ADAudit Plus

Service Account Configuration

w w w. adauditplus.c om
 Table of Contents
1. New user, group, and GPO creation 1

1.1 Create a new user 1

1.2 Create a new group 1

1.3 Create a new domain level GPO and link it to all the audited computers 1

2. Privileges/permissions required for event log collection 2

2.1 Grant the user the Manage auditing and security log right 2

2.2 Make the user a member of the Event Log Readers group 3

3. Privileges/permissions required for automatic audit policy

and object level auditing configuration 5

3.1 Privileges/permissions required for Domain Controller auditing configuration 5

3.2 Privileges/permissions required for member server, workstation, and file 2

server auditing configuration 5

3.2.1 Make the user a member of the Group Policy Creator Owners group 5

3.2.2 Garnt the user, group management permissions 6

4. Privileges/permissions required for file server auditing 7

4.1 Make the user a member of the Power Users group 7

4.2 Grant the user Read permission on all audited shares 8

4.3 Grant the user DCOM and WMI permissions 10

4.4 Grant the user read permission over the c$ share (\\server_name\C$): 12

5. Other privileges/permissions required 12

Introduction
ADAudit Plus instantly starts to audit activities upon providing Domain Admin credentials. If you do not
want to provide Domain Admin credentials, follow the steps laid out in this guide to set-up the service
account to have only the least privileges required for auditing your environment.

Note: If you want to configure multiple domains in ADAudit Plus, we recommend creating separate
service accounts for each individual domain.

1. New user, group, and GPO creation

1.1 Create a new user
Log in to your Domain Controller with Domain Admin privileges Open Active Directory

Users and Computers Right click on your domain New User Name the user

as "ADAudit Plus".

1.2 Create a new group

Log in to your Domain Controller with Domain Admin privileges Open Active Directory

Users and Computers Right click on your domain New Group Name the group

as "ADAudit Plus Permission Group".

Add all the audited computers as members of the "ADAudit Plus Permission Group":

Right click on the "ADAudit Plus Permission Group" Properties Members Add all the

Domain Controllers, Windows servers and workstations that you wish to audit.

1.3 Create a new domain level GPO and link it to all the
audited computers
Since configuring permissions on individual computers is an elaborate process, a domain level

GPO is created and applied on all monitored computers.

Log in to your Domain Controller with Domain Admin privileges.

Create a new domain level GPO:

Open the Group Policy Management Console Right click on your domain Create a GPO

in this domain and link it here Name the GPO as "ADAudit Plus Permission GPO"

Remove Apply group policy permission for Authenticated Users group:

Click on the "ADAudit Plus Permission GPO" Navigate to the right panel, click on the

Delegation tab Advanced Click on Authenticated Users Remove the Apply group

policy permission.

1 www.adauditplus.com
 Add the "ADAudit Plus Permission Group" to the security filter settings of the

"ADAudit Plus Permission GPO":

Open the Group Policy Management Console Domain Select the "ADAudit Plus

Permission GPO" Navigate to the right panel, click on the Delegation tab Advanced

Add "ADAudit Plus Permission Group".

2. Privileges/permissions required for event log collection

2.1 Grant the user the Manage auditing and security log right
The Manage auditing and security log right allows the user to define object level auditing.

Log in to your Domain Controller with Domain Admin privileges Open the Group Policy

Management Console Right click on the "ADAudit Plus Permission GPO" Edit.

In the Group Policy Management Editor Computer Configuration Policies Windows

Settings Security Settings Local Policies User Rights Assignment.

Navigate to the right panel, right click on Manage auditing and security log Properties

Add the "ADAudit Plus" user.

2 www.adauditplus.com
2.2 Make the user a member of the Event Log Readers group
Members of the event log readers group will be able to read the event logs of all the audited computers.

For Domain Controllers:

Log in to your Domain Controller with Domain Admin privileges Open Active Directory

Users and Computers Builtin Container Navigate to the right panel, right click on

Event Log Readers Properties Members Add the "ADAudit Plus" user.

3 www.adauditplus.com
 For other computers (Windows servers and workstations):

a. Log in to your Domain Controller with Domain Admin privileges Open the Group Policy

Management Console Right click on the "ADAudit Plus Permission GPO" Edit.

b. In the Group Policy Management Editor Computer Configuration Preferences

Control Panel Settings Right click on Local Users and Groups New Local Group

Select Event Log Readers group under group name Add the "ADAudit Plus" user.

Note: To read the event logs, you also need to grant the "ADAudit Plus" user Read permission over

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security.

Log in to your Domain Controller with Domain Admin privileges Open the Group Policy

Management Console Right click on the "ADAudit Plus Permission GPO" Edit.

In the Group Policy Management Editor Computer Configuration Policies Windows

Settings Security Settings Right-click Registry Add Key.

In the Select Registry Key Window, navigate to MACHINE SYSTEM CurrentControlSet

Services EventLog Security Click OK Grant Read permission to

"ADAudit Plus" user Click Apply.

In the Add Object window, select Configure this key then Replace existing permissions on

all subkeys with inheritable permissions Click OK.

4 www.adauditplus.com
3. Privileges/permissions required for automatic audit
policy and object level auditing configuration
3.1 Privileges/permissions required for Domain Controller
auditing configuration
Granting the service account the following privileges/permissions, allows ADAudit Plus to

automatially configure the required audit policy and object level auditing settings in your

environment. ADAudit Plus does this by pushing the required settings via GPO, to the group which

contains all the monitored computers.

Log in to your Domain Controller with Domain Admin privileges Open the Group Policy

Management Console click on Default Domain Controllers Policy Navigate to the right

panel, click on the Delegation tab Add the ADAudit Plus User Provide permission

to Edit settings.

3.2 Privileges/permissions required for member server, workstation,

and file server auditing configuration
3.2.1 Make the user a member of the Group Policy Creator Owners group

Log in to your Domain Controller with Domain Admin privileges Open Active Directory

Users and Computers Click on Users Navigate to the right panel, right click on Group

Policy Creator Owners group Add the "ADAudit Plus" user as a member.

5 www.adauditplus.com
3.2.2 Grant the user, group management permissions

Log in to your Domain Controller with Domain Admin privileges Open Active Directory

User and Computers. Click on View and ensure that Advanced Features is enabled.

This will display the advanced security settings for selected objects in Active Directory

Users and Computers.

Right-click Users Properties Security Advanced Permissions Add In the

Permissions Entry for Users window, Select a principal: ADAudit Plus user Type: Allow

Applies to: This object and all descendant objects Select permissions: Create Group

objects and Delete Group objects.

Note: Use Clear all to remove all permissions and properties before selecting the

mentioned permissions.

6 www.adauditplus.com
 From the Active Directory User and Computers console Right-click Users Properties

Security Advanced Permissions Add In the Permission Entry for Users

window Select a principal: ADAudit Plus user Type: Allow Applies to: Descendant

Group objects Select property: Write Members.

Note: Use Clear all to remove all permissions and properties before selecting the mentioned property.

4. Privileges/permissions required for file server auditing

4.1 Make the user a member of the Power Users group
Members of the Power Users group will be able to discover shares residing on Windows file servers.

Log in to your Domain Controller with Domain Admin privileges Open the Group Policy

Management Console Right click on the "ADAudit Plus Permission GPO" Edit.

In the Group Policy Management Editor Computer Configuration Preferences

Control Panel Settings Right click on Local Users and Groups Add Local Group.

In the New Local Group Properties wizard, select Update under Action Select Power

Users group under group name Add the "ADAudit Plus" user.

7 www.adauditplus.com
4.2 Grant the user Read permission on all audited shares
There are two ways to grant the user Read permission on all the audited shares-

Make the user a Member of the Local Administrators group.

a. Login to any computer with Domain Admin privileges Open MMC console File

Add/Remove Snap-in Select Local Users and Groups Add Another computer

Add target computer

b. Select target computer Open Local Users and Groups Select Groups Right click

on administrators Properties Add "ADAudit Plus" user.

c. Repeat the above steps for every audited Windows file server/cluster.

8 www.adauditplus.com
 Grant the user both Share and NTFS, Read permission on every audited share.

a. Login to any computer with Domain Admin privileges Open MMC console File

Add/Remove Snap-in Select Shared Folders Add Another computer

Add target computer

b. Select target computer Select share Right click Properties Security

Edit Add the "ADAudit Plus" user Provide both Share and NTFS, Read permission.

c. Repeat the above steps for every audited share.

9 www.adauditplus.com
4.3 Grant the user DCOM and WMI permissions
Note: DCOM and WMI permissions are needed for file cluster auditing and WMI mode of

event collection, respectively.

Granting DCOM permission:

a. Log in to any computer with Domain Admin privileges Open Component Services

Connect to target computer Right click on target computer Properties COM Security.

b. Navigate to Launch and Activation Permissions Edit Limits Security Limits

Add the "ADAudit Plus" user and grant the following permissions:

Local Launch

Remote Launch

Local Activation

Remote Activation.

c. Repeat the steps for every audited computer.

Granting WMI permission:

a. Log in to any computer with Domain Admin privileges Run wmimgmt.msc Right click on

WMI Control (Local) Connect to target computer.

b. Right click on WMI Control (target computer) Properties Security +Root CIMV2

Security Add the "ADAudit Plus" user and grant the following permissions:

Execute Methods

Enable Account

Remote Enable

c. Click OK.

10 www.adauditplus.com
 d. Navigate to +Root +RSOP Computer Security Add the "ADAudit Plus" user and

grant the following permissions:

Execute Methods

Enable Account

Remote Enable

e. Click OK.

f. Repeat the steps for every audited computer.

11 www.adauditplus.com
Note: If multiple computers are audited, you may prefer automating the above process by running a

script through Group Policy. Please contact support@adauditplus.com for more details.

4.4 Grant the user read permission over the c$ share

(\\server_name\C$):
Note: Read permission over C$ share (\\server_name\C$) is needed to access NetApp C-Mode log files.

5. Other privileges/permissions required

Grant the user Read permission over the SYSVOL folder:

Read permission over the SYSVOL folder is needed for GPO Settings change auditing.

Note: By default, all Authenticated Users have read permission over the sysvol folder, if the

"ADAudit Plus" user does not, the Read permission has to be provided by following the

steps listed below.

Navigate to the sysvol folder (C:\Windows\SYSVOL\sysvol) Right click Properties

Sharing Advanced sharing Permissions Add the "ADAudit Plus" user Provide

Share Read permission.

12 www.adauditplus.com
 Grant the user Full control over the product installation folder:

Full control over the product installation folder is needed for ADAudit Plus to write in

the database.

a. Log in to the computer where ADAudit Plus is installed with Domain Admin privileges

Locate the product installation folder Right click Properties Security Edit Add the

"ADAudit Plus" user and provide full control.

Grant the user Full control over ADAudit Plus' archive folder:

Full control over the archive folder is needed for storing and retrieving archived data from

the database.

Note: By default, the Archive folder is stored in the installation folder (<Installation_folder>\

ManageEngine\ADAudit Plus\arhcive). If the Archive folder is saved elsewhere, NTFS Full control

permission needs to be provided by following the steps listed below.

a. To find out the location of the Archive Folder: Open ADAudit Plus Admin Archive Events

Scroll down to see the location.

b. Log in to target computer with Domain Admin privileges Locate the folder Right click

on the folder Properties Security Edit Add the ADAudit Plus User Provide NTFS

Full control permission.

Grant the user Full control over all ADAudit Plus Scheduled Reports folders:

Full control over a Scheduled Reports folder is needed for saving the scheduled report in the

specified location.

Note: By default, the Schedule Reports folder is stored in the installation folder (<Installation_folder>\

ManageEngine\ADAudit Plus). If the Schedule Reports folder is saved elsewhere, NTFS Full control

permission needs to be provided by following the steps listed below.

13 www.adauditplus.com
 a. To find out the location of a Scheduled Reports Folder: Open ADAudit Plus Admin

Schedule Reports Modify Schedule Report Scroll down to see the location.

b. Log in to target computer with Domain Admin privileges Locate the folder Right click

on folder Properties Security Edit Add the ADAudit Plus User Provide NTFS

Full control permission.

c. Repeat the steps on all Schedule Reports folders.

Grant the user Read and Execute permission over all ADAudit Plus' Alert Script folders:

Read and Execute permissions on a alert script folder is needed for executing script files

once an alert gets triggered.

Note: By default, the Alert Scripts folder is stored in the installation folder (<Installation_folder>\

ManageEngine\ADAudit Plus). If the Alerts Script folder is saved elsewhere, NTFS Read and Execute

permission needs to be provided by following the steps listed below.

a. To find out the location of a Folder: Open ADAudit Plus Configuration Modify Alert

Profile Scroll down to see the location.

b. Log in to target computer with Domain Admin privileges Locate the folder Right click

on folder Properties Security Edit Add the ADAudit Plus User Provide NTFS

Read and Execute permissions.

c. Repeat the steps on all Alert Script folders.

Grant the user DCOM and WMI permissions:

DCOM and WMI permissions are needed for WMI mode of event collection and for RSoP data

to be shown for Domain Controllers, Windows member servers and workstations.

a. To grant the user DCOM and WMI permissions, follow these steps.

14 www.adauditplus.com
 Our Products
AD360 | Log360 | ADManager Plus | ADSelfService Plus | DataSecurity Plus | M365 Manager Plus

ManageEngine ADAudit Plus is an IT security and compliance solution. With over 200 event-specific reports and

real-time email alerts, it provides in-depth knowledge about changes effected to both the content and configuration

of Active Directory, Azure AD and Windows servers. Additionally it also provides thorough access intelligence for

workstations and file servers (including NetApp and EMC).

To learn more about how ADAudit Plus can help you with all your Active Directory auditing needs, please visit:

https://www.manageengine.com/products/active-directory-audit/

Get Quote Download