Data Collecting Account

This is a service account that Netwrix Auditor uses to collect audit data from the monitored items (domains, OUs, servers, etc.). Netwrix recommends creating a dedicated service account for that purpose. Depending on the data source your monitoring plan will process, the account must meet the corresponding requirements (see the table below).

NOTE: If you are going to enable integration with Netwrix Data Classification (NDC Provider), additional server roles must be assigned to the account. See the For NDC Provider and NDC Provider sections for more information.

Starting with version 9.96, you can use a Group Managed Service Account (gMSA) as the data collecting account. Currently, the following data sources are supported: Active Directory (also for Group Policy and Logon Activity), Windows Server, File Server (currently for Windows File Servers), SQL Server, and SharePoint.

For more details about gMSA usage, see Using Group Managed Service Account (gMSA).

The gMSA should also meet the related requirements (see the table below).

| Data source | Required rights and permissions |
| --- | --- |
| Active Directory | For Active Directory Auditing |
| Active Directory Federation Services | For AD FS Auditing |
| Azure AD, Exchange Online, SharePoint Online | For Office 365 and Azure AD Auditing |
| | For Exchange Auditing |
| Windows File Servers | For Windows File Server Auditing |
| EMC Isilon | For EMC Isilon Auditing |
| | For EMC VNX/VNXe/Unity Auditing |
| | For NetApp Auditing |
| Nutanix Files | For Nutanix Files Auditing |
| Network Devices | For Network Devices Auditing |
| Oracle Database | For Oracle Database Auditing |
| | For SharePoint Auditing |
| SQL Server | For SQL Server Auditing |
| | For VMware Server Auditing |
| Windows Server (including DNS and DHCP) | For Windows Server Auditing |
| Event Log (including IIS)—collected with Event Log Manager | For Event Log Auditing |
| Group Policy | For Group Policy Auditing |
| Logon Activity | For Logon Activity Auditing |
| Inactive Users in Active Directory—collected with Inactive User Tracker | |
| Password Expiration in Active Directory—collected with Password Expiration Notifier | |
| User Activity | |
| NDC Provider | For NDC Provider |