https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/199924#M37503 <P>Im fairly sure you do. Though below sk, if you can make it work, should suffice, but I was never able to get it going, even with TAC on the phone.</P> <P>Andy</P> <P><A href="https://support.checkpoint.com/results/sk/sk93938" target="_blank">https://support.checkpoint.com/results/sk/sk93938</A></P> Thu, 07 Dec 2023 02:05:39 GMT the_rock 2023-12-07T02:05:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/199922#M37501 <P>do we need domain admin rights for the service account in Identity awareness</P> Thu, 07 Dec 2023 01:47:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/199922#M37501 tavi0906 2023-12-07T01:47:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/199923#M37502 <P>Please explore Identity Collector further as the preferred method.</P> <P><A href="https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics/Identity-Collector-Requirements.htm?tocpath=Identity%20Collector%7C_____1" target="_blank">Identity Collector - Requirements (checkpoint.com)</A></P> Thu, 07 Dec 2023 02:05:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/199923#M37502 Chris_Atkinson 2023-12-07T02:05:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/199924#M37503 <P>Im fairly sure you do. Though below sk, if you can make it work, should suffice, but I was never able to get it going, even with TAC on the phone.</P> <P>Andy</P> <P><A href="https://support.checkpoint.com/results/sk/sk93938" target="_blank">https://support.checkpoint.com/results/sk/sk93938</A></P> Thu, 07 Dec 2023 02:05:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/199924#M37503 the_rock 2023-12-07T02:05:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/199969#M37507 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/83845">@tavi0906</a>&nbsp; you can use the&nbsp;sk93938 mentioned by&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;.</P><P>&nbsp;</P><P>I'm using ad query in my enviroment and it's working properly.</P><P>You must configure the permissions for the service account in all ad servers, it's not necessary be a domain admin.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 07 Dec 2023 13:48:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/199969#M37507 cassiomaciel 2023-12-07T13:48:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/199980#M37509 <P>If you got that sk going, then it sefinitely would work : - )</P> <P>I dont know, I was never able to succeed at it, even with TAC help.</P> <P>Andy</P> Thu, 07 Dec 2023 14:50:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/199980#M37509 the_rock 2023-12-07T14:50:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/201251#M37840 <P>why do we need the domain admin rights for service account ? any reason&nbsp; ?</P><P>&nbsp;</P> Thu, 21 Dec 2023 02:59:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/201251#M37840 tavi0906 2023-12-21T02:59:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/201253#M37841 <P>It is not if you use the Identity Collector, and you should, as per the documentation that&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;shared:</P><P>&nbsp;</P><LI-CODE lang="markup">Requirements for Integration with Active Directory Windows Server must connect to the Active Directory (AD) domain controllers of the organization with DNS, LDAP, and DCOM. The Identity Collector requires an Active Directory (AD) user that belongs to the default Event Log Readers group. Note - An administrative role is not required for this user.</LI-CODE><P>&nbsp;</P> Thu, 21 Dec 2023 06:42:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/201253#M37841 Alex- 2023-12-21T06:42:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/201274#M37845 <P>According to the sk we shared, you do not need an account with admin right, but as I said, I tried this with few different clients (TAC was on the phone every time) and we could never get it working. Clearly, we missed something... : - )</P> <P>Andy</P> Thu, 21 Dec 2023 11:50:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/201274#M37845 the_rock 2023-12-21T11:50:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/201277#M37846 <P>You are talking about LDAP AU or something different?<BR />For LDAP AU admin permissions are not required.</P> Thu, 21 Dec 2023 12:22:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/do-we-need-domain-admin-rights-for-the-service-account-in/m-p/201277#M37846 Vincent_Bacher 2023-12-21T12:22:37Z