0 votes

I am working with Adaxes for the first time. I am looking to set up the service account so it can actually make changes to AD, not just register the Adaxes service. I would rather not grant the account Domain Admin. How does Adaxes suggest I permission the account? As I've stated, I have already granted the permission to register the Adaxes service. What I am unable to do is have Adaxes make changes to AD.

by (40 points)

1 Answer

0 votes
by (6.7k points)

Hello,

All Active Directory operations in the domain managed by Adaxes are executed using the credentials of the account used to manage the domain (domain service account). The domain service account must have enough native Active Directory permissions to perform all the required operations. It is recommended to use a member of the BUILTIN/Administrators group as the domain service account. You can use the Adaxes service account (specified during the installation) to manage a domain. However, Microsoft does not recommend using accounts with elevated permissions to run services, thus a separate account for a managed domain is recommended. For information on how to change the service account for a managed domain, have a look at the following help article: https://www.adaxes.com/help/ChangeManagedDomainServiceAccount.

0

Hello, using the BUILTIN/Administrators group for a service account is not recommended by Microsoft or any AD engineer who knows what the group is for. Since one cannot manage Sites and Services and other tasks not related to users, computers and groups, people shouldn't be granting Domain Admin either. I'm going to try Account Operator; however, Microsoft recommends not using that built-in group and tailoring rights through Group Policy User Rights Assignments. I and others are asking what rights to set. Adaxes should consider this and propose the correct user rights assignments necessary for the service account.

0

Hello,

As we mentioned in our previous reply, it is not recommended to use the Adaxes service account to manage the domain in Adaxes. You should have the Adaxes service account with the minimum permissions required to register and unregister the Adaxes service in Active Directory. Then you should create another account that will be used to manage the domain in Adaxes (domain service account). All the operations in the domain managed by Adaxes are performed using the credentials of the domain service account, not the Adaxes service account. The domain service account must have all the required native Active Directory permissions to perform the whole range of operations in the workflows you configure in Adaxes. This is why it is recommended to add the domain service account (not the Adaxes service account) to the BUILTIN/Administrators group. In addition to that, please, note that Adaxes uses the role-based access control model where you can grant required permissions to users via Adaxes security roles. It means that if you specify a member of the BUILTIN/Administrators group as a domain service account, the Adaxes users will not have the same permissions unless you delegate the permissions using Adaxes security roles. For more details, have a look at the following article: https://www.adaxes.com/active-directory_role-based-security.htm. Also, the following tutorials should be helpful: https://www.adaxes.com/tutorials_DelegatingPermissions.htm.
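The two replies above describe the split between the Adaxes service account (which only registers the service) and the domain service account, whose own native Active Directory permissions bound everything Adaxes can do; the commenter asks for something narrower than BUILTIN/Administrators. The following PowerShell is an added example, not code from Adaxes or from anyone in this thread: it first reports whether a candidate domain service account sits in any broad built-in group (including through nested membership), then delegates a scoped set of rights over one OU (create and delete user objects, read and write user properties, reset passwords) and lists the resulting ACEs for verification. The account name, OU distinguished name and group list are placeholder assumptions; the two schema GUIDs are well-known fixed values in every forest. The caveat from the replies still applies: Adaxes can only do what this account can do, so every workflow beyond user management (groups, computers, Exchange and so on) needs corresponding additional delegation, and the membership audit is worth re-running whenever the account changes.

```powershell
# Added example (not Adaxes-provided code). Requires the RSAT ActiveDirectory
# module and an operator who can read group membership and modify the OU's ACL.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-adaxes-domain'                   # placeholder sAMAccountName
$TargetOU       = 'OU=Users,OU=Corp,DC=example,DC=com'  # placeholder OU DN

# Built-in groups that grant far more than user management over one OU.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')

# Well-known schema GUIDs (the same in every AD forest).
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # "user" object class
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" right

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function Test-PrivilegedMembership {
    # Reports which broad groups the account belongs to, directly or via nesting.
    param([string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
              Select-Object -ExpandProperty Name
    $hits = @($groups | Where-Object { $PrivilegedGroups -contains $_ })
    [PSCustomObject]@{
        Account          = $SamAccountName
        PrivilegedGroups = $hits
        IsPrivileged     = ($hits.Count -gt 0)
    }
}

function Grant-UserManagementRights {
    # Delegates user create/delete, property write and password reset on one OU.
    param([string]$SamAccountName, [string]$OuDistinguishedName)
    $sid  = (Get-ADUser -Identity $SamAccountName).SID
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path

    # 1. Create and delete user objects in the OU and its sub-OUs.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $Allow, $UserClassGuid, $All)))

    # 2. Read and write all properties of user objects beneath the OU.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $Allow, $Desc, $UserClassGuid)))

    # 3. The "Reset Password" extended right on user objects beneath the OU.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $Allow, $ResetPasswordGuid, $Desc, $UserClassGuid)))

    Set-Acl -Path $path -AclObject $acl
}

function Get-DelegatedRights {
    # Lists the ACEs on the OU that name the account, for verification after delegation.
    param([string]$SamAccountName, [string]$OuDistinguishedName)
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$SamAccountName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}

# Usage: audit first, delegate, then confirm what the account actually holds.
Test-PrivilegedMembership -SamAccountName $ServiceAccount | Format-List
Grant-UserManagementRights -SamAccountName $ServiceAccount -OuDistinguishedName $TargetOU
Get-DelegatedRights -SamAccountName $ServiceAccount -OuDistinguishedName $TargetOU |
    Format-Table -AutoSize
```

The audit deliberately resolves nested membership, because an account that is not directly in Domain Admins can still be privileged through an intermediate group. The delegation is the minimum for a user-management workflow; if `IsPrivileged` comes back `$true` after you have scoped the account, that is a sign the membership should be removed rather than layered on top of the OU delegation.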
