I believe your expectations are wrong - IBM Support can clarify the situation - but not fix it, as the problem lies within your own organization and the Windows AD product.
But let me clarify what I do in projects when resolving this problem. You need to find the AD Security/User Management responsible in your organization (you will need to talk to them anyhow to get the integration right from a process perspective). Then you need to ask them what is needed if you cannot use a Domain Admin - this is their job to guide in most normal organizations.
Also - be aware that certain operations in the adapter may need to have some elevated user rights available (I remember that at one customer they had set up the AD Domain such that we needed not only Domain Admin to manage Exchange accounts - but Enterprise Admin - not so good...) - so you need to be prepared to take these discussions with your internal security department, as some of these restrictions may not be something that can just be resolved (and the security department also needs to be aware so that they can remedy the situation, e.g. give guidelines on segmentation of network/firewalling so that even if you need Domain Admin it can be remedied).
One way to solve this is to have a very secure network segment/domain (not AD domain...) where your IGI solution resides together with a dedicated AD domain controller - this also solves a lot of performance issues you may get into - but again - you need to discuss this with the AD responsible.
HTH
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
------------------------------
Original Message:
Sent: Fri November 05, 2021 04:09 AM
From: Andrea Martone
Subject: Installing IGI Active Directory Standard Adapter
Many thanks Franz,
Indeed we were forced by IT Security not to use Domain Admin, and this led us to try to find a standard configuration for the AD account to be used for the IGI AD Standard adapter.
We indeed raised a ticket to IBM Support some days ago, but still no valid answers from them...
------------------------------
Andrea Martone
Original Message:
Sent: Fri November 05, 2021 03:47 AM
From: Franz Wolfhagen
Subject: Installing IGI Active Directory Standard Adapter
Let me add a few comments to this - and yes - this is basically the answer.
That said - we should never recommend using a Domain Admin these days for obvious reasons (think Zero Trust and lateral movement...) - but this is actually the recommendation that you historically got from Microsoft IIRC (I definitely hope that has changed :-)).
I had this discussion internally some time ago - and I believe the right approach is that the authorization rights used for user management are a problem that resides in the managed system's domain - we can give some advice - but the final arbiter is the supplier of the solution - and of course whatever custom additions are added locally.
Be aware that this is my PERSONAL opinion - I am not able to speak for IBM on this - so if you need an official answer you may want to raise it through IBM Support or your IBM representative.
HTH
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Thu November 04, 2021 04:05 PM
From: Tim TamDude
Subject: Installing IGI Active Directory Standard Adapter
I would assume any role that has CRUD permissions to users in the domain and group membership permissions would be the least amount of permissions, as those are the operations you will be performing on the domain accounts/groups.
------------------------------
Tim TamDude
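Tim's suggestion put into practice, as an added PowerShell example (not from the thread, IBM or Microsoft): delegate create/delete/modify on user objects and write access to group membership for one OU to a dedicated service account instead of using Domain Admins. The OU, the account name and the chosen rights are assumptions; the operations the adapter actually performs decide the final set, which as the thread says has to be agreed with the AD team.

```powershell
# Added example: least-privilege delegation for an IGI adapter service account.
# OU, account name and the set of rights are assumptions, not from the thread.
Import-Module ActiveDirectory

$TargetOu    = 'OU=Managed,DC=example,DC=com'   # assumed OU the adapter manages
$ServiceAcct = 'svc-igi-ad'                     # assumed adapter service account
$Sid         = (Get-ADUser -Identity $ServiceAcct).SID

# Resolve schema GUIDs from this forest at runtime instead of hard-coding them.
$SchemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $SchemaNc -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$UserClass  = Get-SchemaGuid 'user'
$GroupClass = Get-SchemaGuid 'group'
$MemberAttr = Get-SchemaGuid 'member'

$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$TargetOu"

# Create and delete user objects in the OU and its sub-OUs (the C and D of CRUD).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $UserClass, $Inherit::All))

# Read and write properties of user objects below the OU (the R and U of CRUD).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, ($Rights::ReadProperty -bor $Rights::WriteProperty), $Allow, $Inherit::Descendents, $UserClass))

# Write only the 'member' attribute of group objects: membership management, nothing else.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, $Rights::WriteProperty, $Allow, $MemberAttr, $Inherit::Descendents, $GroupClass))

Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Verify: show the ACEs now granted to the service account on the OU.
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$ServiceAcct" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

If an adapter operation still fails with 0x80070005 after this, the failing LDAP operation identifies the missing right (for example password reset needs a separate extended right), so extend the delegation for that attribute rather than falling back to Domain Admins.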
Original Message:
Sent: Wed November 03, 2021 06:23 AM
From: Andrea Martone
Subject: Installing IGI Active Directory Standard Adapter
Dear experts,
Looking at the official IBM guide for installing the IGI Active Directory Standard Adapter the requirements related to the AD user account to be embedded within the IGI AD Adapter are fairly vague:
The Active Directory Adapter requires administrator authority. IBM Security Identity Governance and Intelligence requests might fail if the adapter is not given sufficient authority to perform the requested task. The Active Directory Adapter can be installed within the managed domain or in a different domain. If the adapter is installed in a different domain, trusts must be configured on both the domain that is managed and the domain where the adapter is installed. For more information about configuring trusts for domains, see the Microsoft documentation that corresponds to your operating system.
We tried to avoid assigning Domain Admins to the account, so we followed what is mentioned within the guide, granting the user account the "Account Operators" group (Active Directory Security Groups - Windows security). Unfortunately this didn't work (e.g. Error: 0x80070005 - Access is denied.)
Do you know if there is a more detailed instruction about what should be the valid standard rights/permissions to be assigned to the AD user account for the IGI AD Adapter? I know that it probably depends on how AD was configured, but assuming a standard AD environment, what should be the right configuration of the AD account? Are we really forced to assign Domain Admins rights?
Thanks in advance.
------------------------------
Andrea Martone
------------------------------