Chat now with support
Chat mit Support

Enterprise Reporter 3.5 - Installation and Deployment Guide

Product Overview Installation Considerations for Enterprise Reporter Installing and Configuring Enterprise Reporter Managing Your Enterprise Reporter Deployment Troubleshooting Issues with Enterprise Reporter Appendix: Database Content Wizard Appendix: Encryption Key Manager Appendix: Log Viewer

Optimize Nested Group Membership Collection

Depending on the reports that will be run, you may need to collect data to show nested group memberships. It is more efficient to collect to group members through Active Directory® discoveries than using the nested group membership options in individual discoveries of other types. This also helps avoid collecting the same accounts in multiple discoveries. The recommended practice for collecting nested group members is to:
Collect accounts from each domain of interest (one discovery per domain, and be sure to include all other data that you need from that domain). This results in the groups and members in the domain being collected once.
If a domain has groups with members from other domains for which you do not have separate discoveries, you should collect foreign group members to ensure complete data.
Do not collect group members in NTFS, Registry, or MS SQL discoveries, if you will have all the information needed for reporting from the Active Directory or Exchange discoveries.
* 
NOTE: If you are not running Active Directory or Exchange discoveries, you will need to include the nested group members in NTFS, Registry, or MS SQL discoveries.

Optimize Nested Group Membership Collection for Azure and Office 365 Discoveries

Depending on the reports that will be run, you may need to collect data to show nested group memberships. It is more efficient to collect group members through the Azure Active Directory discoveries than using the nested group membership option on the Azure Resource, Exchange Online, or OneDrive discovery.This also helps to avoid collecting the same accounts in multiple discoveries.

Discovery Permission Requirements

The following sections outline the permission requirements for discoveries.

See also:
Detailed permissions for Enterprise Reporter discoveries
Permissions for Enterprise Reporter discoveries on NAS devices
Permissions for Enterprise Reporter tenant applications

Detailed permissions for Enterprise Reporter discoveries

The following table outlines the permissions required for Enterprise Reporter discoveries.

Table 30. Detailed permissions required for Enterprise Reporter discoveries
Discovery Type
Permissions Required for Discovery Credential

Active Directory

An account with Active Directory read permissions is required to collect domain information, trusts, sites, domain controllers, and Active Directory computers, users, groups, and organizational units.

The account being a member of the Built-in Domain Users group is sufficient to assign read permissions.

Azure Active Directory

An identity with read permission for the discovery target tenant. Read permissions are required for collection of tenant information, Azure Active Directory users, groups, group members, roles, and service principals.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter Azure application required for this discovery. See the Configuration Manager User Guide

Azure Resource

An identity with read permissions for the discovery target tenant. Read permissions are required for collection of subscription, Resource groups, and resources.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter Azure Resource application required for this discovery.

Computer

An account with local administrator access on the scope computers to collect computer information, local groups and users, printers, services, policies, and event logs.

Exchange

To collect from Exchange targets, the credential account must have a mailbox on the target organization with access to read the permissions on the targets through EWS.

To collect from Exchange 2013, 2016, or Mixed Modes, the credentials must be a member of the Organization Management Group.

To collect from Exchange 2016 or Exchange 2019, the credentials must have an administrator role with an assigned “ApplicationImpersonation” role.

Exchange Online

An account with access to the discovery target tenant.

Read permission is required for collection of all Exchange Online information including mailboxes, mailbox delegates, public folders, mail-enabled users, mail contacts, distribution groups, group members, and permissions.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as previously stated.

File Storage Analysis

An account with local administrator access on the scoped computer is required to collect file, folder, share, and home drive analysis data.

For permissions required when collecting NAS devices, see Permissions for Enterprise Reporter discoveries on NAS devices .

Microsoft SQL

An account with local administrator access on the SQL Server is required.

Additionally, the account must have read access to the scoped database to collect database information.

At a minimum, if not using fixed roles, the following SQL permissions are required on the securable object being used for collection.
Grant View Any Definition
Grant View Server State
Grant View Connect Any Database
Grant View Select All Securables

Microsoft Teams

The user credentials used to collect Microsoft Teams information must have either the Teams Administrator or Global Administrator permissions.

The user must also be a member of each Microsoft Teams group to prevent access denied errors during disk discovery.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter Microsoft Teams application required for this discovery.

NTFS

If collecting through the administrator share, an account with local administrator access to the scoped computer is required.

If collecting through a network share, an account with read permissions to the scoped shares is required.

For permissions required when collecting NAS devices, see Permissions for Enterprise Reporter discoveries on NAS devices .

OneDrive

An account with access to the discovery target tenant. Administrator permissions are required for collection of all drives including drive information, configuration settings, files, folders, and permissions. A SharePoint administrator role is recommended.

Additionally, the discovery credentials must have site collection administrator rights to each drive that is being collected.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter OneDrive application required for this discovery.

Registry

An account with local administrator access to the scoped computer is required to collect registry information.

SharePoint Online

An account with access to the discovery target tenant. Administrator permissions are required for collection of all SharePoint Online site collections, including tenant settings and policies, site information, and permissions. A SharePoint administrator role is recommended.

Additionally, the discovery credentials must have site collection administrator rights to each site collection that is being collected. If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter SharePoint Online application required for this discovery.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen