Go Up
You are here: ConfigurationConfigure Netwrix Auditor Service AccountsData Collecting AccountFor Exchange Auditing

For Exchange Auditing

Before you start creating a monitoring plan to audit your Exchange server, plan for the account that will be used for data collection – it should meet the requirements listed below. Then you will provide this account in the monitoring plan wizard (or in the monitored item settings).

Starting with version 9.96, you can use group Managed Service Accounts (gMSA) as data collecting accounts. For more information on gMSA, refer to Using Group Managed Service Account (gMSA)Microsoft documentation.These group Managed Service Accounts should meet the related requirements.

  1. Depending on the network traffic compression setting you need to use, one of the following is required:

    • If network traffic compression is enabled, then the account must belong to the Domain Admins group

      NOTE: If you need granular rights to be assigned instead, please contact Netwrix Technical support.

    • If network traffic compression is disabled, and the account you plan to use for data collection is not a member of the Domain Admins group, then the Manage auditing and security log policy must be defined for this account.
      See Configuring 'Manage Auditing and Security Log' Policy for more information.
  2. If you plan to process Active Directory Deleted Objects container, Read permission on this container is required. See Granting Permissions for 'Deleted Objects' Container for more information.
  3. NOTE: Grant this permission only if the account you plan to use for data collection is not a member of the Domain Admins group

  4. If auto-backup is enabled for the domain controller event logs, then the following is required:

    1. Permissions to access the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security registry key on the domain controllers in the target domain. See Assigning Permission To Read the Registry Key for more information.
    2. Membership in one of the following groups: Administrators, Print Operators, Server Operators
    3. Read/Write share permission and Full control security permission on the logs backup folder

NOTE: Grant these permissions only if the account you plan to use for data collection is not a member of the Domain Admins group.

Also, if the AD domain has an Exchange organization running Exchange 2019, 2016, 2013 or 2010, then:

  • the account must belong to the Organization Management or Records Management group (see Adding Account to 'Organization Management' Group for more information)


  • Several management roles assigned: Audit Logs role, View-only Configuration role, Mail Recipients role, and Monitoring role (see Assigning Management Roles for more information on how to perform role assignment)

Go Up