Grant sufficient permissions in Active Directory to enable user access control in Trend Vision One.
Permission Scope
The following table outlines the permission scope options available when configuring the Active Directory (on-premises) connector in Third-Party Integration.
Permission Scope
|
Description
|
||
Read
|
Allows you to sync Active Directory data, such as user lists and group memberships.
|
||
Read & Write
|
Allows you to:
|
Granting the Necessary Permissions to a Service Account
To enable user access control response actions on connected Active Directory accounts, you must configure the Active Directory server connection using a service account with sufficient permissions. You can grant the necessary
permissions using one of the following three options.
-
Option 1: Assign the service account to an Active Directory security group with sufficient permissions. The following groups have sufficient permissions:
-
Administrators
-
Domain Admins
-
Enterprise Admins
-
Account Operators
Tip
Trend Micro does not recommend assigning the service account to the Account Operators group. Account Operators cannot manage users or groups such as Administrators or the Server Operators group. To prevent incorrect permissions settings for critical accounts and resources, keep the Account Operators group membership empty and avoid using the group for delegated administration.For more information, see Microsoft documentation.
-
-
Option 2: Delegate the following Active Directory common task to the service account:
-
Create, delete, and manage user accounts
-
-
Option 3: Configure the following permission settings in Advanced Security Settings:
Important
Trend Micro does not recommend this option because it may become invalid unexpectedly as new features are added to Trend Vision One.SettingValuePrincipalSpecify the service account used in Trend Vision One.TypeAllowApplies toDescendant User objectsPermissionsReset passwordProperties- Read pwdLastSet
- Write pwdLastSet
- Read userAccountControl
- Write userAccountControl