One of my customers (during a PoC) doesn't want to provide an Account Operators user for CPPM to join the domain. According to them it's insecure, since such a user has the permission to create accounts etc. in AD.
So how do you guys do it? Are other customers OK with providing such an account for domain join? Or is there any other type of account that can also be used for domain joining?
I guess the first thing is that you only need the ClearPass node to join the domain if you want to do EAP-PEAP authentication, and not for EAP-TLS auth, which should be the way to do it.
The second thing is, in case you need to join the domain, it's a one-time operation, and for that you need to have admin rights. After ClearPass has joined, you can delete the admin account that was used; it's up to you.
Finally, the domain bind (when creating an auth source) requires a service account with read permissions.
Actually it is only needed for EAP-PEAP-MSCHAPv2 to decode the encrypted passwords.
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.