What rights and permissions are required for Data Processing Account (Netwrix Auditor 7.0 and 8.0)

Active Directory
Event Log Management
Exchange
File Server
Group Policy
Inactive User Tracker
Logon Activity
Password Expiration Notifier
Setup and Configuration
SharePoint
SQL Server
User Activity Video Recording
VMware
Windows Server
7.0-8.5
https://kb.netwrix.com/722

What rights and permissions are required for the Data Processing Account that must be specified when creating a Managed Object in Netwrix Auditor?


If you are using Netwrix Auditor 6.5, refer to the following article: Data Processing Account Rights and Permissions required for Netwrix Auditor 6.5.

The table below lists all rights and permissions that must be granted to the Data Processing Account to ensure successful data collection:
 

Audited System Required Rights and Permissions
Active Directory

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a batch job policy must be defined for this account (applied automatically)
  • A member of the local Administrators group

In the target domain:

  • A member of the Domain Admins group / the Manage auditing and security log policy must be defined for this account
  • The Read rights to the Active Directory Deleted Objects container
  • If event logs autobackup is enabled: permissions to the following registry key on each domain controller in the target domain:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
AND
a member of one of the following groups: Administrators, Print Operators, Server Operators

  • If event logs autobackup is enabled: the Share Read and Write permissions and the Security Full control permissions for the logs backup folder

Exchange

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a batch job policy defined for this account (applied automatically)
  • A member of the local Administrators group

In the target domain:

  • A member of the Domain Admins group / The Manage auditing and security log policy defined for this account
  • The Read rights on the Active Directory Deleted Objects container
  • The account must belong to the Organization Management or Records Management group / the Audit Logs management role must be assigned to this account (only required if the audited AD domain has an Exchange organization running Exchange 2010, 2013 or 2016).
  • If event logs autobackup is enabled: permissions to the following registry key on each DC in the target domain:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
AND
a member of one of the following groups: Administrators, Print Operators, Server Operators

  • If event logs autobackup is enabled: the Share Read and Write permissions and Security Full control permissions for the logs backup folder

Exchange Online

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • A member of the local Administrators group

In the Cloud:

  • To connect to Exchange Online, your personal Microsoft account must be assigned the following Exchange admin roles:
    • Audit logs
    • Mail Recipients
    • View-Only Configuration

Windows File Servers

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • A member of the local Administrators group

If the computer where the product is installed and the audited servers belong to different domains, the target computers must have accounts with the same name and password as the Data Processing Account. All these accounts must be assigned the local Administrators permissions.
On the target server:

  • The Manage auditing and security log policy must be defined for this account on a file server
  • The Read share permission on the audited shared folders

EMC Isilon

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a batch job policy defined for this account (applied automatically)
  • A member of the local Administrators group

On the target server:
NOTE: This is only required if you are going to configure EMC Isilon for auditing manually.

  • A member of the BUILTIN\Administrators group
  • The Read permissions on the audited shared folders
  • The Read permissions on the folder where audit events are logged (/ifs/.ifsvar/audit/)
  • To connect to EMC Isilon, an account must be assigned a custom role (e.g., netwrix_audit) that has the following privileges:
    • Platform API (ISI_PRIV_LOGIN_PAPI): readonly
    • Auth (ISI_PRIV_AUTH): readonly
    • Audit (ISI_PRIV_AUDIT): readonly
    • Backup (ISI_PRIV_IFS_BACKUP): readonly

Note: An account used to connect to a cluster put into compliance mode must comply with some specific requirements.

EMC Celerra/VNX/VNXe

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a batch job policy defined for this account (applied automatically)
  • A member of the local Administrators group

On the target server:

  • The Read share permissions on the audited shared folders
  • A member of the local Administrators group

NetApp Filer

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a batch job policy defined for this account (applied automatically)
  • A member of the local Administrators group

On the target server:

  • The Read share permission on the audited shared folders
  • To connect to NetApp Data ONTAP 7 or Data ONTAP 8 in 7-mode, an account must have the following capabilities:
    • login-http-admin
    • api-vfiler-list-info
    • api-volume-get-root-name 
    • api-system-cli
    • api-options-get
    • cli-cifs
  • To connect to NetApp Clustered Data ONTAP 8, an account must be assigned a custom role on SVM that has the following capabilities with access query levels:
    • version: readonly
    • volume: readonly
    • vserver audit: readonly
    • vserver audit rotate-log: all
    • vserver cifs share: readonly

Note: You can also assign the built-in vsadmin role.

  • If you want to authenticate with an AD user account, you must enable it to access SVM through ONTAPI. The credentials are case sensitive.

SharePoint

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a service policy must be defined for this account
  • A member of the local Administrators group
  • A member of the Domain Users group

On the target server:

  • A member of the local Administrators group on the SharePoint server where the Core Service will be deployed
  • The SharePoint_Shell_Access role on the SharePoint SQL Server configuration database

SQL Server

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a batch job policy defined for this account
  • A member of the local Administrators group

On the target server:

  • The System Administrator role on the target SQL Server

If the computer where the product is installed and the audited SQL Server belong to different domains, the audited servers must have accounts with the same name and password as the Data Processing Account. This account must be granted the System Administrator role on the audited SQL Server and be a member of the local Administrators group on the computer where the product is installed.

VMware

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a batch job policy defined for this account
  • A member of the local Administrators group

On the target server:

  • At least the Read-only role on the audited hosts

Windows Server (including DNS)

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a batch job policy defined for this account
  • A member of the local Administrators group

If the computer where the product is installed and the audited servers belong to different domains, the target computers must have accounts with the same name and password as the Data Processing Account. All these accounts must be assigned the local Administrators permissions.
On the target server:

  • The Manage auditing and security log policy must be defined for this account

Event Log (including Cisco, IIS)

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a batch job policy defined for this account

On the target server:

  • A member of the local Administrators group

Group Policy

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a batch job policy defined for this account

In the target domain:

  • A member of the Domain Admins group / the Manage auditing and security log policy must be defined for this account
  • The Read rights to the Active Directory Deleted Objects container
  • If event logs autobackup is enabled: permissions to the following registry key on each domain controller in the target domain:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
AND
a member of one of the following groups: Administrators, Print Operators, Server Operators

  • If event logs autobackup is enabled: the Share Read and Write permissions and the Security Full control permissions for the logs backup folder

Inactive Users

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Log on as a batch job policy must be defined for this account

In the target domain:

  • A member of the Domain Admins group

Logon Activity

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • A member of the local Administrators group

In the target domain:

  • If network traffic compression is disabled: the Manage auditing and security log policy must be defined for this account
  • If network traffic compression is enabled: the account must belong to the Domain Admins group
  • The account must belong to one of the following domain groups: Backup Operators or Server Operators (only if the account is not a member of the Domain Admins group).

Password Expiration

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Log on as a batch job policy must be defined for this account
  • A member of the local Administrators group

In the target domain:

  • A member of the Domain Users group

User Activity

On the computer where Netwrix Auditor Administrator Console is installed:

  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved

NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.

  • The Log on as a batch job policy defined for this account
  • A member of the local Administrators group
  • The Write permission for the product logs

For detailed instructions on how to configure these rights and permissions, refer to the Netwrix Auditor Installation and Configuration Guide.
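
The table names three Windows user rights policies (Log on as a batch job, Log on as a service, Manage auditing and security log). The PowerShell below is an added example, not part of the Netwrix documentation: it reports which principals hold each of those rights on the host where it runs and whether the Data Processing Account is listed directly. The account name is a hypothetical placeholder.

```powershell
# Added example (not Netwrix code). Run elevated on the host being checked.
param(
    [string]$Account = 'CORP\svc-auditor-dpa'   # hypothetical account name
)

# User rights named in the table, mapped to their Windows constants.
$rights = [ordered]@{
    'Log on as a batch job'            = 'SeBatchLogonRight'
    'Log on as a service'              = 'SeServiceLogonRight'
    'Manage auditing and security log' = 'SeSecurityPrivilege'
}

# secedit lists most holders as *SID, so resolve the account to its SID.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective user-rights assignment to a temporary file.
$cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

foreach ($name in $rights.Keys) {
    $constant = $rights[$name]
    $line = $lines | Where-Object { $_ -match "^$constant\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        # Split "Constant = *SID,*SID,Name" into a clean list of holders.
        $holders = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
    [pscustomobject]@{
        Right        = $name
        Constant     = $constant
        DirectlyHeld = ($holders -contains $sid)
        Holders      = $holders -join '; '
    }
}
```

DirectlyHeld is False when the right is granted only through a group such as Administrators, so compare the Holders column against the account's group memberships before concluding that a right is missing.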
