What rights and permissions are required for Data Processing Account (Netwrix Auditor 7.0 and 8.0)

This article explains how to configure the Data Processing Account used by Netwrix Auditor to collect audit data. It lists all required rights and permissions grouped by audited system.

Question: What rights and permissions are required for the Data Processing Account that must be specified when creating a Managed Object in Netwrix Auditor?

Answer: If you are using Netwrix Auditor 6.5, refer to the following article: Data Processing Account Rights and Permissions required for Netwrix Auditor 6.5.

The table below lists all rights and permissions that must be granted to the Data Processing Account to ensure successful data collection:

Audited System: Required Rights and Permissions
Active Directory
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a batch job policy must be defined for this account (applied automatically)
  • A member of the local Administrators group
In the target domain:
  • A member of the Domain Admins group / the Manage auditing and security log policy must be defined for this account
  • The Read rights to the Active Directory Deleted Objects container
  • If event logs autobackup is enabled: permissions to the following registry key on each domain controller in the target domain:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
AND
a member of one of the following groups: Administrators, Print Operators, Server Operators
  • If event logs autobackup is enabled: the Share Read and Write permissions and the Security Full control permissions for the logs backup folder
Exchange
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a batch job policy must be defined for this account (applied automatically)
  • A member of the local Administrators group
In the target domain:
  • A member of the Domain Admins group / The Manage auditing and security log policy defined for this account
  • The Read rights on the Active Directory Deleted Objects container
  • The account must belong to the Organization Management or Records Management group / the Audit Logs management role must be assigned to this account (only required if the audited AD domain has an Exchange organization running Exchange 2010, 2013 or 2016).
  • If event logs autobackup is enabled: permissions to the following registry key on each DC in the target domain:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
AND
a member of one of the following groups: Administrators, Print Operators, Server Operators
  • If event logs autobackup is enabled: the Share Read and Write permissions and Security Full control permissions for the logs backup folder
Exchange Online
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • A member of the local Administrators group
In the Cloud:
  • To connect to Exchange Online, your personal Microsoft account must be assigned the following Exchange admin roles:
    • Audit logs
    • Mail Recipients
    • View-Only Configuration
Windows File Servers
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • A member of the local Administrators group
If the computer where the product is installed and the audited servers belong to different domains, the target computers must have accounts with the same name and password as the Data Processing Account. All these accounts must be assigned the local Administrators permissions.
On the target server:
  • The Manage auditing and security log policy must be defined for this account on a file server
  • The Read share permission on the audited shared folders
EMC Isilon
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a batch job policy must be defined for this account (applied automatically)
  • A member of the local Administrators group
On the target server:
NOTE: This is only required if you are going to configure EMC Isilon for auditing manually.
  • A member of the BUILTIN\Administrators group
  • The Read permissions on the audited shared folders
  • The Read permissions on the folder where audit events are logged (/ifs/.ifsvar/audit/)
  • To connect to EMC Isilon, an account must be assigned a custom role (e.g., netwrix_audit) that has the following privileges:
    • Platform API (ISI_PRIV_LOGIN_PAPI): readonly
    • Auth (ISI_PRIV_AUTH): readonly
    • Audit (ISI_PRIV_AUDIT): readonly
    • Backup (ISI_PRIV_IFS_BACKUP): readonly

Note: An account used to connect to a cluster put into compliance mode must comply with some specific requirements.
EMC Celerra/VNX/VNXe
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a batch job policy must be defined for this account (applied automatically)
  • A member of the local Administrators group
On the target server:
  • The Read share permissions on the audited shared folders
  • A member of the local Administrators group
NetApp Filer
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a batch job policy must be defined for this account (applied automatically)
  • A member of the local Administrators group
On the target server:
  • The Read share permission on the audited shared folders
  • To connect to NetApp Data ONTAP 7 or Data ONTAP 8 in 7-mode, an account must have the following capabilities:
    • login-http-admin
    • api-vfiler-list-info
    • api-volume-get-root-name 
    • api-system-cli
    • api-options-get
    • cli-cifs
  • To connect to NetApp Clustered Data ONTAP 8, an account must be assigned a custom role on SVM that has the following capabilities with access query levels:
    • version: readonly
    • volume: readonly
    • vserver audit: readonly
    • vserver audit rotate-log: all
    • vserver cifs share: readonly

Note: You can also assign the built-in vsadmin role.
  • If you want to authenticate with an AD user account, you must enable it to access SVM through ONTAPI. The credentials are case sensitive.
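A least-privilege check for the Clustered Data ONTAP custom role listed above, as an added example that is not part of the original article or of Netwrix or NetApp tooling. The role name `netwrix_role`, the SVM name `svm1` and the one-entry-per-line listing layout are assumptions for illustration, and the sample listing is constructed; the check models ONTAP's rule that an entry for a command directory also covers its subdirectories unless a more specific entry exists.

```python
# Required command directories and access levels, copied from the list above.
REQUIRED = {
    "version": "readonly",
    "volume": "readonly",
    "vserver audit": "readonly",
    "vserver audit rotate-log": "all",
    "vserver cifs share": "readonly",
}
RANK = {"none": 0, "readonly": 1, "all": 2}

def parse_role_listing(text, role):
    """Return {command directory: access} for one role.
    Assumed layout per line: <svm> <role> <command directory...> <access>."""
    granted = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == role and parts[-1] in RANK:
            granted[" ".join(parts[2:-1])] = parts[-1]
    return granted

def effective(granted, cmd):
    """An entry covers its subdirectories unless a longer entry overrides it."""
    words = cmd.split()
    for n in range(len(words), 0, -1):
        if " ".join(words[:n]) in granted:
            return granted[" ".join(words[:n])]
    return granted.get("DEFAULT", "none")

def audit_role(granted):
    """Report required access that is too low, too high, or not needed."""
    findings = {"too_low": [], "too_high": [], "extra": []}
    for cmd, need in REQUIRED.items():
        have = RANK[effective(granted, cmd)]
        if have != RANK[need]:
            findings["too_low" if have < RANK[need] else "too_high"].append(cmd)
    findings["extra"] = sorted(
        c for c, lvl in granted.items() if c not in REQUIRED and lvl != "none")
    return findings

# Constructed sample listing (hypothetical SVM and role names).
SAMPLE = """\
svm1 netwrix_role version readonly
svm1 netwrix_role volume all
svm1 netwrix_role vserver audit readonly
svm1 netwrix_role vserver cifs share readonly
svm1 netwrix_role vserver export-policy all
svm1 other_role volume all
"""
if __name__ == "__main__":
    print(audit_role(parse_role_listing(SAMPLE, "netwrix_role")))
```

In the sample, `vserver audit rotate-log` has no entry of its own and inherits `readonly` from `vserver audit`, so it is reported as too low, while `volume` and `vserver export-policy` are reported as excess privilege.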
SharePoint
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a service policy must be defined for this account
  • A member of the local Administrators group
  • A member of the Domain Users group
On the target server:
  • A member of the local Administrators group on the SharePoint server where the Core Service will be deployed
  • The SharePoint_Shell_Access role on the SharePoint SQL Server configuration database
SQL Server
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a batch job policy defined for this account
  • A member of the local Administrators group
On the target server:
  • The System Administrator role on the target SQL Server
If the computer where the product is installed and the audited SQL Server belong to different domains, the audited servers must have accounts with the same name and password as the Data Processing Account. This account must be granted the System Administrator role on the audited SQL Server and be a member of the local Administrators group on the computer where the product is installed.
VMware
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a batch job policy defined for this account
  • A member of the local Administrators group
On the target server:
  • At least the Read-only role on the audited hosts
Windows Server (including DNS)
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a batch job policy defined for this account
  • A member of the local Administrators group
If the computer where the product is installed and the audited servers belong to different domains, the target computers must have accounts with the same name and password as the Data Processing Account. All these accounts must be assigned the local Administrators permissions.
On the target server:
  • The Manage auditing and security log policy must be defined for this account
Event Log (including Cisco, IIS)
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a batch job policy defined for this account
On the target server:
  • A member of the local Administrators group
Group Policy
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a batch job policy defined for this account
In the target domain:
  • A member of the Domain Admins group / the Manage auditing and security log policy must be defined for this account
  • The Read rights to the Active Directory Deleted Objects container
  • If event logs autobackup is enabled: permissions to the following registry key on each domain controller in the target domain:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
AND
a member of one of the following groups: Administrators, Print Operators, Server Operators
  • If event logs autobackup is enabled: the Share Read and Write permissions and the Security Full control permissions for the logs backup folder
Inactive Users
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Log on as a batch job policy must be defined for this account
In the target domain:
  • A member of the Domain Admins group
Logon Activity
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • A member of the local Administrators group
In the target domain:
  • If network traffic compression is disabled: the Manage auditing and security log policy must be defined for this account
  • If network traffic compression is enabled: the account must belong to the Domain Admins group
  • The account must belong to one of the following domain groups: Backup Operators or Server Operators (only if the account is not a member of the Domain Admins group).
Password Expiration
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Log on as a batch job policy must be defined for this account
  • A member of the local Administrators group
In the target domain:
  • A member of the Domain Users group
User Activity
On the computer where Netwrix Auditor Administrator Console is installed:
  • The Write permission on the folder where the Long-Term Archive is going to be stored (by default C:\ProgramData\Netwrix Auditor\Data)
  • The Change share permission and the Create files / Write data folder permission on file shares where report subscriptions will be saved
NOTE: Subscriptions created in the Netwrix Auditor client are uploaded to file servers under the Default Data Processing Account.
  • The Log on as a batch job policy defined for this account
  • A member of the local Administrators group
  • The Write permission for the product logs

For detailed instructions on how to configure these rights and permissions, refer to the Netwrix Auditor Installation and Configuration Guide.