LDAP Account Permission

What permission does the LDAP account need in our Active Directory?

Category: Email Security

Accepted Solution

LDAP Account Permission

Did some digging...

The account does NOT have to be a Domain Admin.

Turns out the account I'm using is a member of Account Operators. AO is a standard group in AD; a description is here:

http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
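Added example (not code from the thread or from Cisco): a PowerShell check that binds to AD explicitly as the appliance's LDAP bind account and reproduces the two lookups behind a group query (mail address to user object, then group object to its member attribute), so you can tell whether a failing policy lookup is an account-rights problem or an appliance-configuration problem. The server name, base DN, account name and mail address below are assumed placeholders. One caveat on the accepted solution: Account Operators is not a read-only group. Its members can create, modify and delete most user, group and computer accounts in the domain and reset their passwords, so it is a large step down from Domain Admins but still a privileged group, and if this script succeeds for a plain Domain User the bind account needs nothing more than read access.

```powershell
# Added example, not code from the thread or from Cisco. Reproduces the AD lookups
# behind an ESA/IronPort LDAP group query while bound as the appliance's own bind
# account, so the test reflects that account's rights, not the logged-on admin's.
# All values below are assumed placeholders: replace them with your own.
param(
    [string]$Server   = 'dc01.example.com',          # assumption: a domain controller
    [string]$BaseDN   = 'DC=example,DC=com',          # assumption: search base used on the ESA
    [string]$BindUser = 'EXAMPLE\svc-ironport',       # assumption: the non-admin bind account
    [string]$GroupCN  = 'Super Duper Users',          # group named in the thread
    [string]$Mail     = 'someone@example.com'         # assumption: a mailbox that should match
)

# RFC 4515 escaping, so a value containing ( ) * \ or NUL cannot change the filter's meaning.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

$cred = Get-Credential -UserName $BindUser -Message 'Password for the ESA LDAP bind account'
$pwd  = $cred.GetNetworkCredential().Password

# Bind as the service account. AuthenticationTypes.Secure uses Negotiate (Kerberos/NTLM),
# so the password is not sent in the clear during this test.
$root = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
    "LDAP://$Server/$BaseDN", $cred.UserName, $pwd,
    [System.DirectoryServices.AuthenticationTypes]::Secure)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.SearchScope = 'Subtree'

# Step 1: resolve the mail address to a user object (the lookup half of the query).
$searcher.Filter = "(&(objectCategory=person)(mail=$(ConvertTo-LdapFilterValue $Mail)))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'memberOf'))
$user = $searcher.FindOne()
if (-not $user) {
    Write-Warning "No user found for $Mail as $BindUser. Check the base DN, then List Contents/Read on the user's OU."
    return
}
$userDN = [string]$user.Properties['distinguishedname'][0]
"User DN      : $userDN"
"memberOf read: $(@($user.Properties['memberof'] | ForEach-Object { [string]$_ }).Count) entries"

# Step 2: read the group and test membership from its member attribute, which is
# what a group query in the policy has to be able to read.
$searcher.Filter = "(&(objectClass=group)(cn=$(ConvertTo-LdapFilterValue $GroupCN)))"
$searcher.PropertiesToLoad.Clear()
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'member'))
$group = $searcher.FindOne()
if (-not $group) {
    Write-Warning "Group '$GroupCN' not found as $BindUser. The account may lack List/Read on the group's OU."
    return
}
$groupDN = [string]$group.Properties['distinguishedname'][0]
$members = @($group.Properties['member'] | ForEach-Object { [string]$_ })
"Group DN     : $groupDN"
"members read : $($members.Count)"
if ($members -contains $userDN) {
    "$Mail IS a direct member of '$GroupCN' as seen by $BindUser"
} else {
    "$Mail is NOT listed in '$GroupCN' (not a direct member, or 'member' is not readable by $BindUser)"
}

# Step 3 (run as an admin, needs the ActiveDirectory module): if step 2 shows fewer
# members than ADSI Edit does, inheritance of the default read ACEs has been broken
# on that object. Dump who can read it and whether the ACEs are inherited:
#   Import-Module ActiveDirectory
#   (Get-Acl "AD:\$groupDN").Access |
#       Where-Object { $_.ActiveDirectoryRights -match 'ReadProperty|GenericRead|ListChildren' } |
#       Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

Run it from a domain-joined workstation as any user; the bind is made with the credentials you type, not your logon token, which is the point. Step 2 checks direct membership only (nested groups are not expanded), and the ACL dump in step 3 runs with your own rights, which is fine because it is the ACL itself you want to compare against the default, not the bind account's view of it.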

8 REPLIES

LDAP Account Permission

Assuming you're just using it for the various queries, just read access... generally a user that is a member of Domain Users and nothing else should work.


LDAP Account Permission

When the account is in Domain Admins, things work.

When the account is only in Domain Users, things don't work.

When I say things work or don't work, I mean a group query in an Outgoing Policy is not kicking in. In other words, we say if a user is in a group called "Super Duper Users" then do something to their mail; well, our IronPort account needs to be a Domain Admin in order to do a lookup in Active Directory. I don't get why, as even Domain Users have read-only permissions.

So, off to experiment.


LDAP Account Permission

I'm glad I found this. I could not get it to work with the LDAP account being a domain user. Did you find a solution to this? I would prefer not to have another admin account.

Thanks


LDAP Account Permission

Mike,

Our case is still open, as we are trying to convince IronPort support this is still an issue and not working as expected. I am beginning to think that the engineer may not know how his LDAP account is permissioned on the back end, since it may have been configured by another group. Also, sometimes in the lab people set things up with Domain Admin permissions, you know, just "to get things working", and then they never go back to make them secure.

Anyway, more as the news develops.


LDAP Account Permission

So we spoke with John over at IronPort support. He is one of our favorite Support Engineers, well, up until now, LOL. He confirmed that the IronPort LDAP account indeed needs to be a Domain Admin unless we contact Microsoft and they can tell us how to set it up differently. He also recommended some utilities along the lines of LDP and ADSI Edit to see if we can get to the OUs with that account. I told him we can use our IronPort account in read-only mode (i.e. not Domain Admin) with those utilities and browse any group membership we need; it's only through the IronPort appliances that it doesn't work when it's not a Domain Admin.

We will be contacting Microsoft for sure to get this looked at. At this time, having a "service" account be a Domain Admin is not acceptable.


LDAP Account Permission

Ken, I love you, man!!! That works. Now to call IronPort Tech Support and edumecate them, LOL.


Re: LDAP Account Permission

It's odd that it doesn't work for you as a Domain User, because that's exactly how we have it configured here (I just checked). It works just fine for us. I suspect that there's something different about the fundamental protection settings of our respective ADs, but that's just a guess. I'm just the e-mail guy, I don't mess with AD.

++Don
