Question about the domain user settings

    Question

  • Hello,

    I was wondering if it is OK to use an account that is a domain admin? TechNet says to use a read-only account, but does that mean it has to be a domain user and not an admin? Please let me know, thank you.

    Tuesday, December 22, 2015 2:02 AM

All replies

  • Hi

    You could use a domain admin account, but the product was designed to work with a user account with least privileges. The user account just needs to be able to see the objects in the domain.

    HTH

    ATA Team


    Gershon Levitz [MSFT]

    Tuesday, December 22, 2015 5:55 PM
    Moderator
  • From a security perspective, you should not use an account that is a member of the domain admins group for anything other than administering a domain controller and members of privileged groups. This has been Microsoft's official guidance since 2003. It has taken on more importance with the increasing use--and success--of Pass-the-Hash and similar privilege escalation attacks.
    Tuesday, January 12, 2016 11:13 AM
  • Thanks for the response.

    I still do not exactly understand though. Could you explain exactly what domain group the user used for ATA should be a member of? `Read only Domain Controller` group?

    Monday, January 18, 2016 2:01 AM
  • Hi

    The user just needs to be a member of the Domain Users group. You need to make sure the user has read access to all of the objects in the domains. If you have configured custom ACLs on specific OUs, you need to make sure this user has read access to those OUs.

    For ATA to detect bulk deletion of objects in the domain, the user will need read permission on the Deleted Objects container. See the following topic on setting permissions on the Deleted Objects container: View or Set Permissions on a Directory Object.

    HTH

    ATA Team



    Gershon Levitz [MSFT]

    Monday, January 18, 2016 11:51 AM
    Moderator
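An added example, not code from the thread or the ATA team: a PowerShell check, run as a domain admin on a host with RSAT and dsacls.exe, that confirms a candidate ATA account (placeholder name `svc-ata`) is not nested in a privileged group and grants and verifies List Contents plus Read Property on the Deleted Objects container, as the referenced topic does with dsacls. The privileged-group list and the LCRP rights are assumptions for illustration.

```powershell
# Added example (not the ATA team's code): validate a least-privilege ATA read account.
# Assumes the RSAT ActiveDirectory module and dsacls.exe; run as a domain admin.
Import-Module ActiveDirectory

$Candidate = 'svc-ata'   # hypothetical service account name

$domain  = Get-ADDomain
$user    = Get-ADUser -Identity $Candidate
$delObjs = "CN=Deleted Objects,$($domain.DistinguishedName)"

# 1. The account must not be a member (directly or transitively) of a privileged group.
#    Enterprise/Schema Admins exist only in the forest root, hence SilentlyContinue.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators'
foreach ($g in $privileged) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    if ($members.distinguishedName -contains $user.DistinguishedName) {
        Write-Warning "$Candidate is a member of '$g'; use a plain Domain Users account instead."
    }
}

# 2. Read rights on the Deleted Objects container (LC = List Contents, RP = Read Property).
#    By default only SYSTEM can read it, so a domain admin takes ownership first,
#    as the 'View or Set Permissions on a Directory Object' topic describes.
$principal = "$($domain.NetBIOSName)\$Candidate"
$acl = dsacls $delObjs 2>&1 | Out-String
if ($acl -notmatch [regex]::Escape($principal)) {
    Write-Host "Granting LCRP on $delObjs to $principal"
    dsacls $delObjs /takeownership | Out-Null
    dsacls $delObjs /G "$($principal):LCRP" | Out-Null
}

# 3. Re-read the ACL and show only the entry for the candidate account.
dsacls $delObjs | Select-String -SimpleMatch $Candidate
```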
  • Thanks! That helps a lot.

    Actually, I have one last question though. What if I was using a WorkGroup domain? What kind of domain user account would I have to use for that deployment? Would it have to be a local account?

    Tuesday, January 19, 2016 6:49 AM
  • You have to use an account that has read access to the domain; otherwise ATA would not be able to read information from the domain.

    kind regards

    Mattias

    Wednesday, March 23, 2016 4:51 PM