AD Service Account Permissions for AD Spoke

MJ30
Tera Contributor

I am setting up an IntegrationHub configuration for AD and having some issues with the AD Service Account.

 

ServiceNow provides some reference to the required permission set; however, the customer will not allow Domain Admin access.

 

Microsoft AD spoke – Permissions required to execute actions 

 

The Service Account has the account_operator role assigned.

 

The credential test fails when targeting the AD server; however, it is successful when testing against the MID server.

 

Is there a base permission set that can be applied?

 


Harini17
Tera Expert

We had the exact same problem and got into a call with ServiceNow. So for actions listed in the below KB article, yes, you need admin access to the DC (Domain Controller). Our AD team is not ready to give this access to the Service Account, and so we have requested ServiceNow if an alternate solution exists. But haven't heard anything positive from them yet.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1005260

Hi @Harini17, any updates on the topic? I have the same requirement at a client. We checked all permissions and only Domain Controller admin could execute any of the actions mentioned in the article. The client refuses to give this role to the Service Account user.

Shreya Shah
ServiceNow Employee

Please use only Microsoft Active Directory v2 Spoke, and not Microsoft AD Spoke for all future developments.

 

All spokes do is mimic actions required to be performed on the third party. At the bare minimum, whatever role you require to perform those actions via PowerShell cmdlets, you will need at least those for the spoke credential as well.

Nithin Thumalap
ServiceNow Employee

I reiterate Shreya's comments, and in addition to that:

In order to test the credential, I would recommend running the action and seeing its response.

You can also test the credential by directly executing the AD cmdlet on the MID server.
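The two suggestions above (Shreya's point that the spoke needs at least the rights the equivalent PowerShell cmdlets need, and Nithin's point that you can test the credential by running AD cmdlets directly on the MID server) can be combined into one check. The script below is an added example written for this thread, not code from ServiceNow or from any poster; it runs on the MID server host as the service account and records, per action, whether the account's delegated rights are sufficient, so the AD team can see exactly which rights are missing without handing out Domain Admin. It assumes the RSAT ActiveDirectory module is installed on the MID server host, and `$DomainController`, `$ServiceAccountUpn` and `$TestUser` are placeholders to replace; the test user should be a disposable account created for this purpose.

```powershell
# Added example for this thread (not ServiceNow code): probe the AD spoke service account's
# effective rights from the MID server host by running the same cmdlets the spoke would run.
# Assumptions: RSAT ActiveDirectory module present; the three values below are placeholders.
Import-Module ActiveDirectory

$DomainController  = 'dc01.example.local'         # placeholder: the DC the spoke targets
$ServiceAccountUpn = 'svc-snow-ad@example.local'  # placeholder: the spoke service account
$TestUser          = 'ad-spoke-probe'             # placeholder: disposable test account, not a real user

# Prompt for the password so it never sits in the script or the shell history.
$cred = Get-Credential -UserName $ServiceAccountUpn -Message 'AD spoke service account'

# One probe per spoke action. Each runs as the service account (-Credential), never as the
# logged-in admin, so a pass means the delegated rights are enough for that action.
$probes = [ordered]@{
    'Read domain'      = { Get-ADDomain -Server $DomainController -Credential $cred | Out-Null }
    'Read user'        = { Get-ADUser -Identity $TestUser -Server $DomainController -Credential $cred | Out-Null }
    'Update attribute' = { Set-ADUser -Identity $TestUser -Description "probe $(Get-Date -Format s)" -Server $DomainController -Credential $cred }
    'Unlock account'   = { Unlock-ADAccount -Identity $TestUser -Server $DomainController -Credential $cred }
}

# Run every probe, catching the access-denied (or other) error so one failure does not
# stop the rest; the resulting table is what you hand to the AD team.
$results = foreach ($name in $probes.Keys) {
    try {
        & $probes[$name]
        [pscustomobject]@{ Action = $name; Result = 'OK';     Error = '' }
    } catch {
        [pscustomobject]@{ Action = $name; Result = 'FAILED'; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

Add one entry to `$probes` for each spoke action you intend to use (the cmdlet the action wraps is the one to probe), and keep the writes limited to the disposable test account so the probe itself changes nothing in production. A `FAILED` row with an access-denied message points at the specific delegation that is still missing, which is a far smaller ask of the AD team than Domain Admin.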