Set the minimum permissions for the Active Administrator agent on 2008 Domain Controllers
In some environments it is not permissible to run the Active Administrator Agent service under an account that belongs to the Administrators group. This document shows how to configure a regular domain user account with the minimum permissions required to run the Active Administrator Agent service on Windows Server 2008 domain controllers (DCs).
The primary function of the Active Administrator Agent is to read the Security log on a domain controller. Regular domain users do not have this permission, so it has to be granted explicitly. Windows Server 2008 DCs include a built-in group called “Event Log Readers”; its members can read all event logs on the machine, including the Security log. Note that on a domain controller the Builtin groups are domain-local groups shared by every DC in the domain, so adding the account here gives it read access to the Security log on all DCs, not only the one you are working on. The first step is to add the Agent service account to this group (figure 1).
Because the Active Administrator Agent is a Windows service, the account that runs it must hold the “Log on as a service” user right, so this right must also be granted to the Agent service account. To do this, open the Local Security Policy console on the domain controller: click Start > Administrative Tools > Local Security Policy, expand Local Policies, select the “User Rights Assignment” node in the left pane and double-click “Log on as a service”. Add the agent service account to the list (figure 2). If a Group Policy Object linked to the Domain Controllers OU (for example the Default Domain Controllers Policy) already defines this right, the domain setting overwrites the local one at the next policy refresh; in that case add the account in that GPO instead of in the local policy.
The Agent service also requires permission to write events to the SQL database. This permission is granted to a group called AA_Admin, which is either a local group on the SQL Server or a domain group; the group is created by the database wizard when the Active Administrator database is created. Add the Agent service account to this group (figure 3).
The Agent service account also requires Full Control permission on the Active Administrator Agent service install path, “C:\Windows\SLAgent” (figures 4 and 5). Grant it on that folder only: Full Control includes the right to change permissions and take ownership, so it should not be applied higher up in the C:\Windows tree.
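The four steps above can also be applied from an elevated PowerShell prompt on the domain controller, which is useful when the same configuration has to be repeated on every DC. The script below is an added example and is not part of the original article or of the Active Administrator product; the domain name CONTOSO, the service account name svc-aaagent and the temporary file locations are assumptions, and it assumes AA_Admin is a domain group (the alternative for a local group on the SQL Server is shown in a comment). The “Log on as a service” right is granted with secedit, by exporting the current user-rights template, appending the account to SeServiceLogonRight, and re-applying it; the same GPO caveat as in the text applies, because a domain GPO that defines the right will overwrite this local setting.

```powershell
# Added example, not code from the original article or from Active Administrator.
# Run from an elevated PowerShell prompt on a Windows Server 2008 DC.
# Assumed values (adjust to your environment):
$Domain      = 'CONTOSO'                 # assumption
$SamName     = 'svc-aaagent'             # assumption: the Agent service account
$Account     = "$Domain\$SamName"
$InstallPath = 'C:\Windows\SLAgent'      # install path named in the article

# 1. Security log read access. Event Log Readers is a Builtin (domain-local)
#    group on a DC, so it is managed with 'net localgroup' even on a DC and the
#    membership is effective on every DC in the domain.
net localgroup "Event Log Readers" $Account /add

# 2. 'Log on as a service' (SeServiceLogonRight) via secedit.
$Tmp = Join-Path $env:TEMP 'aa-userrights'    # assumption: scratch location
New-Item -ItemType Directory -Path $Tmp -Force | Out-Null
$Inf = Join-Path $Tmp 'rights.inf'
$Db  = Join-Path $Tmp 'rights.sdb'

# Export only the user-rights area of the current local policy.
secedit /export /cfg $Inf /areas USER_RIGHTS | Out-Null

$Key      = 'SeServiceLogonRight'
$Lines    = Get-Content $Inf
$Existing = $Lines | Where-Object { $_ -match ('^' + $Key + '\s*=') }

if ($Existing) {
    # Right already assigned to someone: append our account unless it is
    # already listed by name (secedit may list existing holders as *SIDs).
    if ($Existing -notmatch [regex]::Escape($Account)) {
        $Lines = $Lines -replace ('^(' + $Key + '\s*=.*)$'), ('$1,' + $Account)
    }
} else {
    # Right currently assigned to nobody: add the line under [Privilege Rights].
    $Lines = $Lines -replace '^\[Privilege Rights\]$',
                             ("[Privilege Rights]`r`n" + $Key + ' = ' + $Account)
}

# secedit templates are Unicode; write it back the same way and apply it.
Set-Content -Path $Inf -Value $Lines -Encoding Unicode
secedit /configure /db $Db /cfg $Inf /areas USER_RIGHTS | Out-Null

# 3. Membership of AA_Admin so the agent can write to the SQL database.
#    Domain group (assumed here):
net group AA_Admin $SamName /add /domain
#    If AA_Admin is instead a local group on the SQL Server, run this there:
#    net localgroup AA_Admin CONTOSO\svc-aaagent /add

# 4. Full Control on the install folder only, inherited by its contents
#    ((OI) object inherit, (CI) container inherit, F = Full Control).
icacls $InstallPath /grant ("${Account}:(OI)(CI)F")

# Verification: re-export the user rights and show the resulting state.
secedit /export /cfg $Inf /areas USER_RIGHTS | Out-Null
Get-Content $Inf | Where-Object { $_ -match ('^' + $Key) }
net localgroup "Event Log Readers"
icacls $InstallPath
```

The user right takes effect for new logon sessions, so the Agent service must be (re)started after the script runs for the service account to pick it up. The script does not change which account the service runs under; that is done in the service's Log On properties as usual, and setting it there also adds the “Log on as a service” right if it is missing, but only in the local policy, which is why the GPO check above still matters.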