1. Privileges/permissions required for Domain Controller auditing configuration
Granting the service account the following privileges/permissions, allows ADAudit Plus to automatially configure the required audit policy and object level auditing settings in your environment. ADAudit Plus does this by pushing the required settings via GPO, to the group which contains all the monitored computers.
- Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → click on Default Domain Controllers Policy → Navigate to the right panel, click on the Delegation tab → Add the ADAudit Plus User → Provide permission to Edit settings, delete, modify security.
2. Privileges/permissions required for member server, workstation, and file server auditing configuration
2.1 Make the user a member of the Group Policy Creator Owners group
- Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Click on Users → Navigate to the right panel, right click on Group Polciy Creator Owners group → Add the "ADAudit Plus" user as a member.
2.2 Grant the user, group management permissions
- Log in to your Domain Controller with Domain Admin privileges → Open Active Directory User and Computers.
Click on View and ensure that Advanced Features is enabled. This will display the advanced security settings for selected objects in Active Directory Users and Computers.
- Right-click Users → Properties → Security → Advanced → Permissions → Add → In the Permissions Entry for Users window, Select a principal: ADAudit Plus user → Type: Allow → Applies to: This object and all descendant objects → Select permissions: Create Group objects and Delete Group objects.
Note: Use Clear all to remove all permissions and properties before selecting the mentioned permissions.
- From the Active Directory User and Computers console → Right-click Users → Properties → Security → Advanced → Permissions → Add → In the Permission Entry for Users window → Select a principal: ADAudit Plus user → Type: Allow → Applies to: Descendant Group objects → Select property: Write Members.
Note: Use Clear all to remove all permissions and properties before selecting the mentioned property.
