Grant sufficient permissions in Active Directory to enable user access control in Trend Vision One.

Permission Scope

The following table outlines the permission scope options available when configuring the Active Directory (on-premises) connector in Third-Party Integration.
Permission Scope: Read
Description: Allows you to sync Active Directory data, such as user lists and group memberships.
Important: To use this permission scope, ensure you configure the Active Directory server connection using an Active Directory account with at least domain user permissions.

Permission Scope: Read & Write
Description: Allows you to:
  • Sync Active Directory data.
  • Perform user access control response actions, such as disabling user accounts and forcing password reset.
Important: To use this permission scope, ensure you configure the Active Directory server connection using an Active Directory account with sufficient read and write permissions.

Granting the Necessary Permissions to a Service Account

To enable user access control response actions on connected Active Directory accounts, you must configure the Active Directory server connection using a service account with sufficient permissions. You can grant the necessary permissions using one of the following three options.
  • Option 1: Assign the service account to an Active Directory security group with sufficient permissions. The following groups have sufficient permissions:
    • Administrators
    • Domain Admins
    • Enterprise Admins
    • Account Operators
      Tip
      Trend Micro does not recommend assigning the service account to the Account Operators group. Account Operators cannot manage users or groups such as Administrators or the Server Operators group. To prevent incorrect permissions settings for critical accounts and resources, keep the Account Operators group membership empty and avoid using the group for delegated administration.
      For more information, see Microsoft documentation.
  • Option 2: Delegate the following Active Directory common task to the service account:
    • Create, delete, and manage user accounts
  • Option 3: Configure the following permission settings in Advanced Security Settings:
    Important
    Trend Micro does not recommend this option because it may become invalid unexpectedly as new features are added to Trend Vision One.
    Principal: Specify the service account used in Trend Vision One.
    Type: Allow
    Applies to: Descendant User objects
    Permissions: Reset password
    Properties:
      • Read pwdLastSet
      • Write pwdLastSet
      • Read userAccountControl
      • Write userAccountControl
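The Option 3 settings listed above, applied with PowerShell and then read back so an administrator can confirm that the service account holds exactly those access control entries and nothing broader. This is an added example, not a script from Trend Micro's documentation: the service account name and the target OU distinguished name are placeholders, and the script assumes the RSAT ActiveDirectory module is installed on the machine where it runs. Schema and extended-right GUIDs are resolved from the directory at run time rather than hard-coded.

```powershell
# Added example (not part of the Trend Vision One documentation). Grants the Option 3 ACEs
# to a service account on an OU and lists them afterwards for verification.
# Assumptions: RSAT ActiveDirectory module; $ServiceAccount and $TargetOU are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-visionone'        # placeholder: the service account used in Trend Vision One
$TargetOU       = 'OU=Users,DC=contoso,DC=com'   # placeholder: container whose descendant user objects are in scope

$rootDse = Get-ADRootDSE

# Look up a schema attribute or class GUID by its lDAPDisplayName.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

# Look up a control access right (extended right) GUID by its display name.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$userClassGuid  = Get-SchemaGuid 'user'
$pwdLastSetGuid = Get-SchemaGuid 'pwdLastSet'
$uacGuid        = Get-SchemaGuid 'userAccountControl'
$resetPwdGuid   = Get-ExtendedRightGuid 'Reset Password'

# Principal: resolve the service account to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Type: Allow. Applies to: Descendant User objects (inherit-only, limited to the user class).
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rw      = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
           [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$rules = @(
    # Permissions: Reset password (extended right)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $resetPwdGuid, $inherit, $userClassGuid)
    # Properties: Read pwdLastSet / Write pwdLastSet
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rw, $allow, $pwdLastSetGuid, $inherit, $userClassGuid)
    # Properties: Read userAccountControl / Write userAccountControl
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rw, $allow, $uacGuid, $inherit, $userClassGuid)
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verification: show only the ACEs held by the service account on the OU.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The final query is useful on its own during a review: running it without the Set-Acl step lists what the service account can currently do under the OU, which makes it easy to spot rights beyond the four the table calls for.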