Audited System | Required Rights and Permissions |
Active Directory | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a batch job policy must be defined for this account (it is applied automatically)
- A member of the local Administrators group
In the target domain:
- A member of the Domain Admins group / the Manage auditing and security log policy must be defined for this account
- The Read rights to the Active Directory Deleted Objects container
- If event logs autobackup is enabled: permissions to the following registry key on each domain controller in the target domain:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security AND a member of one of the following groups: Administrators, Print Operators, Server Operators
- If event logs autobackup is enabled: the Share Read and Write permissions and the Security Full control permissions for the logs backup folder
|
Exchange | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a batch job policy defined for this account (it is applied automatically)
- A member of the local Administrators group
In the target domain:
- A member of the Domain Admins group / The Manage auditing and security log policy defined for this account
- The Read rights on the Active Directory Deleted Objects container
- The account must belong to the Organization Management or Records Management group / the Audit Logs management role must be assigned to this account (only required if the audited AD domain has an Exchange organization running Exchange 2010, 2013 or 2016).
- If event logs autobackup is enabled: permissions to the following registry key on each DC in the target domain:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security AND a member of one of the following groups: Administrators, Print Operators, Server Operators
- If event logs autobackup is enabled: the Share Read and Write permissions and Security Full control permissions for the logs backup folder
|
Exchange Online | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- A member of the local Administrators group
In the Cloud:
- To connect to Exchange Online, your personal Microsoft account must be assigned the following Exchange admin roles:
- Audit logs
- Mail Recipients
- View-Only Configuration
|
Windows File Servers | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- A member of the local Administrators group
If the computer where the product is installed and the audited servers belong to different domains, the target computers must have accounts with the same name and password as the Data Processing Account. All these accounts must be assigned the local Administrators permissions.
On the target server:
- The Manage auditing and security log policy must be defined for this account on a file server
- The Read share permission on the audited shared folders
|
EMC Isilon | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a batch job policy defined for this account (it is applied automatically)
- A member of the local Administrators group
On the target server:
NOTE: This is only required if you are going to configure EMC Isilon for auditing manually.
- A member of the BUILTIN\Administrators group
- The Read permissions on the audited shared folders
- The Read permissions on the folder where audit events are logged (/ifs/.ifsvar/audit/)
- To connect to EMC Isilon, an account must be assigned a custom role (e.g., netwrix_audit) that has the following privileges:
Platform API (ISI_PRIV_LOGIN_PAPI) | readonly |
Auth (ISI_PRIV_AUTH) | readonly |
Audit (ISI_PRIV_AUDIT) | readonly |
Backup (ISI_PRIV_IFS_BACKUP) | readonly |
Note: An account used to connect to a cluster put into compliance mode must comply with some specific requirements. |
EMC Celerra/ VNX/VNXe | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a batch job policy defined for this account (it is applied automatically)
- A member of the local Administrators group
On the target server:
- The Read share permissions on the audited shared folders
- A member of the local Administrators group
|
NetApp Filer | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a batch job policy defined for this account (it is applied automatically)
- A member of the local Administrators group
On the target server:
- The Read share permission on the audited shared folders
- To connect to NetApp Data ONTAP 7 or Data ONTAP 8 in 7-mode, an account must have the following capabilities:
- login-http-admin
- api-vfiler-list-info
- api-volume-get-root-name
- api-system-cli
- api-options-get
- cli-cifs
- To connect to NetApp Clustered Data ONTAP 8, an account must be assigned a custom role on SVM that has the following capabilities with access query levels:
version | readonly |
volume | readonly |
vserver audit | readonly |
vserver audit rotate-log | all |
vserver cifs share | readonly |
Note: You can also assign the built-in vsadmin role.
- If you want to authenticate with an AD user account, you must enable it to access SVM through ONTAPI. The credentials are case sensitive.
|
SharePoint | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a service policy must be defined for this account
- A member of the local Administrators group
- A member of the Domain Users group
On the target server:
- A member of the local Administrators group on the SharePoint server where the Core Service will be deployed
- The SharePoint_Shell_Access role on the SharePoint SQL Server configuration database
|
SQL Server | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a batch job policy defined for this account
- A member of the local Administrators group
On the target server:
- The System Administrator role on the target SQL Server
If the computer where the product is installed and the audited SQL Server belong to different domains, the audited servers must have accounts with the same name and password as the Data Processing Account. This account must be granted the System Administrator role on the audited SQL Server and be a member of the local Administrators group on the computer where the product is installed. |
VMware | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a batch job policy defined for this account
- A member of the local Administrators group
On the target server:
- At least the Read-only role on the audited hosts
|
Windows Server (including DNS) | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a batch job policy defined for this account
- A member of the local Administrators group
If the computer where the product is installed and the audited servers belong to different domains, the target computers must have accounts with the same name and password as the Data Processing Account. All these accounts must be assigned the local Administrators permissions.
On the target server:
- The Manage auditing and security log policy must be defined for this account
|
Event Log (including Cisco, IIS) | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a batch job policy defined for this account
On the target server:
- A member of the local Administrators group
|
Group Policy | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a batch job policy defined for this account
In the target domain:
- A member of the Domain Admins group / the Manage auditing and security log policy must be defined for this account
- The Read rights to the Active Directory Deleted Objects container
- If event logs autobackup is enabled: permissions to the following registry key on each domain controller in the target domain:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security AND a member of one of the following groups: Administrators, Print Operators, Server Operators
- If event logs autobackup is enabled: the Share Read and Write permissions and the Security Full control permissions for the logs backup folder
|
Inactive Users | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Log on as a batch job policy must be defined for this account
In the target domain:
- A member of the Domain Admins group
|
Logon Activity | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- A member of the local Administrators group
In the target domain:
- If network traffic compression is disabled: the Manage auditing and security log policy must be defined for this account
- If network traffic compression is enabled: the account must belong to the Domain Admins group
- The account must belong to one of the following domain groups: Backup Operators or Server Operators (only if the account is not a member of the Domain Admins group).
|
Password Expiration | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Log on as a batch job policy must be defined for this account
- A member of the local Administrators group
In the target domain:
- A member of the Domain Users group
|
User Activity | On the computer where Netwrix Auditor Administrator Console is installed:
- The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
- The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
- The Log on as a batch job policy defined for this account
- A member of the local Administrators group
- The Write permission for the product logs
|
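
A read-only check of the console-host requirements that recur across the rows above (local Administrators membership, Write on the Long-Term Archive folder, Log on as a batch job), as an added example that is not Netwrix code. The account name `CONTOSO\svc-netwrix` is a placeholder, and only grants made directly to the account or through the local Administrators group are resolved, so rights delivered through other groups are reported as False.

```powershell
# Added example (not Netwrix code). Run elevated on the console host: secedit needs it.
param(
    [string]$Account     = 'CONTOSO\svc-netwrix',                 # placeholder (assumption)
    [string]$ArchivePath = 'C:\ProgramData\Netwrix Auditor\Data'  # default from the table
)
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value

# 1. Direct membership in the local Administrators group (well-known SID S-1-5-32-544).
$admins  = Get-LocalGroup -SID 'S-1-5-32-544'
$isAdmin = [bool](Get-LocalGroupMember -Group $admins | Where-Object { $_.SID.Value -eq $sid })

# SIDs whose grants count for this account: itself, plus Administrators if a member.
$sids = @($sid)
if ($isAdmin) { $sids += 'S-1-5-32-544' }

# 2. Allow ACEs (explicit or inherited) on the archive folder that include Write.
$write    = [System.Security.AccessControl.FileSystemRights]::Write
$aces     = (Get-Acl -Path $ArchivePath).GetAccessRules($true, $true, $sidType)
$hasWrite = [bool]($aces | Where-Object {
    $sids -contains $_.IdentityReference.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $write) -eq $write
})

# 3. User rights assignments exported from the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg

function Test-UserRight([string]$Right) {
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return $false }
    # Value is a comma-separated list; SIDs carry a leading '*'.
    $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    return [bool]($entries | Where-Object { $sids -contains $_ })
}

[pscustomobject]@{
    Account             = $Account
    LocalAdministrators = $isAdmin
    ArchiveWrite        = $hasWrite
    LogOnAsBatchJob     = Test-UserRight 'SeBatchLogonRight'
    # Required on target servers / in the domain per the table; check it there.
    ManageAuditingLog   = Test-UserRight 'SeSecurityPrivilege'
}
```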