What rights and permissions are required for Data Processing Account (Netwrix Auditor 6.5 and below)

This article explains how to configure Data Processing Account used by Netwrix Auditor 6.5 to collect audit data. It lists all required rights and permissions grouped by audited system.
Email It to Me Print this Page
Question What rights and permissions are required for the Data Processing Account that must be specified when creating a Managed Object in Netwrix Auditor 6.5 and below?
Answer The table below lists all rights and permissions required for all Netwrix Auditor features:
 
Audited SystemRequired Rights and Permissions
Active Directory
  • A member of the Domain Admins group/ The Manage auditing and security log policy defined for this account
  • The Log on as a batch job policy must be defined for this account - is applied automatically
  • A member of the local Administrators group on the computer where the product is installed
  • The Read rights to the Active Directory Deleted Objects container
  • If event logs autobackup is enabled: permissions to the following registry key on each DC in the target domain: HKLM\System\CurrentControlSet\Services\EventLog\Security + the member of one of the following groups: Administrators, Print Operators, Server Operators
  • If event logs autobackup is enabled: the Share Read and Write permissions and the Security Full control permissions for the logs backup folder
  • The Database owner role*
  • The Content Manager role on the  SSRS Home folder
Group Policy
  • A member of the Domain Admins group/ The Manage auditing and security log policy defined for this account
  • The Log on as a batch job policy must be defined for this account - is applied automatically
  • A member of the local Administrators group on the computer where the product is installed
  • The Read rights to the Active Directory Deleted Objects container
  • If event logs autobackup is enabled: permissions to the following registry key on each DC in the target domain: HKLM\System\CurrentControlSet\Services\EventLog\Security+ the member of one of the following groups: Administrators, Print Operators, Server Operators
  • If event logs autobackup is enabled: the Share Read and Write permissions and the Security Full control permissions for the logs backup folder
  • The Database owner role*
  • The Content Manager role on the  SSRS Home folder
EMC Storage
  • A  member of the local Administrators group
  • If the computer where the product is installed and monitored servers belong to different domains, the target computers must have accounts with the same name and password as the Data Processing Account. All these account must be assigned the local administrator permissions.
  • The Log on as a batch job policy must be defined for this account
  • The Manage auditing and security log policy enabled
  • The Database owner role*
  • Read access to the monitored shared folders
  • The Content Manager role on the  SSRS Home folder
Event Logs
  • A member of the Domain Admins group
  • The Log on as a batch job policy must be defined for this account - is applied automatically
  • The Database owner role*
  • The Content Manager role on the  SSRS Home folder
Exchange
  • A member of the Domain Admins group/ The Manage auditing and security log policy defined for this account
  • The Log on as a batch job policy must be defined for this account - is applied automatically
  • The account must belong to the Organization Management or the Records Management group / the Audit Logs management role must be assigned to this account (only required if the monitored AD domain has an Exchange organization running MS Exchange Server 2010).
  • The Read rights to the Active Directory Deleted Objects container
  • If event logs autobackup is enabled: permissions to the following registry key on each DC in the target domain: HKLM\System\CurrentControlSet\Services\EventLog\Security + the member of one of the following groups: Administrators, Print Operators, Server Operators
  • If event logs autobackup is enabled: the Share Read and Write permissions and the Security Full control permissions for the logs backup folder
  • The Database owner role*
  • The Content Manager role on the  SSRS Home folder
Inactive User Tracking
  • A member of the Domain Admins group
  • The Log on as a batch job policy must be defined for this account - is applied automatically
Mailbox Access
  • A member of  the Domain Admins group (to monitor several Exchange Servers in the domain where  is installed) / A member of the Enterprise Admins group (to audit Exchange Servers in different domains belonging to the same forest)
NetApp Filer
  • A  member of the local Administrators group
  • If the computer where the product is installed and monitored servers belong to different domains, the target computers must have accounts with the same name and password as the Data Processing Account. All these account must be assigned the local Administrator permissions.
  • The Log on as a batch job policy must be defined for this account
  • The Manage auditing and security log policy enabled
  • The Database owner role*
  • Read access to the monitored shared folders
  •  NetApp Filer account should have the following capabilities:
    • login-http-admin
    • api-system-cli
    • api-options-get
    • cli-cifs
  • The Content Manager role on the  SSRS Home folder
Password Expiration Alerting
  • A member of the Domain Users group
  • A  member of the local Administrators group
  • The Log on as a batch job policy must be defined for this account - is applied automatically
SharePointRequired for Netwrix Auditor to function properly:
  • A  member of the local Administrators group
  • A  member of the Domain Users group
  • The Log on as a service policy must be defined for this account - is applied automatically
  • The Database owner role*
  • The Content Manager role on the  SSRS Home folder
Required for the automatic installation of  Netwrix Auditor Agent for SharePoint:
  • A member of the local Administrators group on SharePoint server, where the agent will be deployed
  • The SharePoint_Shell_Access role on the SharePoint SQL Server configuration database
SQL Server
  • A  member of the local Administrators group
  • The Log on as a batch job policy must be defined for this account - is applied automatically
  • The System Administrator on the target SQL Server
  • The Database owner role*
  • The Content Manager role on the  SSRS Home folder
User Activity Video Recording
  • A  member of the local Administrators group
  • The Log on as a batch job policy must be defined for this account - is applied automatically
  • The Write permissions for the product logs and the Audit Archive folder
  • Administrator rights on the target computers
  • The Database owner role*
  • The Content Manager role on the  SSRS Home folder
VMware
  • A  member of the local Administrators group
  • At least Read-only role on the monitored server(s)
  • The "Log on as a batch job" policy must be defined for this account - is applied automatically
  • The Database owner role*
  • The Content Manager role on the  SSRS Home folder
Windows File Servers
  • A  member of the local Administrators group
  • If the computer where the product is installed and monitored servers belong to different domains, the target computers must have accounts with the same name and password as the Data Processing Account. All these account must be assigned the local Administrator permissions.
  • The Log on as a batch job policy must be defined for this account- is applied automatically
  • The Manage auditing and security log policy enabled
  • The Database owner role*
  • Read access to the monitored shared folders
  • The Content Manager role on the  SSRS Home folder
Windows Server
  • A  member of the local Administrators group
  • If the computer where the product is installed and monitored servers belong to different domains, the target computers must have accounts with the same name and password as the Data Processing Account. All these account must be assigned the local Administrator permissions.
  • The Manage auditing and security log policy enabled
  • The Log on as a batch job policy must be defined for this account  - is applied automatically
  • The Database owner role*
  • The Content Manager role on the  SSRS Home folder
 
*Only required if this account will be used to access the product-specific SQL database with audit data.
 
For detailed instructions on how to configure these rights and permissions, refer to the Netwrix Auditor Installation and Configuration Guide.
Was this information helpful?