What are the AD user rights required for the LDAP Account Unit configuration when it is supposed to be used with Identity Collector?
In the Identity Collector configuration guide, it states:
But all the references to the LDAP Account Unit configuration describe the account as having Admin rights on the domain.
This contradicts the intended deployment model and I do not think it is necessary, if we are simply querying the AD group membership data.
I remember there was an sk article with the needed rights, but I can't find it. Maybe someone else will have more luck with the correct words to type in the search field.
We are running this with a user having only read rights in all OUs with groups and users.
Wolfgang
You just need the account to be a member of "Event Log Readers"
@Aidan_Luby, there are two different accounts referenced: one, as you described it, with the "Event Log Readers" permission that is assigned to the Identity Collector. The LDAP Account Unit is an additional account necessary to determine group memberships in AD.
Perhaps same rights would work for both, but it is not defined anywhere in documentation that I was able to find.
For IDC usage you need a user with LDAP read in the LDAP AU and a user with LDAP read + Event Log Readers Group on IDC.
For sure most implementations will use the same user on the AU as on the IDC, because one user can serve both.
If you also use the AU for Remote Access, then you might also need write on LDAP if the users shall be able to change their own passwords when they expire. But this is a different story.
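As an added example (not part of this thread and not Check Point's own tooling or documentation), the following PowerShell provisions the two accounts described above the way Norbert and Vladimir lay them out: a read-only LDAP user for the Account Unit and a second read-only user for the Identity Collector that is additionally a member of the built-in "Event Log Readers" group, then verifies that neither account has picked up any privileged group membership. Account names, the service-account OU and the domain are placeholders; it assumes the RSAT ActiveDirectory module and a session with rights to create users.

```powershell
# Added example, not from the thread or from Check Point documentation.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session that may create users.
# Account names, the OU path and the domain below are placeholders.
Import-Module ActiveDirectory

$Domain     = (Get-ADDomain).DNSRoot
$ServiceOU  = "OU=Service Accounts,$((Get-ADDomain).DistinguishedName)"   # assumed OU
$IdcAccount = "svc-cp-idc"       # used by the Identity Collector (read + Event Log Readers)
$AuAccount  = "svc-cp-ldap-au"   # used by the gateways' LDAP Account Unit (read only)

# Two separate accounts, so their actions can be told apart in the AD logs.
foreach ($Name in @($IdcAccount, $AuAccount)) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Name'")) {
        New-ADUser -Name $Name -SamAccountName $Name -Path $ServiceOU `
            -UserPrincipalName "$Name@$Domain" `
            -AccountPassword (Read-Host -AsSecureString "Password for $Name") `
            -PasswordNeverExpires $true -Enabled $true
    }
}

# Only the collector account joins Event Log Readers, which grants read access to the
# Security log on the domain controllers; the Account Unit user stays a plain Domain User.
Add-ADGroupMember -Identity "Event Log Readers" -Members $IdcAccount

# Verification: neither account may be a member of a privileged group.
$Privileged = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
                "Account Operators", "Server Operators", "Backup Operators")
function Test-LeastPrivilege {
    param([string]$SamAccountName)
    # Direct group memberships only; nested membership is checked separately below.
    $Groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
              Select-Object -ExpandProperty Name
    $Hits = $Groups | Where-Object { $Privileged -contains $_ }
    [pscustomobject]@{
        Account    = $SamAccountName
        Groups     = ($Groups -join ", ")
        Privileged = ($Hits.Count -gt 0)
    }
}
Test-LeastPrivilege $IdcAccount
Test-LeastPrivilege $AuAccount

# Nested membership: does any privileged group contain either account transitively?
foreach ($Group in $Privileged) {
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.SamAccountName -in @($IdcAccount, $AuAccount) } |
        ForEach-Object { Write-Warning "$($_.SamAccountName) is nested in $Group" }
}

# Smoke test of the read-only LDAP access the Account Unit relies on: by default an
# authenticated Domain User can read another user's group membership (memberOf).
$Cred = Get-Credential -UserName "$Domain\$AuAccount" -Message "LDAP AU account"
Get-ADUser -Identity $IdcAccount -Properties memberOf -Server $Domain -Credential $Cred |
    Select-Object -ExpandProperty memberOf
```

The last query is the useful evidence for a client who has to justify the rights granted: if it returns the collector account's group DNs while `Test-LeastPrivilege` reports `Privileged = False` for both accounts, the AU works with nothing beyond default read access, which is the point made in this thread.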
Thank you @Norbert_Bohusch . It makes perfect sense, but I was looking for some pointer to the Check Point's official references to this data, as one of my clients has to justify the rights they grant to accounts and I've seen nothing but admin requirements for LDAP AU.
If you happen to come across such a document, please let me know.
BTW, I prefer to use separate accounts for these two functions to simplify differentiation in the tracking their actions in AD logs, but this is just me.
Hi Vladimir,
This is an old post, but were you able to find documented information regarding this? I have almost the same question:
Moving from AD Query (with an account user with high privileges on the AD) to Identity Collector.
That is fine that Identity Collector needs a read-only user account, but we still require a user for the LDAP Account Unit used by the gateways.
Thanks
Hi @DR_74 ,
Unfortunately, the very limited guidelines we have on LDAP AU are limited to either making those full domain admin (which I reject as an exceptionally bad idea) or an account with slightly more limited rights described in sk93938 "Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Server 2008 and higher."
Even as described in sk93938, the account has too many rights for my taste. I cannot guarantee that, but I am pretty sure it would work if you create a Group Policy applied to that account that strips from it the RDP, log on locally, and shut down and reboot server capabilities.
For the account unit user you need just read for the whole AD.
@Norbert_Bohusch, when you create the AU with "AD read all" and then, during AD Query implementation, specify the same user account, are you not getting a prompt that "the user is not a domain admin"?
Do you happen to have a reference to the Check Point sk describing the use of "AD Read All" account for AUs? I would really like to see that.
Thank you,
Vladimir
He said he is moving from AD Query to IDC and then you will not need more.
For AD Query there is sk93938, which outlines the needed rights for this user.
True that, but I do not recall seeing CP document stating this AU requirement specifically for IDC configuration.
If you can point me to it, I'd be much obliged.
Hi @Vladimir
Do you have an update for this question?
I do not, but it looks like I'll be implementing IDC for one of my clients within a month and may update this thread then.
hey,
This is the only thing I found when we started to look and implement IA with IC.
Hope it helps...
"Working with Active Directory Domains in the Identity Collector
To add a new Active Directory Domain in the Identity Collector:
Note - The account must be a member of the Event Log Readers group."