Least-privilege account for Western Digital My Cloud EX 4100 NAS Active Directory queries

I have two Western Digital My Cloud EX 4100 NAS devices within my company's network that are both added to Active Directory.

These drives require that an Active Directory account and password be used so that they can query Active Directory.

Using the principle of assigning the minimum rights, what privileges do I need to assign to the Active Directory account that will be used by these two Western Digital NAS devices to query Active Directory?

For obvious reasons I don't want to use the domain administrator account or an account that has domain administrator rights for this if possible.

It appears that these NAS devices actually store the Active Directory account username and password that is used for interacting with Active Directory. This is an obvious security risk compared to simply using the domain administrator username and password once for adding a computer to an Active Directory domain (see the screenshot).

We are using a Server 2016 Active Directory environment.

Attached is the owner's manual for this NAS.

Please let me know if any further information is needed.

western-digitial-my-cloud-ex4100-477.pdf

WD-NAS-AD-ACCOUNT
IT Guy (Network Engineer) asked:

McKnife commented:
Why do you suspect it's such a risk? Who is this machine exposed to?
Let's assume any domain user can access your NAS. They already have domain accounts, so what would be won if they somehow got to the account that is used for queries? Just take an account that is not allowed to log on anywhere but the NAS name.
0
IT Guy (Network Engineer, author) commented:
I'm concerned that the password for the domain administrator account might be able to be hacked if I am using it for something like this.

What other options or types of accounts can be used that won't pose such a potential security risk?
0
kevinhsieh commented:
Normally the account would need to be a domain user at most to query AD. I would try with an account that is a member of domain guests only. If that doesn't work, try domain user.
0
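To try kevinhsieh's suggestion without guessing, the script below (an added example, not code from the thread or from Western Digital) binds to the domain as the candidate account and runs the two read-only searches a NAS typically performs when it resolves users and groups for share permissions. The DC name dc01.corp.example, the base DN and the account name svc-nas-ldap are placeholders. Run it from a domain-joined Windows host before entering the account into the NAS: a failed bind means the account cannot log on at all (wrong password, disabled, or restricted by a "Log On To" workstation list), and zero objects returned means it lacks read access to the directory.

```powershell
# Added example: verify that a candidate low-privilege account can perform the
# read-only LDAP queries a NAS needs. Placeholder names: dc01.corp.example,
# DC=corp,DC=example, CORP\svc-nas-ldap. Needs .NET System.DirectoryServices,
# which ships with Windows PowerShell on any Windows host.
param(
    [string]$Server = 'dc01.corp.example',
    [string]$BaseDn = 'DC=corp,DC=example',
    [string]$User   = 'CORP\svc-nas-ldap'
)

$cred  = Get-Credential -UserName $User -Message 'Password of the candidate NAS query account'
$plain = $cred.GetNetworkCredential().Password

# Bind as the candidate account itself, not as the admin running the script.
# AuthenticationTypes.Secure = Negotiate (Kerberos/NTLM), signed and sealed.
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Server/$BaseDn", $cred.UserName, $plain,
    [System.DirectoryServices.AuthenticationTypes]::Secure)

try {
    # Touching NativeObject forces the bind; it throws on bad credentials or a denied logon.
    $null = $root.NativeObject
} catch {
    Write-Error "Bind failed for $User : $($_.Exception.Message)"
    return
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.PageSize = 500   # paged results, so large domains do not hit the server size limit

# The lookups a NAS runs to map domain users/groups to share ACLs.
$checks = @(
    @{ Name = 'users';  Filter = '(&(objectCategory=person)(objectClass=user))'; Attrs = 'sAMAccountName','objectSid' }
    @{ Name = 'groups'; Filter = '(objectCategory=group)';                         Attrs = 'sAMAccountName','objectSid','member' }
)

foreach ($c in $checks) {
    $searcher.Filter = $c.Filter
    $searcher.PropertiesToLoad.Clear()
    $c.Attrs | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    $results = $searcher.FindAll()
    '{0,-7} readable: {1,5} objects' -f $c.Name, $results.Count
    $results.Dispose()
}
```

If the bind succeeds and both searches return objects with an account that holds no group membership beyond its primary group, that account is all the NAS needs; there is no reason to hand it anything more.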
McKnife commented:
Nobody would ever consider using a domain admin account for queries.
Just take a normal account and limit its logon workstation list to the NAS.
1
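One way to provision the account McKnife describes, as an added example rather than code from the thread: create a dedicated unprivileged user, pin it to the two NAS computer names with the "Log On To" (LogonWorkstations) restriction, and then print its memberships so you can confirm it holds nothing beyond its primary group. The OU, domain corp.example, account name svc-nas-ldap and NAS NetBIOS names NAS01/NAS02 are assumptions. One caveat worth testing: the workstation restriction is enforced by the DC from the machine name carried in the logon request, so after setting it, confirm from a different host that a bind as this account is actually rejected; if the NAS firmware uses a plain LDAP simple bind the DC may have no machine name to match, in which case the restriction adds nothing and you are relying on the account simply having no rights.

```powershell
# Added example: create a least-privilege AD account for the NAS directory queries.
# Assumed names: OU=Service Accounts,DC=corp,DC=example, svc-nas-ldap, NAS01, NAS02.
# Run as an account that may create users in that OU (delegated; Domain Admin not needed).
# Requires the ActiveDirectory module from RSAT.
Import-Module ActiveDirectory

$name    = 'svc-nas-ldap'
$ou      = 'OU=Service Accounts,DC=corp,DC=example'
$nasList = 'NAS01,NAS02'   # comma-separated NetBIOS names, no spaces, at most 64 entries
$pw      = Read-Host -AsSecureString "Password for $name (long and random; the NAS will store it)"

# Plain user object: Domain Users as primary group, no other memberships.
# PasswordNeverExpires because the NAS cannot rotate a stored password itself;
# rotate it on a schedule and update both NAS configurations at the same time.
New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@corp.example" `
    -Path $ou -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'LDAP query account for WD My Cloud EX4100 (NAS01/NAS02); read-only, no extra groups'

# "Log On To" restriction: the DC refuses logons for this account from any other machine name.
Set-ADUser -Identity $name -LogonWorkstations $nasList

# Show what the account actually is: primary group only, no admin-type memberships,
# no adminCount (which would indicate it was ever in a protected group).
$u = Get-ADUser $name -Properties MemberOf, LogonWorkstations, adminCount, PrimaryGroup
[pscustomobject]@{
    Account           = $u.SamAccountName
    PrimaryGroup      = $u.PrimaryGroup
    ExtraGroups       = ($u.MemberOf -join '; ')
    LogonWorkstations = $u.LogonWorkstations
    AdminCount        = $u.adminCount
}
```

Because the password ends up stored on the NAS, treat the account as compromised the day either NAS is, and rotate the password then; with no group memberships and a logon restriction, the blast radius of that compromise is read access to the directory, which any domain user already has.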

Windows Server 2016