ADAudit Plus Service Account Configuration

ADAudit Plus starts auditing activities as soon as Domain Admin credentials are provided. If you do not want to provide Domain Admin credentials, follow the steps laid out in this guide to set up a service account with only the least privileges required for auditing your environment.

  • 1. New user, group, and GPO creation
    1.1 Create a new user
    • Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Right click on your domain → New → User → Name the user "ADAudit Plus".
    1.2 Create a new group
    • Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Right click on your domain → New → Group → Name the group "ADAudit Plus Permission Group".
    • Add all the audited computers as members of the "ADAudit Plus Permission Group": Right click on the "ADAudit Plus Permission Group" → Properties → Members → Add all the Domain Controllers, Windows servers, and workstations that you wish to audit.
    1.3 Create a new domain level GPO and link it to all the audited computers

    Since configuring permissions on individual computers is an elaborate process, a domain level GPO is created and applied on all monitored computers.

    • Log in to your Domain Controller with Domain Admin privileges.
    • Create a new domain level GPO:
    • Open the Group Policy Management Console → Right click on your domain → Create a GPO in this domain and link it here → Name the GPO "ADAudit Plus Permission GPO".

    • Remove Apply group policy permission for Authenticated Users group:
    • Click on the "ADAudit Plus Permission GPO" → Navigate to the right panel, click on the Delegation tab → Advanced → Click on Authenticated Users → Remove the Apply group policy permission.

    • Add the "ADAudit Plus Permission Group" to the security filter settings of the "ADAudit Plus Permission GPO":
    • Open the Group Policy Management Console → Domain → Select the "ADAudit Plus Permission GPO" → Navigate to the right panel, click on the Delegation tab → Advanced → Add "ADAudit Plus Permission Group".

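The three steps of section 1 as an added PowerShell example (not ManageEngine's own script), run on a Domain Controller with the ActiveDirectory and GroupPolicy modules. The logon name `adauditplus` and the computer filter are assumptions; the object names are the guide's.

```powershell
# Added example, not ManageEngine's own script: performs section 1 with the
# ActiveDirectory and GroupPolicy modules on a domain controller.
# Assumptions: sAMAccountName 'adauditplus' for the "ADAudit Plus" user, and a
# computer filter that you narrow to the machines you actually audit.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain     = Get-ADDomain
$UserName   = 'ADAudit Plus'                  # display name used by the guide
$SamAccount = 'adauditplus'                   # assumed logon name (no spaces)
$GroupName  = 'ADAudit Plus Permission Group'
$GpoName    = 'ADAudit Plus Permission GPO'

# 1.1 Service account. Prompting keeps the password out of the script.
$Password = Read-Host -Prompt "Password for $SamAccount" -AsSecureString
New-ADUser -Name $UserName -SamAccountName $SamAccount `
    -UserPrincipalName "$SamAccount@$($Domain.DNSRoot)" `
    -AccountPassword $Password -Enabled $true

# 1.2 Group of audited computers. Assumed default: every Windows computer
# object, domain controllers included. Restrict the filter to what you audit.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
$Audited = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"'
Add-ADGroupMember -Identity $GroupName -Members $Audited

# 1.3 Domain-level GPO linked at the domain root, security-filtered to the group.
New-GPO -Name $GpoName | New-GPLink -Target $Domain.DistinguishedName -LinkEnabled Yes
# Replace Authenticated Users' default Read + Apply with Read only. Read must
# stay: since MS16-072 the computer account reads GPOs, and a GPO it cannot
# read is silently not applied.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# Checks: who can apply the GPO, and which groups the account ended up in
# (it should not appear in Domain Admins or any other privileged group).
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { "{0}: {1}" -f $_.Trustee.Name, $_.Permission }
Get-ADPrincipalGroupMembership -Identity $SamAccount | Select-Object -ExpandProperty Name
```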
  • 2. Privileges/permissions required for event log collection
    2.1 Grant the user the Manage auditing and security log right

    The Manage auditing and security log right allows the user to define object level auditing.

    • Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "ADAudit Plus Permission GPO" → Edit.
    • In the Group Policy Management Editor → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
    • Navigate to the right panel, right click on Manage auditing and security log → Properties → Add the "ADAudit Plus" user.
    2.2 Make the user a member of the Event Log Readers group

    Members of the Event Log Readers group can read the event logs of all the audited computers.

    • For Domain Controllers:
    • Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Builtin container → Navigate to the right panel, right click on Event Log Readers → Properties → Members → Add the "ADAudit Plus" user.

    • For other computers (Windows servers and workstations):
    • a. Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "ADAudit Plus Permission GPO" → Edit.

      b. In the Group Policy Management Editor → Computer Configuration → Preferences → Control Panel Settings → Right click on Local Users and Groups → New → Local Group → Select the Event Log Readers group under Group name → Add the "ADAudit Plus" user.

  • 3. Privileges/permissions required for automatic audit policy and object level auditing configuration
    3.1 Privileges/permissions required for Domain Controller auditing configuration

    Granting the service account the following privileges/permissions allows ADAudit Plus to automatically configure the required audit policy and object level auditing settings in your environment. ADAudit Plus does this by pushing the required settings via GPO to the group that contains all the monitored computers.

    • Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → click on Default Domain Controllers Policy → Navigate to the right panel, click on the Delegation tab → Add the ADAudit Plus User → Provide permission to Edit settings, delete, modify security.
    3.2 Privileges/permissions required for member server, workstation, and file server auditing configuration
    3.2.1 Make the user a member of the Group Policy Creator Owners group
    • Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Click on Users → Navigate to the right panel, right click on the Group Policy Creator Owners group → Add the "ADAudit Plus" user as a member.
    3.2.2 Grant the user group management permissions
    • Log in to your Domain Controller with Domain Admin privileges → Open Active Directory User and Computers.
    • Click on View and ensure that Advanced Features is enabled. This will display the advanced security settings for selected objects in Active Directory Users and Computers.

    • Right click on Users → Properties → Security → Advanced → Auditing → Add → In the Auditing Entry window, Select a principal: ADAudit Plus user → Type: Success → Applies to: This object and all descendant objects → Select permissions: Create group objects and Delete group objects.
    • Note: Use Clear all to remove all permissions and properties before selecting the mentioned permissions.

    • From the Active Directory User and Computers console → Right click on Users → Properties → Security → Advanced → Auditing → Add → In the Auditing Entry window → Select a principal: ADAudit Plus user → Type: Success → Applies to: Descendant group objects → Select property: Write members.
    • Note: Use Clear all to remove all permissions and properties before selecting the mentioned property.

  • 4. Privileges/permissions required for file server auditing
    4.1 Make the user a member of the Power Users group

    Members of the Power Users group will be able to discover shares residing on Windows file servers.

    • Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "ADAudit Plus Permission GPO" → Edit.
    • In the Group Policy Management Editor → Computer Configuration → Preferences → Control Panel Settings → Right click on Local Users and Groups → Add Local Group.
    • In the New Local Group Properties wizard, select Update under Action → Select the Power Users group under Group name → Add the "ADAudit Plus" user.
    4.2 Grant the user Read permission on all audited shares

    There are two ways to grant the user Read permission on all the audited shares:

    • Make the user a member of the local Administrators group.
    • a. Log in to any computer with Domain Admin privileges → Open MMC console → File → Add/Remove Snap-in → Select Local Users and Groups → Add → Another computer → Add target computer.

      b. Select target computer → Open Local Users and Groups → Select Groups → Right click on Administrators → Properties → Add the "ADAudit Plus" user.

      c. Repeat the above steps for every audited Windows file server/cluster.

    • Grant the user both Share and NTFS, Read permission on every audited share.
    • a. Login to any computer with Domain Admin privileges → Open MMC console → File → Add/Remove Snap-in → Select Shared Folders → Add → Another computer → Add target computer

      b. Select target computer → Select share → Right click → Properties → Security → Edit → Add the "ADAudit Plus" user → Provide both Share and NTFS Read permission.

      c. Repeat the above steps for every audited share.

    4.3 Grant the user DCOM and WMI permissions

    Note: DCOM and WMI permissions are needed for file cluster auditing and WMI mode of event collection, respectively.

    • Granting DCOM permission:
    • a. Log in to any computer with Domain Admin privileges → Open Component Services → Connect to target computer → Right click on target computer → Properties → COM Security.

      b. Navigate to Launch and Activation Permissions → Edit Limits → Security Limits → Add the "ADAudit Plus" user and grant all permissions.

      c. Repeat the steps for every audited computer.

    • Granting WMI permission:
    • a. Log in to any computer with Domain Admin privileges → Run wmimgmt.msc → Right click on WMI Control → Connect to target computer.

      b. Right click on WMI Control (target computer) → Properties → Security → CIMV2 → Security → Add the "ADAudit Plus" user and grant all permissions.

      c. Repeat the steps for every audited computer.

  • 5. Other privileges/permissions required
    • Grant the user Read permission over the SYSVOL folder:
    • Full control over the SYSVOL folder is needed for GPO Settings change auditing.
      Log in to your Domain Controller with Domain Admin privileges → Locate the SYSVOL folder → Right click → Properties → Security → Edit → Add the "ADAudit Plus" user → Provide both Share and NTFS Read permission.

    • Grant the user Full control over the product installation folder
    • Full control over the product installation folder is needed for ADAudit Plus to write in the database.

      Log in to the computer where ADAudit Plus is installed with Domain Admin privileges → Locate the product installation folder → Right click → Properties → Security → Edit → Add the "ADAudit Plus" user and provide Full control.

    • Grant the user Full control over ADAudit Plus' archive folder:
    • Full control over the archive folder is needed for storing and retrieving archived data from the database.

      To find out the location of the Archive folder: Open ADAudit Plus → Admin → Archive Events → Scroll down to see the location.


      Log in to the target computer with Domain Admin privileges → Locate the folder → Right click on the folder → Properties → Security → Edit → Add the "ADAudit Plus" user → Provide both Share and NTFS Full control permission.

    • Grant the user Full control over all ADAudit Plus Scheduled Reports folders:
    • Full control over a Scheduled Reports folder is needed for saving the scheduled report in the specified location.

      To find out the location of a Scheduled Reports Folder: Open ADAudit Plus → Admin → Schedule Reports → Modify Schedule Report → Scroll down to see the location.

      Log in to the target computer with Domain Admin privileges → Locate the folder → Right click on the folder → Properties → Security → Edit → Add the "ADAudit Plus" user → Provide both Share and NTFS Full control permission. Repeat the steps on all Scheduled Reports folders.

    • Grant the user Read and Execute permission over all ADAudit Plus' Alert Script folders:
    • Read and Execute permissions on an alert script folder are needed for executing script files once an alert gets triggered.

      To find out the location of a folder: Open ADAudit Plus → Configuration → Modify Alert Profile → Scroll down to see the location.

      Log in to the target computer with Domain Admin privileges → Locate the folder → Right click on the folder → Properties → Security → Edit → Add the "ADAudit Plus" user → Provide both Share and NTFS Read and Execute permissions. Repeat the steps on all Alert Script folders.

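The folder grants of sections 4.2 and 5 (NTFS rights plus matching share rights) as one added PowerShell helper, not ManageEngine's own script; it runs on the computer that hosts the folder. The account name, the SYSVOL path and the product folder paths are placeholders to replace with your own.

```powershell
# Added example, not ManageEngine's own script: grants NTFS rights on a folder
# and, when the folder is shared, matching share rights (sections 4.2 and 5).
# Account name and folder paths below are placeholders; run on the host itself.
function Grant-FolderAccess {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # e.g. 'CONTOSO\adauditplus'
        [Parameter(Mandatory)] [string] $Path,       # local path of the folder
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights,
        [ValidateSet('Read','Change','Full')] [string] $ShareRight  # omit if not shared
    )
    # NTFS: inherit to subfolders and files so new archive/report files are covered.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Share: only when a share points at this path and a share right was requested.
    if ($ShareRight) {
        Get-SmbShare | Where-Object { $_.Path -eq $Path } | ForEach-Object {
            Grant-SmbShareAccess -Name $_.Name -AccountName $Identity `
                -AccessRight $ShareRight -Force | Out-Null
        }
    }
}

# Section 5 grants as the guide lists them (paths are assumptions).
$acct = 'CONTOSO\adauditplus'
Grant-FolderAccess -Identity $acct -Path "$env:SystemRoot\SYSVOL\sysvol" `
    -Rights ReadAndExecute -ShareRight Read
Grant-FolderAccess -Identity $acct -Path 'C:\Program Files\ManageEngine\ADAudit Plus' `
    -Rights FullControl
Grant-FolderAccess -Identity $acct -Path 'D:\ADAuditPlus\Archive' `
    -Rights FullControl -ShareRight Full
Grant-FolderAccess -Identity $acct -Path 'D:\ADAuditPlus\AlertScripts' `
    -Rights ReadAndExecute -ShareRight Read

# Check: the entries the account now holds on one folder.
(Get-Acl -Path 'D:\ADAuditPlus\Archive').Access |
    Where-Object { $_.IdentityReference -eq $acct } |
    Select-Object FileSystemRights, InheritanceFlags, AccessControlType
```

For section 4.2's audited shares, call the function once per share path with `-Rights Read -ShareRight Read`.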