Service account configuration
Overview
ADAudit Plus instantly starts to audit activities upon providing Domain Admin credentials. If you do not want to provide Domain Admin credentials, follow the steps laid out in this guide to set-up the service account to have only the least privileges required for auditing your environment.
Note: If you want to configure multiple domains in ADAudit Plus, we recommend creating separate service accounts for each individual domain.
New user, group, and GPO creation
Create a new user
- Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Right click on your domain → New → User → Name the user as "ADAudit Plus".
Create a new group
- Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Right click on your domain → New → Group → Name the group as "ADAudit Plus Permission Group".
- Add all the audited computers as members of the "ADAudit Plus Permission Group":Right click on the "ADAudit Plus Permission Group" → Properties → Members → Add all the Domain Controllers, Windows servers and workstations that you wish to audit.
Create a new domain level GPO and link it to all the audited computers
Since configuring permissions on individual computers is an elaborate process, a domain level GPO is created and applied on all monitored computers.
- Log in to your Domain Controller with Domain Admin privileges.
- Create a new domain level GPO:
Open the Group Policy Management Console → Right click on your domain → Create a GPO in this domain and link it here → Name the GPO as"ADAudit Plus Permission GPO"
- Remove Apply group policy permission for Authenticated Users group:
Click on the "ADAudit Plus Permission GPO" → Navigate to the right panel, click on the Delegation tab → Advanced → Click on Authenticated Users → Remove the Apply group policy permission.
- Add the "ADAudit Plus Permission Group" to the security filter settings of the "ADAudit Plus Permission GPO":
Open the Group Policy Management Console → Domain → Select the "ADAudit Plus Permission GPO" → Navigate to the right panel, click on the Delegation tab → Advanced → Add "ADAudit Plus Permission Group" → Check Apply group policy.
Privileges/permissions required for event log collection
Grant the user the Manage auditing and security log right
The Manage auditing and security log right allows the user to define object level auditing.
- Log in to your Domain Controller with Domain Admin privileges→ Open the Group Policy Management Console → Right click on the "ADAudit Plus Permission GPO" → Edit.
- In the Group Policy Management Editor → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
- Navigate to the right panel, right click on Manage auditing and security log → Properties →Add the "ADAudit Plus" user.
2. Make the user a member of the Event Log Readers group
Members of the event log readers group will be able to read the event logs of all the audited computers.
- For Domain Controllers :
Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Builtin Container → Navigate to the right panel, right click on Event Log Readers → Properties → Members →Add the "ADAudit Plus" user.
- For other computers (Windows servers and workstations):
a.Log in to your Domain Controller with Domain Admin privileges→ Open the Group Policy Management Console → Right click on the "ADAudit Plus Permission GPO" → Edit.
b. In the Group Policy Management Editor → Computer Configuration →Preferences → Control Panel Settings → Right click on Local Users and Groups → New → Local Group → Select Event Log Readers group under group name → Add the "ADAudit Plus" user.
Note: To read the event logs, you also need to grant the "ADAudit Plus" user Read permission over HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security.
- Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "ADAudit Plus Permission GPO" → Edit.
- In the Group Policy Management Editor → Computer Configuration → Policies → Windows Settings → Security Settings → Right-click Registry → Add Key.
- In the Select Registry Key Window, navigate to MACHINE → SYSTEM → CurrentControlSet → Services → EventLog → Security → Click OK → Grant Read permission to "ADAudit Plus" user → Click Apply.
- In the Add Object window, select Configure this key then → Replace existing permissions on all subkeys with inheritable permissions → Click OK.
Privileges/permissions required for automatic audit policy and object level auditing configuration
Privileges/permissions required for Domain Controller auditing configuration
Granting the service account the following privileges/permissions, allows ADAudit Plus to automatially configure the required audit policy and object level auditing settings in your environment. ADAudit Plus does this by pushing the required settings via GPO, to the group which contains all the monitored computers.
- Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → click on Default Domain Controllers Policy → Navigate to the right panel, click on the Delegation tab → Add the ADAudit Plus User → Provide permission to Edit settings.
Privileges/permissions required for member server, workstation, and file server auditing configuration
Make the user a member of the Group Policy Creator Owners group
- Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Click on Users → Navigate to the right panel, right click on Group Policy Creator Owners group → Add the "ADAudit Plus" user as a member.
Grant the user, group management permissions
- Log in to your Domain Controller with Domain Admin privileges → Open Active Directory User and Computers.
Click on View and ensure that Advanced Features is enabled. This will display the advanced security settings for selected objects in Active Directory Users and Computers.
- Right-click Users → Properties → Security → Advanced → Permissions → Add → In the Permissions Entry for Users window, Select a principal: ADAudit Plus user → Type: Allow → Applies to: This object and all descendant objects → Select permissions: Create Group objects and Delete Group objects.
Note: Use Clear all to remove all permissions and properties before selecting the mentioned permissions.
- From the Active Directory User and Computers console → Right-click Users → Properties → Security → Advanced → Permissions → Add → In the Permission Entry for Users window → Select a principal: ADAudit Plus user → Type: Allow → Applies to: Descendant Group objects → Select property: Write Members.
Note: Use Clear all to remove all permissions and properties before selecting the mentioned property.
Don't see what you're looking for?
-
Visit our community
Post your questions in the forum.
-
Request additional resources
Send us your requirements.
-
Need implementation assistance?
Try onboarding