Overview
This document details the minimum rights and privileges required for configuring the specific components for Auditing and the steps required to complete the configuration for a successful setup.
Minimum Rights Required
A Domain User Account.
This account should be a member of the “Event Log Readers” group inside AD.
This account should be a member of the local “Administrators” Group.
Setting up the Account Privileges
User Creation
In Active Directory Users and Computers, create a new user account in the Users folder of the selected domain, e.g. ad.mycybercns.com.
Complete all the required fields, including First Name, Last Name, and User Logon Name, and then click Next.
Set the password, confirm it by re-entering it, and then click Next. Select the required password settings for the user, e.g. User must change password at next logon.
The new user is created when you click Finish, as demonstrated in the image below.
To edit the properties of the newly created user, right-click the user and select Properties, as shown below. The Properties dialog is where the user is added as a member of other groups.
To add the created user to a new group, click on the Add button within the Member Of section.
To make this user a member of the Event Log Readers group, which grants the right to read the generated event logs, choose Event Log Readers from the list and then click OK.
The Event Log Readers group now appears in the Member Of section alongside Domain Users for the created user, as illustrated below.
Manual Method
On the target system, type MMC in the Run dialog and click OK to open the Microsoft Management Console, where the Local Users and Groups snap-in is used to add this user to a local group.
In the File menu, click Add/Remove Snap-in.
Select Local Users and Groups from the Available snap-ins list, and then click OK.
Choose the computer that this snap-in will manage: Local computer or Another computer. Only one computer can be selected at a time.
Select Local computer or Another computer from the list and click OK.
Enter the name of the computer and click Finish.
The console then shows the Groups page.
Right-click Administrators and select Properties.
On the General tab, click Add. Enter the object name (the user logon name, which has the form of an email address) that was set when the user was created, then click OK.
This makes the created user a local administrator on that system.
Automated Method
Once the user is created, the script below applies the user's group memberships on all the targeted machines.
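As an added example (not the script referenced by this article), the following PowerShell grants exactly the two memberships described above: Event Log Readers in AD, and the local Administrators group on every target computer, then reports any target where the local right was not confirmed. The domain name, the account name cybercns-audit, and the target list file C:\Temp\targets.txt are assumed placeholders.

```powershell
# Added example, not the script referenced by the article. Assumed placeholders:
# the domain is ad.mycybercns.com, the audit account's sAMAccountName is
# "cybercns-audit", and C:\Temp\targets.txt lists one target hostname per line.
# Requires the RSAT ActiveDirectory module locally, PowerShell Remoting (WinRM)
# on the targets, and a caller who can manage AD group membership and is
# already a local administrator on the targets.

$Domain      = 'ad.mycybercns.com'                        # assumed
$AccountName = 'cybercns-audit'                           # assumed
$Targets     = Get-Content -Path 'C:\Temp\targets.txt'    # assumed

Import-Module ActiveDirectory

# Step 1 (domain-level right, done once): membership of "Event Log Readers".
Add-ADGroupMember -Identity 'Event Log Readers' -Members $AccountName

# Local group members are reported as NETBIOS\user, so resolve the NetBIOS name.
$NetBios       = (Get-ADDomain -Identity $Domain).NetBIOSName
$DomainAccount = "$NetBios\$AccountName"

# Step 2 (local right, per target): membership of the local Administrators group.
$Results = Invoke-Command -ComputerName $Targets -ArgumentList $DomainAccount -ScriptBlock {
    param($Account)
    # Idempotent: only add the account if it is not already a member.
    $Existing = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq $Account }
    if (-not $Existing) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Account
    }
    # Re-read membership and return the verified state to the caller.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        IsMember = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                          Where-Object { $_.Name -eq $Account })
    }
} -ErrorAction Continue

# Step 3: report per target, and flag any machine where the right was not granted.
$Results | Sort-Object Computer | Format-Table Computer, IsMember -AutoSize
$Results | Where-Object { -not $_.IsMember } |
    ForEach-Object { Write-Warning "Not a local administrator on $($_.Computer)" }
```

Targets that are offline or reject the remoting session are absent from the report rather than shown as IsMember = False, so compare the reported computers against the input list as well.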
This completes the Active Directory Least Privileges document.