What rights and permissions are required for the account under which the Netwrix Auditor – Active Directory is running?
The following rights and permissions are required:
1. The account under which the Netwrix Auditor – Active Directory scheduled task will run must have:
- The local administrator's rights (*) on the machine where the product is installed
- Sufficient permissions to query the entire Active Directory Schema (in most cases Domain user is enough)
- Manage auditing and security log user right enabled on all DCs (if the product is run under a Domain Administrator account, this right is enabled by default). This is necessary to collect and report on objects' security changes. Adjust the Domain Controller Security Policy accordingly
- Content Manager role for the Home folder on SSRS. (**)
- db_owner role for the product SQL database
2. The account you will use to view reports in the Reports Manager must have the Browser role for the Home folder on SSRS. (**)
3. If you are going to collect data using agents, the account under which the Netwrix Auditor – Active Directory is running must be a member of the Domain Administrators group. (**)
4. If you are going to use the Active Directory Restore Object Wizard and the Audit Configuration Wizard, the account must be a member of the Domain Administrators group.
(*) Local administrator rights can be replaced with the following permissions:
- Full Control to the C:\ProgramData\Netwrix folder
- Full Control to the C:\Program Files (x86)\Netwrix folder (C:\Program Files\Netwrix for x86 systems)
- Full Control to the C:\Windows\Tasks folder
- Full Control to the C:\Program Files (x86)\Common Files\NetWrix folder (C:\Program Files\Common Files\NetWrix for x86 systems)
- Full Control to the HKLM\SOFTWARE\Wow6432Node registry key
- Log on as a service policy right
- Log on as a batch job policy right
(**) – Applicable to the product's Enterprise Edition only.
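
As an added example (not part of the original article and not Netwrix's own tooling), the following PowerShell script checks on the product host whether an account holds the (*) permissions listed above in place of local administrator rights. The account name CONTOSO\svc-netwrix is a hypothetical placeholder, the paths assume the 64-bit layout, and only permissions granted to the account directly (not through group membership) are counted.

```powershell
# Added example, not vendor code. $Account is a hypothetical placeholder.
param([string]$Account = 'CONTOSO\svc-netwrix')

$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Folders and registry key from the (*) list, 64-bit layout.
$targets = @(
    'C:\ProgramData\Netwrix',
    'C:\Program Files (x86)\Netwrix',
    'C:\Windows\Tasks',
    'C:\Program Files (x86)\Common Files\NetWrix',
    'HKLM:\SOFTWARE\Wow6432Node'
)

# Looks for an Allow ACE naming the account itself that carries FullControl.
# Access obtained through group membership is deliberately not counted.
function Test-FullControl([string]$Path, [string]$AccountSid) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $mine = $rule.IdentityReference.Value -eq $AccountSid
        if (-not $mine -or $rule.AccessControlType -ne 'Allow') { continue }
        # Folder ACEs expose FileSystemRights, registry ACEs RegistryRights.
        $rights = if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rule.RegistryRights } else { $rule.FileSystemRights }
        if ("$rights" -match 'FullControl') { return 'OK' }
    }
    return 'NotGranted'
}

$report = foreach ($t in $targets) {
    [pscustomobject]@{ Item = $t; Status = Test-FullControl $t $sid }
}
# User rights: export the local security policy (needs an elevated prompt).
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = @{ SeServiceLogonRight = 'Log on as a service'
             SeBatchLogonRight   = 'Log on as a batch job' }
$report += foreach ($name in $policy.Keys) {
    $entry = Select-String -Path $inf -Pattern "^$name\s*=" | Select-Object -First 1
    $holders = @()
    if ($entry) { $holders = ($entry.Line -split '=', 2)[1] -split ',' |
                      ForEach-Object { $_.Trim().TrimStart('*') } }
    $ok = ($holders -contains $sid) -or ($holders -contains $Account)
    [pscustomobject]@{ Item = $policy[$name]; Status = if ($ok) { 'OK' } else { 'NotGranted' } }
}
Remove-Item $inf
$report | Format-Table -AutoSize
```

A status of NotGranted for an account that works in practice usually means the permission comes from a group; review that group's membership before relying on it for a service account.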