In addition to the permissions required for the hybrid agent, the service account used by the Collect Active Directory object data action must be a member of the Domain Admins group to assess the following pre-defined vulnerabilities and any vulnerabilities created using the same template:

  • Domain Controller is running SMBv1 protocol

  • Printer Spooler service is enabled on a domain controller

  • DNS zone configuration allows anonymous record updates

For the vulnerability gMSA root key access, the account must be a member of the Domain Admins or Enterprise Admins group.

If the required permission is not granted, Assessment results for these vulnerabilities are returned as Inconclusive.
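
A pre-flight check for the group memberships described above, as an added example that is not part of the product's own tooling. It assumes the ActiveDirectory PowerShell module is installed and that the service account is a user object in the current domain; the account name svc-assess is a placeholder.

```powershell
# Added example: reports whether the assessment service account holds the
# group memberships this page requires. Not the product's own code.
param(
    # Placeholder sAMAccountName (assumption); replace with your service account.
    [string]$ServiceAccount = 'svc-assess'
)
Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the groups by well-known RID so renamed or localized groups still match.
$domainSid = (Get-ADDomain).DomainSID.Value
$rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
$domainAdmins     = "$domainSid-512"   # Domain Admins
$enterpriseAdmins = "$rootSid-519"     # Enterprise Admins (lives in the forest root domain)

# tokenGroups is a constructed attribute holding the SIDs of every group the
# account belongs to, including nested memberships and the primary group.
$user = Get-ADUser -Identity $ServiceAccount -Properties tokenGroups
$sids = @($user.tokenGroups | ForEach-Object { $_.Value })

$isDA = $sids -contains $domainAdmins
$isEA = $sids -contains $enterpriseAdmins

# Vulnerability names as listed on this page, with the membership that satisfies each.
$checks = [ordered]@{
    'Domain Controller is running SMBv1 protocol'               = $isDA
    'Printer Spooler service is enabled on a domain controller' = $isDA
    'DNS zone configuration allows anonymous record updates'    = $isDA
    'gMSA root key access'                                      = ($isDA -or $isEA)
}

foreach ($name in $checks.Keys) {
    [pscustomobject]@{
        Vulnerability = $name
        Status        = if ($checks[$name]) { 'Membership requirement met' }
                        else { 'Inconclusive (missing group membership)' }
    }
}
```

The check covers only the group memberships named here; the hybrid agent permissions still have to be in place separately.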