Rights and permissions required for the Netwrix Auditor - Active Directory account

Question: What rights and permissions are required for the account under which the Netwrix Auditor - Active Directory is running?

Answer: The following rights and permissions are required:

1. The account under which the Netwrix Auditor - Active Directory scheduled task will run must have:
  1. The local administrator's rights (*) on the machine where the product is installed
  2. Sufficient permissions to query the entire Active Directory Schema (in most cases Domain user is enough) 
  3. The "Manage auditing and security log" user right enabled on all DCs (if the product is run under a Domain Administrator account, this right is enabled by default). This is necessary to collect and report on objects' security changes. Adjust the Domain Controller Security Policy accordingly.
  4. Content Manager role for the Home folder on SSRS. (**)
  5. db_owner role for the product SQL database

2. The account you will use to view reports in the Reports Manager must have the Browser role for the Home folder on SSRS. (**)

3. If you are going to collect data using agents, the account under which the Netwrix Auditor - Active Directory is running must be a member of the Domain Administrators group. (**)

4. If you are going to use the Active Directory Restore Object Wizard and the Audit Configuration Wizard, the account must be a member of the Domain Administrators group.

(*) Local administrator rights could be replaced with the following permissions:
  • Full Control to the C:\ProgramData\Netwrix folder
  • Full Control to the C:\Program files (x86)\Netwrix folder (C:\Program files\Netwrix for x86 systems)
  • Full Control to the C:\Windows\Tasks folder
  • Full Control to the C:\Program Files (x86)\Common Files\NetWrix folder (C:\Program Files\Common Files\NetWrix for x86 systems)
  • Full Control to the HKLM\SOFTWARE\Wow6432Node registry key
  • Log on as a service policy right
  • Log on as a batch job policy right
(**) - Applicable to the product's Enterprise Edition only.
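
The following PowerShell script is an added example, not part of the original article or the product: it checks whether an account holds the permissions listed under (*) as the replacement for local administrator rights. The account name `CONTOSO\svc-netwrix` is a hypothetical placeholder, the paths are the 64-bit ones from the list above, and only grants made directly to the account's SID are matched (permissions obtained through group membership are not resolved).

```powershell
# Added example: verify the least-privilege alternative to local administrator rights.
# Run elevated on the machine where the product is installed.
param([string]$Account = 'CONTOSO\svc-netwrix')  # hypothetical account name

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Folders and registry key listed in the article (64-bit layout)
$targets = @(
    'C:\ProgramData\Netwrix',
    'C:\Program Files (x86)\Netwrix',
    'C:\Windows\Tasks',
    'C:\Program Files (x86)\Common Files\NetWrix',
    'HKLM:\SOFTWARE\Wow6432Node'
)

$report = foreach ($path in $targets) {
    $granted = $false
    if (Test-Path -LiteralPath $path) {
        # Ask for explicit and inherited ACEs, with identities returned as SIDs
        $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $rights = if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
                $rule.RegistryRights } else { $rule.FileSystemRights }
            if ($rule.IdentityReference.Value -eq $sid -and
                $rule.AccessControlType -eq 'Allow' -and "$rights" -match 'FullControl') {
                $granted = $true
            }
        }
    }
    [pscustomobject]@{ Item = $path; Required = 'Full Control'; Granted = $granted }
}

# User rights: export the effective local policy and look for the account's SID
$inf = Join-Path $env:TEMP 'netwrix-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content -LiteralPath $inf
Remove-Item -LiteralPath $inf
$rightNames = @{ SeServiceLogonRight = 'Log on as a service'
                 SeBatchLogonRight   = 'Log on as a batch job' }
$report += foreach ($right in $rightNames.Keys) {
    $line = $policy | Where-Object { $_ -match "^$right\s*=" }
    $holders = if ($line) { ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } } else { @() }
    [pscustomobject]@{ Item = $rightNames[$right]; Required = 'Assigned'; Granted = ($holders -contains "*$sid") }
}

$report | Format-Table -AutoSize
```

The same `secedit` lookup, using the constant `SeSecurityPrivilege`, shows on a domain controller whether the "Manage auditing and security log" right from item 1.3 is assigned.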