Before you start creating a monitoring plan to audit the logon activity in your domain, plan for the account that will be used for data collection – it should meet the requirements listed below. Then you will provide this account in the monitoring plan wizard.
In the target domain:
Depending on the network traffic compression setting you need to use, one of the following is required:
- If network traffic compression is enabled, then the account must belong to the Domain Admins group
- If network traffic compression is disabled, and the account you plan to use for data collection is not a member of the Domain Admins group, then the Manage auditing and security log policy must be defined for this account.
See Configuring 'Manage Auditing and Security Log' Policy for more information.
Membership in the Backup Operators group (if the account you plan to use for data collection is not a member of the Domain Admins group).
- Read permission to access the following registry keys on the domain controllers in the target domain:
See Assigning Permission To Read the Registry Key for more information.