New Member

AD user rights for ISE


I know this is well known, but we have all dealt with an IT department that needs to know why this or that privilege is needed for this account.


Cisco's documentation says this:

The Active Directory username that you provide when joining to an Active Directory domain should be predefined in Active Directory and must have one of the following permissions:

Add the workstation to the domain to which you are trying to connect.

On the computer where the Cisco ISE account was created, establish permissions for creating or deleting computer objects before joining Cisco ISE to the domain.

Permissions for searching users and groups that are required for authentication.

After you join Cisco ISE to the Active Directory domain, you will still need these permissions to:

Join any secondary Cisco ISE servers to this domain

Back up or restore data

Upgrade Cisco ISE to a higher version, if the upgrade process involves a backup and restore


I have used users with "Permissions for searching users and groups that are required for authentication" and have received an error that said it needed a user with rights to add computers to the domain. When this user type was created, I had no problem.

So the real questions are:

Why does ISE need this permission?

What is the foundation for this?

Why does ISE need to add workstations if the only thing ISE should be doing is searching for users?

Hall of Fame Super Silver

The ISE system is adding itself (or each Policy Service Node in the deployment if you have a distributed deployment) as a domain computer.

New Member

Oh ok....

And if the server is added manually as a domain computer then the permission can be used only to search user and groups??

Hall of Fame Super Silver

Hmm I haven't tried it.

You do have to perform the add to domain action from ISE - you can't have ISE added manually from the AD domain controller or member server and then have it automagically work.

Once you've done that you might be able to lower the user permissions to only search.
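Added example (not code from the thread or from Cisco): the documentation quoted above lists two different mechanisms for the join, the domain-wide "Add workstations to domain" user right and an explicit permission to create and delete computer objects. The script below uses the second, scoping the delegation to a single OU so the join account gets only what the ISE nodes need, and then audits the result so the delegation can be justified to the AD team line by line. It assumes a join account named svc-ise, an OU named "ISE Nodes" in a domain example.local, and the RSAT ActiveDirectory module on the machine where it runs; none of these names come from the thread.

```powershell
# Added example, not from the thread or from Cisco. Run with domain-admin rights on a
# host that has the RSAT ActiveDirectory module. Assumed names: account svc-ise,
# OU "ISE Nodes", domain example.local.
Import-Module ActiveDirectory

$AccountName = 'svc-ise'                             # assumed ISE join account
$OuDn        = 'OU=ISE Nodes,DC=example,DC=local'    # assumed OU that will hold the ISE computer objects

$sid = (Get-ADUser -Identity $AccountName).SID

# Resolve the schemaIDGUID of the 'computer' class from the schema rather than hard-coding it,
# so the ACE only allows creating/deleting objects of that class (not users, groups, etc.).
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [Guid]$computerClass.schemaIDGUID

# Build one ACE: Create Child + Delete Child, object type = computer, on this OU and below.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Audit: show exactly which ACEs on the OU apply to the join account. Searching users and
# groups needs only read access, which authenticated users normally already have by default,
# so the create/delete ACE above should be the only non-default entry for this account.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$AccountName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType |
    Format-Table -AutoSize

# Caveat for the audit: ms-DS-MachineAccountQuota (default 10) lets any authenticated user
# create that many computer accounts anywhere in the domain. If it is non-zero, a join can
# succeed even with no explicit delegation, which hides whether the delegation above is what
# actually granted the right. Environments that rely on explicit delegation usually set it to 0.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota for $domainDn = $quota"
```

Because the ACE is inherited only within the OU, the join account cannot create computer objects elsewhere in the domain, and because it carries no write rights on existing objects it cannot alter other computers' accounts; the audit output is what you hand to the IT department when they ask why the account needs anything beyond search.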
