Least principal account for Western Digital My Cloud EX 4100 NAS Active Directory queries

I have two Western Digital My Cloud EX 4100 NAS devices within my company's network that are both added to Active Directory.

These drives require that an Active Directory account and password be used so that they can query Active Directory.

Using the principal of assigning the minimum rights what privileges do I need to assign to the Active Directory account that will be used by these two Western Digital NAS devices to query Active Directory?

For obvious reasons I don't want to use the domain administrator account or an account that has domain administrator rights for this if possible.

It appears that these NAS devices actually store the Active Directory account username and password that is used for interacting with Active Directory. This is an obvious security risk compared to simply using the domain administrator username and password once for adding a computer to an Active Directory domain (see the screenshot).

We are using a Server 2016 Active Directory environment.

Attached is the owner's manual for this NAS.

Please let me know if any further information is needed.

western-digitial-my-cloud-ex4100-477.pdf

WD-NAS-AD-ACCOUNT
IT GuyNetwork EngineerAsked:
Who is Participating?
 
McKnifeCommented:
Nobody would ever consider to use a domain admin account for queries.
Just take a normal account and limit its logon workstation list to the NAS.
1
 
McKnifeCommented:
Why do you suspect it's such a risk? Who is this machine exposed to?
Let's assume, any domain user can access you NAS - they already have domain accounts, what would be won if the somehow got to the account, that is used for queries? Just tak an account that is not allowed to logon anywhere, but just on the NAS name.
0
 
IT GuyNetwork EngineerAuthor Commented:
I'm concerned that the password for the domain administrator account might be able to be hacked if I am using it for something like this.

What other options or other types of accounts that can be used that won't pose such a potential security risk?
0
 
kevinhsiehCommented:
Normally the account would need to be a domain user at most to query AD. I would try with an account that is a member of domain guests only. If that doesn't work, try domain user.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.