Any Websense Gurus?
I've seen that some of you have deployed Websense in your companies and I have just one question -
Does it REALLY require a frickin' DOMAIN ADMIN account to run?
Our network engineer is in charge of the Websense server and he insists that it will only work as a Domain Admin user and Websense support agrees and won't help unless we follow the guidelines of using a domain admin. 9 times out of 10, when I see software documentation stating that Domain Admin is required, it's usually not; figuring out what needs to be delegated to the service account is enough. I just don't understand what it is Websense needs to access for web filtering and reporting.
I'm kind of pissed that I have to waste my time with this and I'll be pushing to move to another solution next year, but for now, this is on my plate and I'm not going to allow another domain admin account unless there is absolutely no choice.
Any input from you Websense guys would be appreciated.
Thanks...
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
Comments
Megadeth4168 Member Posts: 2,157
I'm not sure if the following FAQ selections are going to satisfy your answer or not.
Question:
So if the machine is already logged in as Admin, the services should be ok with it
being a local system login?
Answer:
In Windows Services, Websense User Service still needs to be configured to run
under a Domain Admin account when AD is in mixed mode. However, when AD
runs in native mode, User Service can run as a Local System account because
the domain credentials will be configured in the Directory Service settings of
Websense Manager.
Question:
Does the Websense User Service account need Domain Administrator rights?
Answer:
Websense User Service can use a Domain User account to pull directory objects
under most circumstances. However, if the Domain User account does not pull
the directory objects as expected, then it may be necessary to use Domain
Administrator account rights. See Websense KB 980 for additional information.
DC Agent and User Service permissions
In most situations, Websense, Inc. recommends that you grant domain administrator access rights to both DC Agent and User Service. These services only monitor information; they do not change anything in the domain.
If you are receiving DC Agent or User Service errors, you can enable directory service auditing to find out which user or group objects Websense software is trying to access, and which access attempts are being denied. If you cannot grant domain administrator rights to DC Agent and User Service, do the following:
1. Create a user account with a meaningful name (such as Websense) in your domain. Refer to Microsoft documentation for configuring your domain controller. Although it is possible to use an existing account, it is preferable to have a dedicated Websense account. No special privileges are required. The account has no function other than to provide a security context for directory object access.
2. Set the password for the new user to never expire, and then make a record of the user name and password. You will need this information again later in the process.
3. In the Windows Control Panel, select Administrative Tools > Services. The Services dialog box opens.
4. Select Websense DC Agent in the list, and then click Stop.
5. Select Websense User Service, and then click Stop.
6. Double-click Websense DC Agent.
7. Click the Log On or Log On As tab, and then select This account.
8. Enter the user name of the Websense user account created in step 1. Some environments require that you enter the name in the format user@domain.com.
9. Enter and confirm the password for the account, and then click OK.
10. Repeat the previous steps for the DC Agent service.
11. Restart the Websense services:
    1. Select the Websense User Service and click Start.
    2. Select the Websense DC Agent and click Start.
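
The procedure quoted above, scripted in PowerShell together with the audit-log lookup it mentions, as an added example that is not part of the original post or of Websense documentation. It assumes the service display names shown in the steps, an account named Websense as suggested in step 1, a placeholder domain controller name DC01, and Windows Server 2008 or later, where failed directory object access is logged as Security event 4662 once directory service auditing is enabled.

```powershell
# Added example, not from the thread or from Websense. Run elevated on the Websense server.
# Assumed: display names as listed in the Services console; DC01 is a placeholder DC name.
$displayNames = 'Websense DC Agent', 'Websense User Service'
$cred = Get-Credential -Message 'Dedicated Websense domain user (no admin group membership)'

$services = foreach ($dn in $displayNames) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$dn'"
    if (-not $svc) { throw "Service '$dn' not found on this host." }
    $svc
}

# Steps 4-5: stop both services before changing the logon account.
$services | ForEach-Object { Stop-Service -Name $_.Name -Force }

# Steps 6-10: set "This account" on each service.
# Unlike the Services console, this call does not grant "Log on as a service";
# assign that right to the account separately or the start below fails.
foreach ($svc in $services) {
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $cred.UserName
        StartPassword = $cred.GetNetworkCredential().Password
    }
    if ($r.ReturnValue -ne 0) { throw "Change failed for $($svc.Name): code $($r.ReturnValue)" }
}

# Step 11: start User Service first, then DC Agent.
Start-Service -DisplayName 'Websense User Service'
Start-Service -DisplayName 'Websense DC Agent'

# Audit check: list directory objects the account was denied access to.
# Requires failure auditing of directory service access to be enabled on the DC.
$sam = 'Websense'                 # account name from step 1 (assumed)
$auditFailure = 4503599627370496  # Security log keyword "Audit Failure" (0x10000000000000)
Get-WinEvent -ComputerName 'DC01' -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4662; Keywords = $auditFailure
} | ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d['SubjectUserName'] -eq $sam) {
        [pscustomobject]@{ Time = $_.TimeCreated; Object = $d['ObjectName']
                           Type = $d['ObjectType'];  Access = $d['AccessMask'] }
    }
} | Sort-Object Object -Unique
```

The objects listed by the last pipeline are the ones to delegate read access on for the dedicated account, instead of adding it to Domain Admins.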