For Active Directory Auditing

Before you start creating a monitoring plan to audit your Active Directory, plan for the account that will be used for data collection – it should meet the requirements listed in this section. Then you will provide this account in the monitoring plan wizard (or in the monitored item settings).

Starting with version 9.96, you can use group Managed Service Accounts (gMSA) as data collecting accounts.

NOTE: For more information on gMSA, refer to Using Group Managed Service Account (gMSA) and to Microsoft documentation.

These group Managed Service Accounts should also meet the related requirements.

In the target domain:

  1. Do you plan to use network traffic compression for data processing?

    • If network traffic compression will be enabled, then the account must belong to the Domain Admins group

      NOTE: If you need granular rights to be assigned instead, please contact Netwrix Technical support.

    • If network traffic compression will be disabled, and the account you plan to use for data collection is not a member of the Domain Admins group, then the Manage auditing and security log policy must be defined for this account.
      See Configuring 'Manage Auditing and Security Log' Policy for more information.
  2. Do you need to process Active Directory Deleted Objects container?
  3. If yes, then Read permission on this container is required. See Granting Permissions for 'Deleted Objects' Container for more information.

    NOTE: Grant this permission only if the account you plan to use for data collection is not a member of the Domain Admins group

  4. Is auto-backup enabled for the domain controller event logs?

    If yes, then the following is required:

    1. Permissions to access the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security registry key on the domain controllers in the target domain. See Assigning Permission To Read the Registry Key for more information.
    2. Membership in any of the following groups: Administrators, Print Operators, Server Operators
    3. Read/Write share permission and Full control security permission on the logs backup folder
  5. NOTE: Grant these permissions only if the account you plan to use for data collection is not a member of the Domain Admins group.

  6. If you have an on-premises Exchange server in your Active Directory domain, consider that some changes can be made via that Exchange server. To be able to audit and report who made those changes, you should make sure that the account used for data collection has any of the following:

    • Membership in the Organization Management or Records Management group


    Also, you will need to configure Exchange Administrator Audit Logging (AAL) settings, as described in the Configure Exchange Administrator Audit Logging Settingssection.

NOTE: If you are using gMSA for data collection, consider that AAL event data collection from your on-premise Exchange server will not be possible.

Thus, changes made to your Active Directory domain via that Exchange server will be reported with domain\Exchange_server_name$ instead of the initiator (user) name in the "Who" field of reports, search results and activity summaries.