Permissions for Logon Activity Auditing

Before creating a monitoring plan to audit the Logon Activity in your domain, determine the domain account for data collection.

When selecting the domain account, consider the following:

  • If network traffic compression is enabled, the account must belong to the Domain Admins group.
  • If network traffic compression is disabled, the account can belong to the Domain Admins group or be a non-administrative account configured with minimum rights (see Configure Account to Collect Logon Activity).
  • For the data collection account, use a different account than the one Auditor uses to access the database.
  • If you use a group Managed Service Account (gMSA), the data collection account must be a member of the local Administrators group on the Netwrix Auditor host.

Configure Account to Collect Logon Activity

This section explains how to configure an account to collect Logon Activity with minimum rights. These instructions apply only if you disable network traffic compression in the monitoring plan and don't want to automatically adjust audit settings.

NOTE: If the account is a member of the Domain Admins group, you can skip these steps.

Step 1 – Create a domain user with the following privileges:

Step 2 – Grant the Read permission on the following registry keys to this user:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

See the Assign Permission To Read the Registry Key topic for instructions on using Registry Editor to assign permissions.
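
As an alternative to Registry Editor, the following PowerShell script performs Step 2 from an elevated session; it is an added example, not part of the Netwrix documentation. Assumptions: the account is passed as -Account in DOMAIN\user form, the script runs locally on the computer whose registry is being configured, and the Read rule applies to each key and its subkeys.

```powershell
#Requires -RunAsAdministrator
# Added example, not Netwrix code. Grants Read on the two Step 2 keys to the
# data collection account and reports the result. Only the DACL is modified.
param([Parameter(Mandatory)][string]$Account)   # DOMAIN\user, supplied by you

$subKeys = @(
    'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
    'SYSTEM\CurrentControlSet\Services\EventLog\Security'
)
$sidType     = [System.Security.Principal.SecurityIdentifier]
$sid         = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)
$read        = [System.Security.AccessControl.RegistryRights]::ReadKey
$open        = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
$dacl        = [System.Security.AccessControl.AccessControlSections]::Access
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

foreach ($subKey in $subKeys) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $subKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $open)
    if (-not $key) { Write-Warning "Key not found: HKLM\$subKey"; continue }
    try {
        $acl = $key.GetAccessControl($dacl)
        # Look for an Allow ACE that names this account directly, applies to the
        # key itself and covers Read. Rights held through groups are not counted.
        $existing = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $read) -eq $read -and
            ($_.PropagationFlags -band $inheritOnly) -eq 0
        }
        if ($existing) {
            $status = 'already granted'
        } else {
            # Assumption: the rule covers this key and its subkeys.
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $sid, $read, 'ContainerInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
            $key.SetAccessControl($acl)
            $status = 'granted'
        }
        [pscustomobject]@{ Key = "HKLM\$subKey"; Account = $Account; Read = $status }
    } finally {
        $key.Close()
    }
}
```

The script is idempotent: a second run reports "already granted" for both keys, which also makes it usable as a check after the permissions were assigned in Registry Editor.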