4. Privileges/permissions required for file server auditing

4.1 Make the user a member of the Power Users group

Members of the Power Users group will be able to discover shares residing on Windows file servers.

  • Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "ADAudit Plus Permission GPO" → Edit.
  • In the Group Policy Management Editor → Computer Configuration → Preferences → Control Panel Settings → Right click on Local Users and Groups → Add Local Group.
  • In the New Local Group Properties wizard, select Update under Action → Select Power Users group under group name → Add the "ADAudit Plus" user.

3.2 Grant the user Group Management permissions

  • Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Right click on Users → Properties → Security → Advanced → Add "ADAudit Plus" user → Grant Create Group objects and Delete Group objects permissions.

  • Right click on group ADAuditPlusFS → Properties → Managed By → Add "ADAudit Plus" user.
  • Right click on group ADAuditPlusWS → Properties → Managed By → Add "ADAudit Plus" user.

4.2 Grant the user Read permission on all audited shares

There are two ways to grant the user Read permission on all the audited shares:

  • Make the user a member of the local Administrators group.
    • Log in to any computer with Domain Admin privileges → Open MMC console → File → Add/Remove Snap-in → Select Local Users and Groups → Add → Another computer → Add target computer
    • Select target computer → Open Local Users and Groups → Select Groups → Right click on Administrators → Properties → Add "ADAudit Plus" user.
    • Repeat the above steps for every audited Windows file server/cluster.

  • Grant the user both Share and NTFS Read permission on every audited share.
    • Log in to any computer with Domain Admin privileges → Open MMC console → File → Add/Remove Snap-in → Select Shared Folders → Add → Another computer → Add target computer
    • Select target computer → Select share → Right click → Properties → Security → Edit → Add the "ADAudit Plus" user → Provide both Share and NTFS Read permission.
    • Repeat the above steps for every audited share.
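
The following read-only PowerShell check is an added example, not part of the original guide or the product: it reports, per audited share, whether the account ended up in Power Users (4.1) or local Administrators, and which Share and NTFS rights name it explicitly (4.2). The account name and server names are placeholders, and PowerShell remoting to the file servers is assumed; access inherited through nested groups is not resolved.

```powershell
# Added example: read-only check of what sections 4.1 and 4.2 configure.
# Assumptions (not from the page): the account name and the server list.
$Account = 'CONTOSO\svc-adaudit'      # placeholder for the "ADAudit Plus" user
$Servers = 'FS01', 'FS02'             # placeholder audited file servers

$report = Invoke-Command -ComputerName $Servers -ArgumentList $Account -ScriptBlock {
    param($Account)

    # True if $Account is listed directly in the named local group
    function Test-Member($Group) {
        [bool](Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
            Where-Object Name -eq $Account)
    }
    $isPowerUser = Test-Member 'Power Users'
    $isAdmin     = Test-Member 'Administrators'

    # Non-administrative shares only (C$, ADMIN$, IPC$ are skipped)
    foreach ($share in Get-SmbShare -Special $false | Where-Object Path) {
        # Share-level Allow entries that name the account explicitly
        $shareAce = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq $Account -and
                           $_.AccessControlType -eq 'Allow' }

        # NTFS Allow entries on the share root that name the account explicitly
        $ntfsAce = (Get-Acl -LiteralPath $share.Path).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account -and
                           $_.AccessControlType -eq 'Allow' }

        [pscustomobject]@{
            Share       = $share.Name
            PowerUsers  = $isPowerUser
            LocalAdmin  = $isAdmin
            ShareAccess = ($shareAce.AccessRight -join ',')
            NtfsRights  = ($ntfsAce.FileSystemRights -join ',')
        }
    }
}

# One row per share; empty ShareAccess/NtfsRights means no explicit entry
$report | Sort-Object PSComputerName, Share |
    Format-Table PSComputerName, Share, PowerUsers, LocalAdmin, ShareAccess, NtfsRights
```

A row with LocalAdmin set to True means the first option from 4.2 is in effect on that server; a row with Read in both ShareAccess and NtfsRights means the second option is in effect for that share.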

4.3 Grant the user DCOM and WMI permissions

Note: DCOM and WMI permissions are needed for file cluster auditing and WMI mode of event collection, respectively.

  • Granting DCOM permission:
    • Log in to any computer with Domain Admin privileges → Open Component Services → Connect to target computer → Right click on target computer → Properties → COM Security.
    • Navigate to Launch and Activation Permissions → Edit Limits → Security Limits → Add the "ADAudit Plus" user and grant all permissions.
    • Repeat the steps for every audited computer.

  • Granting WMI permission:
    • Log in to any computer with Domain Admin privileges → Run wmimgmt.msc → Right click on WMI Control → Connect to target computer.
    • Right click on WMI Control (target computer) → Properties → Security → CIMV2 → Security → Add the "ADAudit Plus" user and grant all permissions.
    • Repeat the steps for every audited computer.

Copyright © 2019, ZOHO Corp. All Rights Reserved.
ManageEngine