Chat now with support
Chat with Support

Active Administrator 8.4 - Installation Guide

Installation Considerations for Active Administrator Installing and configuring Active Administrator

Data collectors requirements

The Active Directory Health module uses the Active Directory Health Analyzer agents to monitor domain controllers and presents data for you to troubleshoot issues. For the Active Directory Health Analyzer agents to acquire the necessary data, certain permissions and access are required for the Active Directory Health Analyzer agent startup account. See the Quest® Active Administrator® User Guide for more information on the Active Directory Health Analyzer agent.

To capture all data collectors accessible by the Active Directory Health Analyzer, the startup account for the Active Directory Health Analyzer agent must:

To see the specific requirements for each data collector, see Appendix A in the Quest® Active Administrator® User Guide.

Auditing & Alerts

For all Active Administrator® modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Auditing & Alerts module.

NOTE: To assign roles in Active Administrator, select Configuration | Role Based Access | New. See Defining role-based access in the Quest® Active Administrator® User Guide for detailed information.

Auditing & Alert Landing Page

Must have any of these Active Administrator roles: Audit Report Management, Audit Report Viewer, Alert Editor or Alert Viewer.

Must be a member of the AA_Users group.

Audit Reports

Must have the Active Administrator Report Viewer role to view reports.

Must have the Active Administrator Report Management role to manage reports.

Must be a member of the AA_Admins group.

Archives

Must have the Active Administrator Report Viewer role to view reports.

Must have the Active Administrator Report Management role to manage reports.

Must be a member of the AA_Admins group.

Agents

Must have the Active Administrator Full Control role.

Must be a member of the AA_Admins group and have full access to the target server.

The agent account must have read access to the security log on the target domain controller and be a member of the AA_Admins group.

Auditing Alerts

Must have the Active Administrator Report Viewer role to view alerts and alert history.

Must have the Active Administrator Alert Editor role to manage alerts.

Must be a member of the AA_Admins group.

Event Definitions

Must have the Active Administrator Full Control role.

Must be a member of the AA_Admins group.

Archive & Purging

Must have the Active Administrator Full Control role.

Must be a member of the AA_Admins group.

Group Policy

For all Active Administrator® modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Group Policy module.

NOTE: To assign roles in Active Administrator, select Configuration | Role Based Access | New. See Defining role-based access in the Quest® Active Administrator® User Guide for detailed information.

Group Policy Landing Page

Must have one of these Active Administrator roles: Group Policy Object Management, Group Policy History, or Group Policy Repository.

Must have read access to all group policies objects in the selected domains.

Must have read access to the GPORepository, GPOBackups, and RSOPPlanning folders in the Active Administrator share.

Group Policy Objects

Must have the Active Administrator Group Policy Management role.

To view GPOs, must have read access to all GPO objects in the selected domain.

To create, edit, or delete GPOs, must have the appropriate permissions on the selected GPO.

To link or unlink a GPO, must have the appropriate permissions on the target.

To backup GPOs, must have read access to the selected GPO and read/write access to the GPOBackup folder in the Active Administrator share.

To add to the repository, must have full control access to the selected GPO, including SysVol and the System/Policies in Active Directory®. Must also have read/write access to the GPORepository folder in the Active Administrator share.

Group Policy by Container

Must have the Active Administrator Group Policy Management role.

To view GPOs and GPO modeling, must have read access to all GPO objects in the selected domain.

To create, edit, delete, block, and unblock GPOs, must have the appropriate permissions on the selected GPO.

To link, unlink, or change link order, must have the appropriate permissions on the target.

To create a new OU, must have the appropriate permissions in the selected OU.

N/A

GPO Settings Search

Must have the Active Administrator Group Policy Management role.

Must have read access to the GPOBackup, GPOCache, GPORepository, and GPOHistory folders in the Active Administrator share.

Must have read access to the all of the GPOs in the managed domains.

GPO History

Must have the Active Administrator Group Policy History role.

Must have read/write access to the GPOHistory folder in the Active Administrator share and read access to all GPOs in the managed domains.

To rollback GPOs, must have full control on the selected GPO.

GPO Repository

Must have the Active Administrator Group Policy Repository role.

To add, edit, remove, check out, check in, or discard, must have full control access to the selected GPO including the SysVol and the System/Policies in Active Directory®.

Must have read/write access to the GPORepository folder in the Active Administrator share.

GPO Modeling

Must have the Active Administrator Group Policy Management role.

Must have read access to the entire directory to run the simulation.

Must have read/write access to the RSOPPlanning folder in the Active Administrator share.

GPO Backup

Must have the Active Administrator Group Policy Management role.

Must have read/write access to the GPOBackup folder in the Active Administrator share.

Must have read access to the selected GPO.

Client-side troubleshooting

Must have the Active Administrator Group Policy Management role.

Must have full access to the target computer.

N/A

Purge GPO History

Must have the Active Administrator Full Control role.

Must have read/write access to the GPOHistory folder in the Active Administrator share.

Active Directory Recovery

For all Active Administrator® modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Active Directory Recovery module.

NOTE: To assign roles in Active Administrator, select Configuration | Role Based Access | New. See Defining role-based access in the Quest® Active Administrator® User Guide for detailed information.

Recovery Landing Pages

Must have the Active Administrator Recovery role.

Must be a member of the AA_Users group.

Object Recovery

Must have the Active Administrator Recovery role.

To perform a restore, must have full access to the target and read access to the ADBackups folder in the Active Administrator share.

Must have read/write access to the ADBackups folder.

Must have read access to the entire domain.

Purge AD Backups

Must have the Active Administrator Recovery role.

Must be a member of the AA_Users group.

Must have read/write access to the ADBackups folder in the Active Administrator share.

Active Directory Infrastructure Landing Page

Must have any of these Active Administrator roles: Site Management or Trust Management.

User must have read access to the entire forest.

Must be a member of the AA_Users group.

Active Directory Sites

Must have the Active Administrator Site Management role.

Must have read access to view all sites, subnets and site links in the forest.

To create, edit or delete sites, subnets and site links, must have enterprise access.

N/A

Replication Monitoring

Must have the Active Administrator Site Management role.

Must be a member of the AA_Admins group.

Must have read access to the entire forest.

Replication Analyzer

Must have the Active Administrator Site Management role.

Must have read access to the entire forest.

N/A

Active Directory Trust

Must have the Active Administrator Trust Management role.

To view trusts, must have read access to the entire forest.

To add, edit, or delete trusts, must have the appropriate permissions in the target domain.

N/A

Related Documents