
Enterprise Reporter 3.2.2 - Configuration Manager User Guide


Finding Answers and Getting Help

When using Enterprise Reporter, you can press F1 from any screen for help. The documentation included with Enterprise Reporter will open and display the section of documentation most relevant to the screen you are viewing.

The Help menu provided in Enterprise Reporter also addresses frequently asked questions related to the screen you are viewing. Clicking any of the topics provided displays the related section of documentation.

See also:

Enterprise Reporter also provides a tool for searching knowledge articles and community discussions.

1. Click the link for Online Support in the header bar of the console.
2. Select whether to search Knowledge Articles, Community Discussions, or both.
4. Press Enter or click the search icon.

An Overview of Enterprise Reporter Communications and Credentials Required

There are many communication channels in Enterprise Reporter, involving different sets of credentials. This allows for controlled access to your environment, but you must understand where each set of credentials is used, and what permissions it needs.

Figure 4 outlines where each of the credentials is used and for what purpose, and the following tables explain the necessary permissions. For information on managing the credentials used in the Configuration Manager, see Using the Credential Manager.


Node Credential and Alternate Credential Details for On-Premises Discoveries

Node credentials are provided when a discovery node is created, and you can modify them as needed. By default, the node’s credentials are used to enumerate scopes and access on-premises targets.

If you want to use different credentials for a particular discovery, you can configure them in the Discovery Wizard. By using these alternate credentials, you can target anything on-premises for which you have credentials, in any domain. You can minimize the permissions given to node credentials, and use alternate credentials for scoping and collecting your on-premises discoveries.

The following table outlines the use of the node and alternate credentials, and how to properly configure your environment to ensure successful data collection:

Discovery Node

Enterprise Reporter Server

Provide server with job status, errors, statistics and logs.

Configured during node creation, or when you edit the node properties to change the credentials.

The node credentials must have local administrator access to the host computer and be a member of the group “Reporter_Discovery_Nodes”.

Discovery Node

Shared Data Location (if the cluster is configured to use one)

Read and write to the shared data location during data collection.

The shared data location is configured during the creation of a cluster. Ensure the node has read and write access to this file share. For more information, see Things to Consider Before Creating a Cluster.


Discovery Node

Enterprise Reporter Database

There are two options for communicating with the database:

1. You can use the same service credentials that the node service uses.

2. You can specify SQL credentials only for use when the database is accessed.

The credentials you choose must be able to read and write to the database.

The account must be in the Reporter_Discovery_Nodes security group. (Note that if you use the same account as the Enterprise Reporter server it is already permissioned appropriately). For more information, see Role Based Security in Enterprise Reporter and Configuring the Database in the Quest Enterprise Reporter Installation and Deployment Guide in the Technical Documentation.

If you use SQL authentication to connect with the database, you must manually permission the SQL user, either by adding them to the database role Discovery_Nodes_Role or by permissioning specific tables in the database.

Discovery Node

Targets

Read access on all targets.

For on-premises discoveries, all domains with which the credentials have a forest or domain level trust will be enumerated.

If required, you can configure alternate credentials for specific discoveries, instead of using the default node credentials.

The targets are defined as part of a discovery. The discovery tasks are assigned to a particular node based on availability, so all nodes in a cluster should have access to all targets defined in all discoveries assigned to the node’s cluster.

For on-premises discoveries, ensure the node credentials or alternate credentials have read access to the target. In addition, a trust is required between the node computer and the targets.

For more information on Azure and Office 365 Discoveries, see Detailed Permissions for Enterprise Reporter Discoveries.
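For the SQL authentication option in the Discovery Node to Enterprise Reporter Database row above, the following T-SQL is an added example (not part of the Quest documentation) that places a SQL user in Discovery_Nodes_Role and then checks what access that user actually holds. The database name ER_DB_PLACEHOLDER and the login/user name er_node_sql are placeholders assumed for illustration; only the role name comes from this guide.

```sql
-- Added example. Assumptions (not from the guide): the database is called
-- ER_DB_PLACEHOLDER and a SQL login named er_node_sql already exists.
-- Discovery_Nodes_Role is the database role named in the guide.
USE [ER_DB_PLACEHOLDER];
GO

-- Map the SQL login to a database user if it is not mapped yet.
IF NOT EXISTS (SELECT 1
               FROM sys.database_principals
               WHERE name = N'er_node_sql' AND type = 'S')
    CREATE USER [er_node_sql] FOR LOGIN [er_node_sql];
GO

-- Grant access through the role instead of per-table grants.
ALTER ROLE [Discovery_Nodes_Role] ADD MEMBER [er_node_sql];
GO

-- Check 1: every database role the user belongs to.
-- Membership in anything broader than Discovery_Nodes_Role
-- (db_owner, for example) exceeds what this row of the guide asks for.
SELECT r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r
     ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS u
     ON u.principal_id = drm.member_principal_id
WHERE u.name = N'er_node_sql';

-- Check 2: permissions granted directly to the user.
-- CONNECT at the DATABASE class is expected; object-level rows here
-- mean access exists outside the role and should be reviewed.
SELECT permission_name,
       state_desc,
       class_desc,
       OBJECT_NAME(major_id) AS object_name
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID(N'er_node_sql');
```

Running the two checks again after any change to the node's database credentials confirms that the account still reaches the data only through the role.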

 

Detailed Permissions for Enterprise Reporter Discoveries

The following table outlines the permissions required for Enterprise Reporter discoveries.

Active Directory

An account with Active Directory read permissions is required to collect domain information, trusts, sites, domain controllers, and Active Directory computers, users, groups, and organizational units.

The account being a member of the Built-in Domain Users group is sufficient to assign read permissions.

Azure Active Directory

An identity with read permission for the discovery target tenant. Read permissions are required for collection of tenant information, Azure Active Directory users, groups, group members, roles, and service principals.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter Azure application required for this discovery. For more information, see Using the Tenant Application Manager.

Azure Resource

An identity with read permissions for the discovery target tenant. Read permissions are required for collection of subscriptions, resource groups, and resources.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter Azure Resource application required for this discovery. For more information, see Using the Tenant Application Manager.

Computer

An account with local administrator access on the scope computers to collect computer information, local groups and users, printers, services, policies, and event logs.

Exchange

To collect from Exchange targets, the credential account must have a mailbox on the target organization with access to read the permissions on the targets through EWS.

To collect from Exchange 2013, 2016, or Mixed Modes, the credentials must be a member of the Organization Management Group.

To collect from Exchange 2016 or Exchange 2019, the credentials must have an administrator role with an assigned “ApplicationImpersonation” role.

Exchange Online

An account with access to the discovery target tenant.

Read permission is required for collection of all Exchange Online information including mailboxes, mailbox delegates, public folders, mail-enabled users, mail contacts, distribution groups, group members, and permissions.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

File Storage Analysis

An account with local administrator access on the scoped computer is required to collect file, folder, share, and home drive analysis data.

For permissions required when collecting NAS devices, see Permissions for Enterprise Reporter Discoveries on NAS Devices.

Microsoft SQL

An account with local administrator access on the SQL Server is required.

Additionally, the account must have read access to the scoped database to collect database information.

At a minimum, if not using fixed roles, the following SQL permissions are required on the securable object being used for collection.

Microsoft Teams

An identity with read permissions for the discovery target tenant. Read permissions are required for collection of Microsoft Teams information including teams, members, channels, applications, and drives.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter Microsoft Teams application required for this discovery. For more information, see Using the Tenant Application Manager.

NTFS

If collecting through the administrator share, an account with local administrator access to the scoped computer is required.

If collecting through a network share, an account with read permissions to the scoped shares is required.

For permissions required when collecting NAS devices, see Permissions for Enterprise Reporter Discoveries on NAS Devices.

OneDrive

An account with access to the discovery target tenant. Administrator permissions are required for collection of all drives including drive information, configuration settings, files, folders, and permissions. A SharePoint administrator role is recommended.

Additionally, the discovery credentials must have site collection administrator rights to each drive that is being collected.

If additional credentials are being specified to minimize Azure throttling limitations, these credentials must have the same permissions as stated above.

Also refer to credentials required to create and consent to the Enterprise Reporter OneDrive application required for this discovery. For more information, see Using the Tenant Application Manager.


Registry

An account with local administrator access to the scoped computer is required to collect registry information.
