AD Service Account Permissions for AD Spoke
09-04-2023 02:04 AM
I am setting up an IntegrationHub configuration for AD and having some issues with the AD Service Account.
ServiceNow provides some reference to the required permission set; however, the customer will not allow Domain Admin access.
Microsoft AD spoke – Permissions required to execute actions
The Service Account has the account_operator role assigned.
The credential test fails when targeting the AD server; however, it is successful when testing against the MID server.
Is there a base permission set that can be applied?
08-16-2024 06:57 AM
We had the exact same problem and got into a call with ServiceNow. So for actions listed in the below KB article, yes, you need admin access to the DC (Domain Controller). Our AD team is not ready to give this access to the Service Account, and so we have asked ServiceNow whether an alternate solution exists. But we haven't heard anything positive from them yet.
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1005260
01-22-2025 02:08 AM
Hi @Harini17, any updates on the topic? I have the same requirement at a client. We checked all permissions, and only Domain Controller admin could execute any of the actions mentioned in the article. The client refuses to give this role to the Service Account user.
10-09-2024 12:37 AM
Please use only the Microsoft Active Directory v2 Spoke, and not the Microsoft AD Spoke, for all future developments.
All spokes do is mimic actions required to be performed on the third party. At the bare minimum, whatever role you require to perform those actions via PowerShell cmdlets, you will need at least those for the spoke credential as well.
01-22-2025 02:55 AM
I reiterate Shreya's comments, and in addition:
In order to test the credential, I would recommend running the action and seeing its response.
You can also test the credential by directly executing the AD cmdlet on the MID server.