0 votes

Hi,

Situation: Imagine we have a single forest consisting of 3 domains (1 root domain and 2 subdomains).

At the moment we have installed the Adaxes service in the root domain using a managed service account and added this service account to Domain Admins.

We then added the 2 subdomains to Adaxes and added their service accounts to "Domain Admins" in each of their domains too.

As you can imagine, Domain Admins is by default a Global Security Group and therefore accepts users of its own domain only.

Need: Imagine we would like, from a single custom command, to do things in multiple domains of the forest.

What are the options?

  1. Delegate each AD right needed in the subdomains to the root domain account? (more secure)

  2. Add the service account of the root domain to the "Enterprise Admins" group (we wouldn't want to do that...)

  3. Any other ideas?

ago by (40 points)

1 Answer

0 votes
ago by (301k points)

Hello,

Whenever you are using Adaxes, two layers of permissions are taken into account. First, the actual initiator must have the required permissions to perform the operation in Adaxes. Then there are permissions of the domain service account. For each domain Adaxes uses a dedicated account to perform operations in AD itself. The following article will be helpful: https://www.adaxes.com/help/PermissionsOfDomainServiceAccount.

0

Thanks,

To be more precise, I want to run a scheduled task importing a CSV containing a list of devices into Adaxes.

I would then like to search for those devices in all the domains (virtual root search),

then I would like to set the managedBy and description properties on those devices based on the info in the CSV.

Unfortunately, those devices could be in different domains.

At the moment I can run this script only in a single domain, depending on the credentials used as RunAs.

0

Hello,

If the locations are the same for the devices in all the domains, you can directly import the devices to each of them in the script. There is no need to first create them, then set properties, etc. Unfortunately, we do not have such a script in our repository, but the following tutorial should be helpful: https://www.adaxes.com/help/ScheduleImportOfUsersFromCSV.

0

Hi, no, the devices already exist in different domains. I just have a list of device names in the CSV, with owner, but I don't have any info on their location (domain or OU...).

That's why, for each line in the CSV, I want to search for them in the domain and, if they exist, update their properties, independently of their location, assuming they may be in domain A or B or C. So I'm facing the problem of the credentials we may use, because we may need either

  1. a user account that is running the script that is admin in every domain, to update the properties when the device is found, or
  2. to search for all those devices in independent scripts, running in the context of each domain (3 scheduled tasks instead of 1).

Is it more clear?

0

Hello,

By default, all scripts in Adaxes are executed with the credentials of the Adaxes service account. It always has unrestricted permissions in Adaxes and thus you need not worry about that.
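The procedure described in the comments above (a scheduled task reading a CSV of device names and owners, a virtual-root search across all domains, then updating managedBy and description) as an added PowerShell example; it is not from this thread or from the Adaxes script repository. It assumes the Adaxes script context ($Context) of a scheduled task, a CSV at a placeholder path with Name and Owner columns, and that each domain's Adaxes service account has write access to managedBy and description on its own computer objects, which is the least privilege this task needs instead of Enterprise Admins.

```powershell
# Added example (not from the thread). Runs as an Adaxes scheduled-task script:
# $Context is supplied by Adaxes, and the writes to AD are performed by the
# service account registered for whichever domain the computer object lives in.
$csvPath = "\\PLACEHOLDER-SERVER\share\devices.csv"   # assumed path; columns: Name,Owner

function Find-ForestObjects($filter, $propertiesToLoad) {
    # Virtual-root search: one query covering every domain registered in Adaxes
    $searcher = $Context.BindToObject("Adaxes://rootDSE")
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.VirtualRoot = $True
    $searcher.PageSize = 500
    $searcher.SetPropertiesToLoad($propertiesToLoad)
    $iterator = $searcher.ExecuteSearch()
    try { return ,$iterator.FetchAll() } finally { $iterator.Dispose() }
}

function Escape-LdapValue($value) {
    # CSV cells go into an LDAP filter, so escape filter metacharacters (RFC 4515)
    return $value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

foreach ($row in Import-Csv -Path $csvPath) {
    $name = Escape-LdapValue $row.Name
    $computers = Find-ForestObjects "(&(objectCategory=computer)(name=$name))" @("distinguishedName")
    if ($computers.Count -ne 1) {
        # Zero hits: device is not in any domain. More than one: ambiguous, do not guess.
        $Context.LogMessage("Device '$($row.Name)': $($computers.Count) matches, skipping", "Warning")
        continue
    }
    $owner = Escape-LdapValue $row.Owner
    $owners = Find-ForestObjects "(&(objectCategory=user)(sAMAccountName=$owner))" @("distinguishedName")
    if ($owners.Count -ne 1) {
        $Context.LogMessage("Owner '$($row.Owner)' for '$($row.Name)': $($owners.Count) matches, skipping", "Warning")
        continue
    }
    # Bind to the object in whichever domain the search found it; Adaxes uses
    # that domain's service account for the write, so no forest-wide admin is needed.
    $computer = $Context.BindToObject($computers[0].AdsPath)
    $computer.Put("managedBy", $owners[0].Properties["distinguishedName"].Value)
    $computer.Put("description", "Owner: $($row.Owner); imported $(Get-Date -Format yyyy-MM-dd)")
    $computer.SetInfo()
    $Context.LogMessage("Updated $($computers[0].AdsPath)", "Information")
}
```

Skipped rows are logged as warnings in the task's execution log, so a device that exists in no domain or in several is visible for review rather than silently updated.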
