Privileges/permissions required for file server auditing
Make the user a member of the Power Users group
Members of the Power Users group will be able to discover shares residing on Windows file servers.
- Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "ADAudit Plus Permission GPO" → Edit.
- In the Group Policy Management Editor → Computer Configuration → Preferences → Control Panel Settings → Right click on Local Users and Groups → Add Local Group.
- In the New Local Group Properties wizard, select Update under Action → Select Power Users group under group name → Add the "ADAudit Plus" user.
Grant the user Read permission on all audited shares
There are two ways to grant the user Read permission on all the audited shares:
Make the user a member of the Local Administrators group.
- Log in to any computer with Domain Admin privileges → Open MMC console → File → Add/Remove Snap-in → Select Local Users and Groups → Add → Another computer → Add target computer
- Select target computer → Open Local Users and Groups → Select Groups → Right click on Administrators → Properties → Add the "ADAudit Plus" user.
- Repeat the above steps for every audited Windows file server/cluster.
Grant the user both Share and NTFS Read permissions on every audited share.
- Log in to any computer with Domain Admin privileges → Open MMC console → File → Add/Remove Snap-in → Select Shared Folders → Add → Another computer → Add target computer
- Select target computer → Select share → Right click → Properties → Security → Edit → Add the "ADAudit Plus" user → Provide both Share and NTFS Read permissions.
- Repeat the above steps for every audited share.
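The second option scripted for one file server, as an added example that is not part of the original page or the vendor's tooling: it grants Share and NTFS Read on each audited share and reads both ACLs back to confirm the result. The account name `CONTOSO\ADAuditPlus` and the share names are placeholders, and the script is assumed to run in an elevated PowerShell session on the file server itself.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). Placeholder values, replace with your own:
$Account       = 'CONTOSO\ADAuditPlus'   # assumed name of the "ADAudit Plus" user
$AuditedShares = @('Finance', 'HR')      # assumed names of the audited shares

function Grant-AuditReadAccess {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$AccountName
    )
    # Fails fast if the share does not exist on this server.
    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Share permission: Read.
    Grant-SmbShareAccess -Name $ShareName -AccountName $AccountName `
        -AccessRight Read -Force | Out-Null

    # NTFS permission: Read on the share's root folder, inherited by subfolders and files.
    $acl  = Get-Acl -Path $share.Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $AccountName, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $share.Path -AclObject $acl

    # Read both ACLs back so the output reflects what is actually in place.
    $shareAce = Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -eq $AccountName -and
                       $_.AccessControlType -eq 'Allow' }
    $ntfsAce = (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $AccountName -and
                       $_.AccessControlType -eq 'Allow' }

    [pscustomobject]@{
        Share      = $ShareName
        Path       = $share.Path
        ShareRight = ($shareAce.AccessRight -join ',')
        NtfsRights = ($ntfsAce.FileSystemRights -join ',')
    }
}

$AuditedShares | ForEach-Object {
    Grant-AuditReadAccess -ShareName $_ -AccountName $Account
} | Format-Table -AutoSize
```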
Grant the user DCOM and WMI permissions
Note: DCOM and WMI permissions are also needed for file cluster auditing.
Granting DCOM permission:
- Log in to any computer with Domain Admin privileges → Open Component Services → Connect to target computer → Right click on target computer → Properties → COM Security.
- Navigate to Launch and Activation Permissions → Edit Limits → Security Limits → Add the "ADAudit Plus" user and grant the following permissions:
  - Local Launch
  - Remote Launch
  - Local Activation
  - Remote Activation
- Repeat the steps for every audited computer.
Granting WMI permission:
Grant the user Read permission over the C$ share (\\server_name\C$):
Note: Read permission over C$ share (\\server_name\C$) is needed to access NetApp C-Mode log files.