Hello TrueNAS Community,
I’m wondering if the account used to join Windows Active Directory needs to be a domain admin. I’m currently trying to reduce the use of domain admin accounts and would like to use accounts with the least necessary privileges instead.
I found this list of permissions in an old Reddit thread. Is it still correct?
The exact permissions required for the service account are as follows:
* Reset password
* Read and write account restrictions
* Read and write DNS host name attributes
* Validated write to DNS host name
* Validated write to service principal name
* Write servicePrincipalName
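As an added illustration (not code from this thread or from TrueNAS), the following PowerShell grants exactly the six rights listed above to a non-admin join account, scoped to computer objects under one OU, and then prints what the account holds so the delegation can be checked. The account name, the OU path and the requirement that you run it with rights to edit that OU's ACL are assumptions; the GUIDs for the rights and attributes are read from the live schema and Extended-Rights container rather than hard-coded.

```powershell
# Added example, not from the thread: delegate only the listed rights to a
# join account on descendant computer objects of one OU, then verify.
# Assumptions: ActiveDirectory module available; caller may edit the OU ACL;
# $JoinAccount and $TargetOU are placeholders for your own values.
Import-Module ActiveDirectory

$JoinAccount = 'CORP\svc-truenas-join'                 # placeholder service account
$TargetOU    = 'OU=NAS,OU=Servers,DC=corp,DC=example'   # placeholder OU holding the computer object

$rootDSE  = Get-ADRootDSE
$schemaNC = $rootDSE.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($rootDSE.configurationNamingContext)"

# Resolve the schemaIDGUID of an attribute or class by lDAPDisplayName.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "schema object '$LdapDisplayName' not found" }
    [guid]$o.schemaIDGUID
}

# Resolve the rightsGuid of an extended right, property set or validated write by displayName.
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase $rightsNC -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "control access right '$DisplayName' not found" }
    [guid]$o.rightsGuid
}

$computerClass = Get-SchemaGuid 'computer'
$identity      = [System.Security.Principal.NTAccount]$JoinAccount
$inherit       = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow         = [System.Security.AccessControl.AccessControlType]::Allow

# One entry per right in the question's list: the AD right type plus the
# object GUID it applies to ('Self' is how .NET expresses a validated write).
$aces = @(
    @{ Right = 'ExtendedRight';              Guid = Get-RightsGuid 'Reset Password' }
    @{ Right = 'ReadProperty,WriteProperty'; Guid = Get-RightsGuid 'Account Restrictions' }
    @{ Right = 'ReadProperty,WriteProperty'; Guid = Get-RightsGuid 'DNS Host Name Attributes' }
    @{ Right = 'Self';                       Guid = Get-RightsGuid 'Validated write to DNS host name' }
    @{ Right = 'Self';                       Guid = Get-RightsGuid 'Validated write to service principal name' }
    @{ Right = 'WriteProperty';              Guid = Get-SchemaGuid 'servicePrincipalName' }
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($ace in $aces) {
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]$ace.Right
    # ACE applies only to objects of class computer beneath the OU, not to the OU itself.
    $ctorArgs = @($identity, $rights, $allow, $ace.Guid, $inherit, $computerClass)
    $rule     = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list exactly which ACEs the join account now holds on the OU.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Because the ACEs are scoped to descendant computer objects, the join account can reset the machine password and write the host name and SPN attributes of computers in that OU but nothing else there. The list in the question assumes the computer object already exists; if the join should also create the object, the account additionally needs the "Create Computer objects" right on the OU, which this script deliberately does not grant.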
I don’t believe so. However, your join account does need permissions over the object. I’m lazy and normally give it full control, but I’m sure you could be more granular with the permissions if you wish.
There are so many conflicting thoughts on this. My $.02: I find it simpler to perform the joining using a Domain Admin account than trying to hunt through all the subtle permissions that MS has. Keep in mind that the account is only used to perform the join and is NOT used by the system after that, as the system will sync via secure communications with the AD controllers, and the Domain Admins group will be added to the local Administrators group so that it can be managed. I agree with your approach, but is the juice worth the squeezing? I do not give my day-to-day account Domain Admin privileges; I reserve that for only a few select accounts.