ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

What permissions are required by the domain controller agent user on the Domain Controller?

book

Article ID: 238929

calendar_today

Updated On:

Products

Data Loss Prevention

Issue/Introduction

The domain controller agent queries Windows Events in the Microsoft Active Directory security event log of the domain controller. When installing the domain controller agent we have to mention an Active Directory user that the domain controller agent uses to query the domain controller.

Domain Admin privileges will work but many organizations are not comfortable giving such high privileges and want to know what specific permissions are required for the user on the Domain Controller?

Environment

DLP 15.x

Resolution

The user needs to be part of the "Event Log Readers" group on the Domain Controller. This will only allow the user to read the events and not have any domain admin privileges. 

1. Log in to Domain Controller which you specified when installing the domain controller agent
2. On the Domain Controller, open "Active Directory Users and Computers"
3. Go to Builtin > Event Log Readers.


4. Add the user to this group. 
5. Once done wait for some time for the AD changes to be replicated.
6. Restart the Domain Controller Agent service.

Additional Information

Installing the domain controller agent to identify users in incidents

Attachments