hello team,
could you provide me the permission requirements for Icinga Agent and Icinga PowerShell Service when it comes to using a Domain user.
What should be requested? What type of Domain account.
NT AUTHORITY\NetworkService is forbidden.
mj
There are no permission requirements for icinga’s agent itself (for powershell I don’t know since we not using it). It depends only on your plugins and their requirements. I’d simply create an AD user and configure icinga service to run as this user. And then identify any additional requirements and add according grants to that user.
hello Roland,
tell me plz if I will staid using NT AUTHORITY\NetworkService but with disabled seImpersonatePrivilege.
Would it be an issue?
mj
As already mentioned, it belongs to your check plugins and their permission requirements.
May Domain Adminstator put some permission like process, network or storage to you?
what about gMSA account with JEA ?
Source for Icinga:
How to JEA with build-in Icinga feature: https://icinga.com/docs/icinga-for-windows/latest/doc/130-JEA/01-JEA-Profiles/
Source for AD:
JEA: Overview of Just Enough Administration (JEA) - PowerShell | Microsoft Docs
gMSA: Secure group managed service accounts | Microsoft Docs