Configure Non-Administrative Account to Collect Logon Activity

This section contains instructions on how to configure an account to collect Logon Activity with the minimum rights assignment. The instructions below apply only if you are going to create a monitoring plan with disabled network traffic compression and do not want to adjust audit settings automatically.

Before creating an account, grant the Read permission on the SECURITY registry key (HKEY_LOCAL_MACHINE\SECURITY) for an admin account under which you will make changes in Group Policy.

Do the following:

  1. Create a domain user with the following privileges:

  2. Grant the Read permission on the following registry keys to this user:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

    Refer to Assigning Permission To Read the Registry Key for detailed instructions on how to do it using Registry Editor.
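A PowerShell equivalent of step 2, as an added example that is not part of the original instructions: it grants Read on both keys and then re-reads each ACL to confirm the account holds Read and nothing more. The account name `CORP\svc-logon-audit` is a placeholder, and applying the rule to each key and its subkeys is an assumption.

```powershell
# Run in an elevated session on the monitored computer.
$Account  = 'CORP\svc-logon-audit'   # placeholder account name (assumption, not from the page)
$KeyPaths = @(
    'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
    'SYSTEM\CurrentControlSet\Services\EventLog\Security'
)

# Resolve the name to a SID first so a mistyped account fails before any ACL is touched.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# "Read" in Registry Editor corresponds to RegistryRights.ReadKey.
# ContainerInherit (this key and subkeys) is an assumption; use 'None' for the key only.
$readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $sid, $readKey,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

foreach ($path in $KeyPaths) {
    # Open with only the rights needed to read and rewrite the DACL.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $path,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    if ($null -eq $key) { Write-Warning "Key not found: HKLM\$path"; continue }
    try {
        $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)

        # Re-read the DACL and report what the account now holds on this key.
        $aces = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $sid.Value -and $_.AccessControlType -eq 'Allow' }
        $granted = 0
        foreach ($ace in $aces) { $granted = $granted -bor [int]$ace.RegistryRights }
        $extra = $granted -band (-bnot [int]$readKey)
        [pscustomobject]@{
            Key       = "HKLM\$path"
            HasRead   = (($granted -band [int]$readKey) -eq [int]$readKey)
            ExtraBits = ('0x{0:X}' -f $extra)   # non-zero means more than Read is granted
        }
    } finally {
        $key.Close()
    }
}
```

A non-zero `ExtraBits` value on either key means the account already has rights beyond Read there, which is worth reviewing before the account is used for data collection.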