This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
tavi0906
Participant
‎2023-12-06 05:47 PM

do we need domain admin rights for the service account in Identity awareness

do we need domain admin rights for the service account in Identity awareness

0 Kudos
8 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-12-06 06:05 PM

Please explore Identity Collector further as the preferred method.

Identity Collector - Requirements (checkpoint.com)

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2023-12-06 06:05 PM

Im fairly sure you do. Though below sk, if you can make it work, should suffice, but I was never able to get it going, even with TAC on the phone.

Andy

https://support.checkpoint.com/results/sk/sk93938

0 Kudos
cassiomaciel
Contributor
‎2023-12-07 05:48 AM
In response to the_rock

@tavi0906  you can use the sk93938 mentioned by @the_rock .

 

I'm using ad query in my enviroment and it's working properly.

You must configure the permissions for the service account in all ad servers, it's not necessary be a domain admin.

 

 

 

0 Kudos
the_rock
Legend
Legend
‎2023-12-07 06:50 AM
In response to cassiomaciel

If you got that sk going, then it sefinitely would work : - )

I dont know, I was never able to succeed at it, even with TAC help.

Andy

0 Kudos
tavi0906
Participant
‎2023-12-20 06:59 PM
In response to cassiomaciel

why do we need the domain admin rights for service account ? any reason  ?

 

0 Kudos
Alex-
Advisor
Advisor
‎2023-12-20 10:42 PM
In response to tavi0906

It is not if you use the Identity Collector, and you should, as per the documentation that @Chris_Atkinson shared:

 

Requirements for Integration with Active Directory

Windows Server must connect to the Active Directory (AD) domain controllers of the organization with DNS, LDAP, and DCOM.

The Identity Collector requires an Active Directory (AD) user that belongs to the default Event Log Readers group.


Note - An administrative role is not required for this user.

 

0 Kudos
the_rock
Legend
Legend
‎2023-12-21 03:50 AM
In response to tavi0906

According to the sk we shared, you do not need an account with admin right, but as I said, I tried this with few different clients (TAC was on the phone every time) and we could never get it working. Clearly, we missed something... : - )

Andy

0 Kudos
Vincent_Bacher
Advisor
Advisor
‎2023-12-21 04:22 AM
In response to the_rock

You are talking about LDAP AU or something different?
For LDAP AU admin permissions are not required.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events