Forum Discussion

HoldTheLine
8 years ago

Active Directory for 2.7.3 appliances - "Full domain administrative rights are required."

We are working with our Windows team to get AD set up on our appliances. They are 5230s running 2.7.3 (Red Hat). Being security focused, we work from a least privilege standpoint, so when Veritas provided this technote:

https://www.veritas.com/support/en_US/article.000097924

Our Windows team said "No way". Mostly to this:

Notes:
Full domain administrative rights are required.

We have been working with our BCS and trying to get resources to speak on this, and it has been hit and miss while we wait for the stars to align, so I thought I would throw it out here - is anyone using AD with appliances? And if so, can you shed some light on the actual rights required? It's hard to tell from that technote, and to be honest the documentation I have seen so far has been sort of vague, but stating that Full domain admin rights are required could mean either:

a) Any user that logs into AD to use the appliance (not likely to happen in most environments)

b) Maybe it only applies to the first step in the configuration? i.e. this one:

Settings > Authentication > ActiveDirectory > configure <domain> <user>

If that is a one-time thing that is only required at setup time, i.e. get one of the domain admins to run it for us, it *might* fly. Although they might also demand to know what Veritas needs that amount of access to allow non-privileged users to maintain a system.

Any thoughts on this?

1 Reply

  • Any solution that says it requires domain admin privileges is a lazy solution, imho.

    Find out the exact permission/s it requires, then you can assign those individual permissions without giving the key to the kingdom.

    SQL Server 2014 admins, when creating clusters, would say they need domain admin rights. I proved them wrong when I drilled down to exactly what permissions are required!