What permissions does the service account need to make changes to active directory?

Question

I am working with Adaxes for the first time. Looking to set up the service account so it can actually make changes to AD not just to register the Adaxes Service. I would rather not grant the account Domain Admin. How does Adaxes suggest I permission the account. As I've stated, I have already granted the permission to register the Adaxes service. What I am unable to do is have adaxes make changes to AD.

Comments

Hello Mightycabal,

Did you ever find the correct configuration for the account you are using? We are also trying to understand what persmissions the account needs, are they granted automatically by being a member of the administrators group or is delegation required on the account?

---

Hello,

The Adaxes service account (specified during Adaxes installation) only requires the permissions to publish Adaxes service. No other permissions are required for the account. For details on how to grant the permissions, see section How do I grant permissions to publish Adaxes service of our installation guide: https://www.adaxes.com/help/InstallationGuide/#grant-permissions-to-publish-adaxes-service.

At the same time, all operations in a domain managed by Adaxes are performed using the account specified for the domain. It is recommended to use an account that is a member of the BUILTIN\Administrators group. However, it is not a requirement. It can be any account that has native AD permissions to perform the operations you need in Adaxes. The permissions need to be granted to the account manually in AD. Adaxes itself does not do anything about it. For information on how to check/change the account for a domain, see https://www.adaxes.com/help/ChangeManagedDomainServiceAccount.

For your information, during installation, the domain of the Adaxes service account is registered automatically using the account credentials. It is recommended to then change it to different account.

---

We decided to use Domain Admin on a separate service account.

Answer 1

Hello,

All Active Directory operations in the domain managed by Adaxes are executed using the credentials of the account used to manage the domain (domain service account). The domain service account must have enough native Active Directory permissions to perform all the required operations. It is recommended to use a member of the BUILTIN/Administrators group as the domain service account. You can use the Adaxes service account (specified during the installation) to manage a domain. However, Microsoft does not recommend using accounts with elevated permissions to run services, thus a separate account for a managed domain is recommended. For information on how to change the service account for a managed domain, have a look at the following help article: https://www.adaxes.com/help/ChangeManagedDomainServiceAccount.

Comments

Hello, Using the BUILTIN/Administators group for service account is not recomended by Microsoft or any AD Engineer who knows what the group is for. Since one can not mangage Sites and Services and other tasks not related to users, computers and groups, people shouldn't be granting Domain Admin either. I'm going to try Account Operator however, microsoft recomends not using that built in group and tayloring rights through Group Policy Users Rights assingments. I and other are asking what rights to set. Adaxes should consider this and propose the correct user rights assingments neccissary for the service account.

---

Hello,

As we mentioned in our previous reply, it is not recommended to use the Adaxes service account to manage the domain in Adaxes. You should have the Adaxes service account with the minimum permissions required to register and unregister the Adaxes service in Active Directory. Then you should create another account that will be used to manage the domain in Adaxes (domain service account). All the operations in the domain managed by Adaxes are performed using the credentials of the domain service account, not the Adaxes service account. The domain service account must have all the required native Active Directory permissions to perform the whole range of operations in the workflows you configure in Adaxes. This is why it is recommended to add the domain service account (not the Adaxes service account) to the BUILTIN/Administrators group. In addition to that, please, note that Adaxes uses the role-based access control model where you can grant required permissions to users via Adaxes security roles. It means that if you specify a member of the BUILTIN/Administrators group as a domain service account, the Adaxes users will not have the same permissions unless you delegate the permissions using Adaxes security roles. For more details, have a look at the following article: https://www.adaxes.com/active-directory_role-based-security.htm. Also, the following tutorials should be helpful: https://www.adaxes.com/tutorials_DelegatingPermissions.htm.