0 votes

I am working with Adaxes for the first time. Looking to set up the service account so it can actually make changes to AD not just to register the Adaxes Service. I would rather not grant the account Domain Admin. How does Adaxes suggest I permission the account. As I've stated, I have already granted the permission to register the Adaxes service. What I am unable to do is have adaxes make changes to AD.

by (1.0k points)
0

Hello Mightycabal,

Did you ever find the correct configuration for the account you are using? We are also trying to understand what persmissions the account needs, are they granted automatically by being a member of the administrators group or is delegation required on the account?

0

Hello,

The Adaxes service account (specified during Adaxes installation) only requires the permissions to publish Adaxes service. No other permissions are required for the account. For details on how to grant the permissions, see section How do I grant permissions to publish Adaxes service of our installation guide: https://www.adaxes.com/help/InstallationGuide/#grant-permissions-to-publish-adaxes-service.

At the same time, all operations in a domain managed by Adaxes are performed using the account specified for the domain. It is recommended to use an account that is a member of the BUILTIN\Administrators group. However, it is not a requirement. It can be any account that has native AD permissions to perform the operations you need in Adaxes. The permissions need to be granted to the account manually in AD. Adaxes itself does not do anything about it. For information on how to check/change the account for a domain, see https://www.adaxes.com/help/ChangeManagedDomainServiceAccount.

For your information, during installation, the domain of the Adaxes service account is registered automatically using the account credentials. It is recommended to then change it to different account.

0

We decided to use Domain Admin on a separate service account.

1 Answer

0 votes
by (14.1k points)

Hello,

All Active Directory operations in the domain managed by Adaxes are executed using the credentials of the account used to manage the domain (domain service account). The domain service account must have enough native Active Directory permissions to perform all the required operations. It is recommended to use a member of the BUILTIN/Administrators group as the domain service account. You can use the Adaxes service account (specified during the installation) to manage a domain. However, Microsoft does not recommend using accounts with elevated permissions to run services, thus a separate account for a managed domain is recommended. For information on how to change the service account for a managed domain, have a look at the following help article: https://www.adaxes.com/help/ChangeManagedDomainServiceAccount.

0

Hello, Using the BUILTIN/Administators group for service account is not recomended by Microsoft or any AD Engineer who knows what the group is for. Since one can not mangage Sites and Services and other tasks not related to users, computers and groups, people shouldn't be granting Domain Admin either. I'm going to try Account Operator however, microsoft recomends not using that built in group and tayloring rights through Group Policy Users Rights assingments. I and other are asking what rights to set. Adaxes should consider this and propose the correct user rights assingments neccissary for the service account.

0

Hello,

As we mentioned in our previous reply, it is not recommended to use the Adaxes service account to manage the domain in Adaxes. You should have the Adaxes service account with the minimum permissions required to register and unregister the Adaxes service in Active Directory. Then you should create another account that will be used to manage the domain in Adaxes (domain service account). All the operations in the domain managed by Adaxes are performed using the credentials of the domain service account, not the Adaxes service account. The domain service account must have all the required native Active Directory permissions to perform the whole range of operations in the workflows you configure in Adaxes. This is why it is recommended to add the domain service account (not the Adaxes service account) to the BUILTIN/Administrators group. In addition to that, please, note that Adaxes uses the role-based access control model where you can grant required permissions to users via Adaxes security roles. It means that if you specify a member of the BUILTIN/Administrators group as a domain service account, the Adaxes users will not have the same permissions unless you delegate the permissions using Adaxes security roles. For more details, have a look at the following article: https://www.adaxes.com/active-directory_role-based-security.htm. Also, the following tutorials should be helpful: https://www.adaxes.com/tutorials_DelegatingPermissions.htm.

Related questions

0 votes
1 answer

We originally installed Adaxes and assigned the Adaxes Service user to the Domain Admins group. We are now locking down that group and have removed the Adaxes Serivce from ... to do things. What rights does Adaxes Service need in order to administer users?

asked Jul 23, 2021 by cobaltcu (20 points)
0 votes
1 answer

I belive we may have opened a ticket for this question in the past but I can't find the answer. We have a need to delay changing user attributes until their ... title, and department until the scheduled date. Any help would be much much appreciated. Thanks!

asked Jan 13, 2022 by trwhalen (70 points)
0 votes
0 answers

We have delegated updating user properties in AD and the usrs have requested those changes updated in the GAL. Is ther ea way to do this in Adaxes?

asked Feb 13, 2020 by Derek.Axe (480 points)
0 votes
0 answers

Softerra Adaxes does not extend the AD schema. Moreover, Softerra Adaxes does not store its data in Active Directory and doesn't modify the native permissions assigned in ... Adaxes, you can use Active Directory just as you did before the product installation.

asked Jun 17, 2009 by Adaxes (560 points)
0 votes
1 answer

When Adaxes runs the command "Deactivate Microsoft 365 account of the user: set Sign-In status to 'Blocked', revoke all licenses" also revoke the sessions in Azure? For reference, it is the "Revoke sessions" button in the Azure portal:

asked 1 day ago by jmatthews (190 points)
3,548 questions
3,239 answers
8,232 comments
547,814 users