Return
-
Title
What are the services privilege requirements? -
Description
What are the services privilege requirements? -
Resolution
The Domain Administrator account provides the necessary permissions for the various Active Administrator services to operate properly.
When choosing an account, keep these requirements in mind:
- Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. For more detailed permission requirements, see Active Administrator module requirements.
- Active Administrator Data Services (ADS) requires an account that is a member of the AA_Users group, has read access to the enterprise, and has full access on the server where the Active Directory Health Analyzer agent is installed. For more detailed permission requirements, see Active Administrator Data Services (ADS) requirements.
- Active Administrator Advanced Auditing runs as the Local System account, regardless of the user account configured for the Active Administrator Agent service.
- Active Administrator Agent can run under a Domain User account provided it is a local administrator account, which gives it the rights to log on as a service, log on locally and manage auditing and security log. The user account should also be a member of the AA_Admin group, which by default is located in the Local groups of the server where the ActiveAdministrator database is located. If the group is not found in this location, the settings during the initial database creation were modified and it can be found under the Users container object of Active Directory.
- Active Administrator Agent can run under a non-domain admin user account if the following permissions are set.
To set up a non-domain admin user account- Create a Domain User account within Active Directory Users and Computers.
- Use Group Policy Management console (GPMC) to edit the Default Domain Controller Group Policy Object. Give the user account User Rights to Manage auditing and security log.
- On the target domain controllers, give the user account Read permission to the registry key: HKLM\System\CurrentControlSet\Services\Eventlog\Security.
- After the agent is installed, verify the user account has Write permission on the folder: C:\Windows\SLAgent.
NOTE: For more detailed instructions, see https://support.quest.com/active-administrator/kb/4316887/how-to-configure-a-non-domain-admin-audit-agent-service-account .- Active Administrator Notification service needs to have access to the database.