Ability to select a service account to create an AD Joined storage account

When creating a storage account, Nerdio will automatically create a service account to join the storage account to AD.  For a particular client I have, AD service accounts can only be created by another process and placed in a specific OU.  Need a method to select a predefined AD service account to join the storage account to AD.


Comments (7 comments)

Kris Gillette

I believe the functionality you're looking for already exists. Under Settings > Integrations > Directory, you can create multiple configurations for which account to use to join the domain as well as which OU to place the objects in:

When you are creating the storage account, you can choose which one you would like to use for joining to the domain:

Brian Bresnahan

The issue is not with the Directory profile account used to perform the domain join and create the AD Service account, it is with the AD service account that is created in the AD OU to represent the Storage Account.  They are OK with Nerdio creating computer objects, but not service accounts. They have a separate process to create service accounts and they keep them in a separate OU with restrictive permissions so no one can alter them. 

Kris Gillette

If you are ok with it creating a computer account, you can check that box for Nerdio to create a computer account instead of the user account for Azure storage. Alternatively, you could join the file share to AD manually so that you can create and manage the service account according to your organization's policies.

Brian Bresnahan

We would prefer if Nerdio handled the automation of creating the storage account and AD integration because the steps are very tedious to do manually. When using a computer account, the security team may object to blocking the GPO to set the password rotation, and updating manually would create additional processes to maintain.

The default or best practice is to use a service account, where we would fall under the client's practices on changing the password. If the default will not work, then it will create a larger discussion on storage management we would like to avoid.

Kris Gillette

Sorry, Brian Bresnahan, I'm not sure I'm following what it is you're looking for here. You'd like to use a service account, not computer account, for joining the storage account to the domain, and you would like Nerdio to handle this process for you, but you do not want Nerdio to create the account that's being used? While I understand that best practices for some clients may be to change passwords, that's a limitation of the AD Integration, not Nerdio. If you took Nerdio out of the process and did it manually, you would still need to not have the password change on that account.

Brian Bresnahan

We would like Nerdio to be able to select a pre-created service account instead of creating one.

Kris Gillette

You could manually create the service account (see "Enable AD DS authentication for Azure Files" on Microsoft Learn), but it would still be created in the same way that Nerdio would do it, where it uses the Kerberos key for the password. This is a requirement for the AD DS authentication to work, not a Nerdio requirement. From there, you could create a scripted action to do the rest so it can be automated.
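The manual path Kris points to, written out as a scripted action that binds a service account the client's own process has already created instead of creating a new one; this is an added example, not code from the thread or from Nerdio. It assumes the Az.Storage and ActiveDirectory modules are installed, that Connect-AzAccount has already run, and that the installed Az.Storage version accepts the ActiveDirectorySamAccountName and ActiveDirectoryAccountType parameters; every resource and account name in it is a placeholder.

```powershell
# Added example, not Nerdio's code: enable AD DS authentication on an Azure Files storage
# account by binding a pre-created service account that lives in a locked-down OU.
# Placeholder names; replace with the real resource group, storage account and sAMAccountName.
$ResourceGroup  = 'rg-avd-storage'        # placeholder
$StorageAccount = 'stavdprofiles01'       # placeholder, also used to build the SPN
$ServiceAccount = 'svc-stavdprofiles01'   # placeholder: already created by the client's process

# 1. Generate a Kerberos key and read it back. This key becomes the AD account's password,
#    which is why that account has to be excluded from any password-rotation policy.
New-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount -KeyName kerb1 | Out-Null
$kerbKey  = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount -ListKerbKey |
             Where-Object KeyName -eq 'kerb1').Value
$securePw = ConvertTo-SecureString -String $kerbKey -AsPlainText -Force

# 2. Reuse the existing account: fail early if it is missing, then set its password to the
#    Kerberos key and register the SPN that SMB clients will request a ticket for.
$adUser = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalNames -ErrorAction Stop
Set-ADAccountPassword -Identity $adUser -NewPassword $securePw -Reset
Set-ADUser -Identity $adUser -KerberosEncryptionType AES256 -PasswordNeverExpires $true -Enabled $true `
    -ServicePrincipalNames @{ Add = "cifs/$StorageAccount.file.core.windows.net" }

# 3. Point the storage account at the domain and at the identity now bound to it.
$domain = Get-ADDomain
$sid    = (Get-ADUser -Identity $ServiceAccount).SID.Value
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -EnableActiveDirectoryDomainServicesForFile $true `
    -ActiveDirectoryDomainName        $domain.DNSRoot `
    -ActiveDirectoryNetBiosDomainName $domain.NetBIOSName `
    -ActiveDirectoryForestName        $domain.Forest `
    -ActiveDirectoryDomainGuid        $domain.ObjectGUID.Guid `
    -ActiveDirectoryDomainSid         $domain.DomainSID.Value `
    -ActiveDirectoryAzureStorageSid   $sid `
    -ActiveDirectorySamAccountName    $ServiceAccount `
    -ActiveDirectoryAccountType       User | Out-Null

# 4. Check what the storage account reports before handing the share to users.
(Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).AzureFilesIdentityBasedAuth
```

The account the script touches must stay excluded from the domain's password-rotation GPO, since a rotated password breaks the Kerberos key binding until the key is regenerated and reapplied.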
