ACS 5.1 Join AD Permissions Level requirement.

jkaliente (Level 1)

I've been testing the new ACS 5.1 (appliances) and have an issue with joining it to my AD. Only the top-level administrator account will join the domain successfully (not any standard account for adding a computer to AD). If anyone knows the 'correct' permissions level to set in AD, I would appreciate it.

The account tests good (test button), but when saving to join the domain permanently, I get an error pop-up of:

-- Error while configuring Active Directory: Using writable domain controller: HDQNCDC4.corp.maxxim.com Unexpected configuration or network error. Please try the --verbose option or run 'adinfo --diag' to diagnose the problem. Join to domain 'corp.maxxxim.com', zone 'null' failed. --

The app-account created for the ACS5.1 has permissions to create/delete Computers on all domains. 

Our AD support summary:

It looks like the device is actually trying to write to Active Directory. This would be a concern and not the norm; usually it is just a read function, especially if the device is just passing through the credentials. When you open the case, can you please ask Cisco what is being written to Active Directory and why. Also ask them the exact permissions required of the account needed for your device.

2 Replies

The account used to join ACS 5.1 to the domain should have the Authenticate User or Computer Objects and Delete Computer Objects permissions, or any permission to add machines to the AD domain.

The account does have these permissions. Still get the same error. See attached screenshot. Does Authenticated Users need special permissions?
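For anyone hitting the same question, the following is an added example and not part of the original thread or of Cisco's documentation. The error in the first post names a writable domain controller and a failed "join", so the appliance is creating a computer object in AD, which is a write, not the read-only lookup the AD team expected. The script delegates only the rights such a join needs on a single OU to a service account, then reads the ACL back so you can compare it with what the reply above describes. The domain corp.example.com, the OU "Network Appliances" and the account svc-acs-join are hypothetical names; the two GUIDs are the well-known schemaIDGUID of the computer class and the rightsGuid of the Reset Password extended right. It needs the RSAT ActiveDirectory module and an account allowed to modify the OU's security descriptor.

```powershell
# Added example (not from the thread): delegate to a service account the AD
# rights a computer join needs, scoped to one OU, then show the resulting ACL.
# Hypothetical names: domain corp.example.com, OU "Network Appliances",
# service account svc-acs-join.
Import-Module ActiveDirectory

$ouDn = "OU=Network Appliances,DC=corp,DC=example,DC=com"   # assumed OU
$svc  = Get-ADUser -Identity "svc-acs-join"                  # assumed account

# Well-known schemaIDGUID of the "computer" object class.
$computerClass = [guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
# Well-known rightsGuid of the "Reset Password" extended right.
$resetPassword = [guid]"00299570-246d-11d0-a768-00aa006e0529"

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inhAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inhDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDn"

# 1. Create and delete child objects of class "computer" in this OU and below.
#    This is the right the join needs when it adds the appliance's account.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svc.SID,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    $allow, $computerClass, $inhAll)))

# 2. On computer objects beneath the OU: read them and write the attributes a
#    join sets (dNSHostName, servicePrincipalName, operatingSystem, userAccountControl).
#    Scoped by inheritedObjectType so it does not apply to users or groups in the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svc.SID,
    [System.DirectoryServices.ActiveDirectoryRights]"GenericRead, WriteProperty",
    $allow, $inhDesc, $computerClass)))

# 3. Reset Password on those computer objects, so a re-join of an existing
#    account can set a new machine password instead of failing.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svc.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPassword, $inhDesc, $computerClass)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list only the ACEs granted to the service account on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\svc-acs-join" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The three ACEs are deliberately scoped to one OU and to the computer class rather than granted domain-wide, so the join account cannot touch user or group objects even if its credentials leak from the appliance configuration. If the join still fails with these rights in place, the error text in the first post already points at the next step: rerun with --verbose or capture 'adinfo --diag' on the appliance and attach that output to the TAC case together with the verification listing above.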
