
For Exchange Auditing

Before you start creating a monitoring plan to audit your Exchange server, plan for the account that will be used for data collection – it should meet the requirements listed below. Then you will provide this account in the monitoring plan wizard.

  1. Depending on the network traffic compression setting you need to use, one of the following is required:

    • If network traffic compression is enabled, then the account must belong to the Domain Admins group

      NOTE: If you need granular rights to be assigned instead, please contact Netwrix Technical support.

    • If network traffic compression is disabled, and the account you plan to use for data collection is not a member of the Domain Admins group, then the Manage auditing and security log policy must be defined for this account.
      See Configuring 'Manage Auditing and Security Log' Policy for more information.
  2. If you plan to process the Active Directory Deleted Objects container, Read permission on this container is required. See Granting Permissions for 'Deleted Objects' Container for more information.

     NOTE: Grant this permission only if the account you plan to use for data collection is not a member of the Domain Admins group.

  3. If auto-backup is enabled for the domain controller event logs, then the following is required:

    1. Permissions to access the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security registry key on the domain controllers in the target domain. See Assigning Permission To Read the Registry Key for more information.
    2. Membership in one of the following groups: Administrators, Print Operators, Server Operators
    3. Read/Write share permission and Full control security permission on the logs backup folder

NOTE: Grant these permissions only if the account you plan to use for data collection is not a member of the Domain Admins group.
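
An added PowerShell example (not from the Netwrix documentation) that reports how a data collecting account measures up against the requirements above: Domain Admins membership, the 'Manage auditing and security log' user right, and the three auto-backup items. The account name, domain controller name and backup folder path are hypothetical placeholders; it assumes the RSAT ActiveDirectory module and PowerShell remoting to the domain controller.

```powershell
# Added example, not Netwrix code. Run as a domain administrator.
# The three values below are hypothetical placeholders.
Import-Module ActiveDirectory
$Sam          = 'svc-nwx-collector'
$Dc           = 'dc01.corp.example'
$BackupFolder = '\\dc01.corp.example\EventLogBackup'

$sid = (Get-ADUser -Identity $Sam).SID.Value

# Recursive membership test against a domain group.
function Test-Member([string]$Group) {
    [bool](Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.SID.Value -eq $sid })
}

$report = [ordered]@{ Account = $Sam; DomainAdmin = Test-Member 'Domain Admins' }

# "Manage auditing and security log" is the SeSecurityPrivilege user right.
# Only a grant made directly to the account SID is detected, not one made via a group.
$rights = Invoke-Command -ComputerName $Dc -ScriptBlock {
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    Get-Content $cfg | Where-Object { $_ -like 'SeSecurityPrivilege*' }
    Remove-Item $cfg
}
$report.ManageAuditingAndSecurityLog = "$rights" -match [regex]::Escape($sid)

# Auto-backup item 2: membership in one of these built-in groups.
$report.BuiltinGroups = @('Administrators', 'Print Operators', 'Server Operators' |
    Where-Object { Test-Member $_ })

# Auto-backup item 1: ACEs naming the account on the Security event log registry key.
$report.RegistryKeyRights = Invoke-Command -ComputerName $Dc -ScriptBlock {
    $who = $using:Sam
    (Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security').Access |
        Where-Object { $_.IdentityReference.Value -like "*\$who" } |
        ForEach-Object { "$($_.AccessControlType) $($_.RegistryRights)" }
}

# Auto-backup item 3, NTFS side only; review the share permissions separately.
$report.BackupFolderRights = (Get-Acl -Path $BackupFolder).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Sam" } |
    ForEach-Object { "$($_.AccessControlType) $($_.FileSystemRights)" }

[pscustomobject]$report
```

If `DomainAdmin` is `True`, the remaining fields are informational, since the page asks for the granular permissions only when the account is not a member of the Domain Admins group.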

Also, if the AD domain has an Exchange organization running Exchange 2010, 2013, or 2016, then:
