Active Directory Least Privileges
The purpose of this document is to detail the minimum rights and privileges required to configure the Auditing components, and the steps needed to complete that configuration successfully.
Minimum Rights Required
A Domain User Account.
This account should be a member of the “Event Log Readers” group inside AD.
This account should be a member of the local “Administrators” Group.
After the user has been created, the account privileges can be set up in one of two ways: manually, or with an automated script.
User creation
In Active Directory Users and Computers, create a new user account in the Users folder of the selected domain, e.g. ad.mycybercns.com.
Fill in all the required fields, including First Name, Last Name and User Logon Name, then click Next.
Set the password, confirm it by re-entering it, select the required password settings (e.g. User must change password at next logon), and then click Next.
Upon clicking Finish, the new user is created, as shown in the image below.
To edit the properties of the newly created user, right-click the user and select Properties, as shown below. The Properties dialog is where the user is added to groups.
To add the created user to a group, click Add on the Member Of tab.
To make this user a member of the Event Log Readers group, which grants the right to read the generated event logs, choose Event Log Readers from the list and click OK.
Event Log Readers is now listed on the Member Of tab alongside Domain Users for the created user, as illustrated below.
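The same user-creation and group-membership steps can be done from PowerShell with the ActiveDirectory module (RSAT). The script below is an added example and is not part of the original document; the domain ad.mycybercns.com comes from the page, while the account name svc-probe, the display name and the Users container path are placeholders to replace with your own values.

```powershell
# Added example, not part of the original document: the "User creation" steps
# above done with the ActiveDirectory PowerShell module instead of the GUI.
# Domain ad.mycybercns.com is from the page; svc-probe, the display name and
# the Users container path are placeholders.
Import-Module ActiveDirectory

$Domain  = 'ad.mycybercns.com'                     # from the document
$SamName = 'svc-probe'                             # placeholder account name
$Upn     = "$SamName@$Domain"                      # the "User Logon Name" field
$UsersOu = 'CN=Users,DC=ad,DC=mycybercns,DC=com'   # the default Users container

# Prompt for the password instead of embedding it in the script.
$Password = Read-Host -Prompt "Password for $Upn" -AsSecureString

# Idempotent: create the account only if it does not exist yet.
$user = Get-ADUser -Filter "SamAccountName -eq '$SamName'"
if (-not $user) {
    $newUser = @{
        Name                  = 'Probe Agent'       # placeholder display name
        GivenName             = 'Probe'
        Surname               = 'Agent'
        SamAccountName        = $SamName
        UserPrincipalName     = $Upn
        Path                  = $UsersOu
        AccountPassword       = $Password
        Enabled               = $true
        # An unattended scanner cannot answer a change-password prompt, so the
        # "User must change password at next logon" option is left off here.
        ChangePasswordAtLogon = $false
        PassThru              = $true
    }
    $user = New-ADUser @newUser
}

# Add the account to Event Log Readers, again only if it is not already a member.
$Group   = 'Event Log Readers'
$members = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $SamName) {
    Add-ADGroupMember -Identity $Group -Members $user
}

# Check: the account should now list only Domain Users and Event Log Readers.
Get-ADPrincipalGroupMembership -Identity $SamName | Select-Object -ExpandProperty Name
```

Run it on a host with RSAT as an account allowed to create users in the chosen container. The final Get-ADPrincipalGroupMembership call is the check: any group beyond Domain Users and Event Log Readers means the account has more than the minimum rights this document describes.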
Manual Method
The created user must be added to every system on the network that the Probe Agent will scan, because the agent uses these credentials to log in to remote systems. The steps below are to be run on all systems that will be scanned by the Probe Agent.
To enable remote admin share (admin$) access, ensure that the user is a member of the local "Administrators" group, which has the privileges needed to access administrative shares remotely.
On the target system, type MMC in the Run dialog and click OK; the Local Users and Groups snap-in is used to add this user.
Click Add/Remove Snap-in in the File menu.
Select Local Users and Groups in the Available snap-ins section and click OK.
Choose the computer this snap-in will manage: Local computer or Another computer. Only one computer can be selected at a time.
Select Local computer or Another computer and click OK.
Enter the name of the computer and click Finish.
MMC then opens the Groups page.
Right-click Administrators and select Properties.
On the General tab, click Add, enter the object name (the user logon name, in email form, used when the user was created) and click OK.
This makes the created user a local administrator on that system.
Automated Method
The created user must be a member of the local Administrators group on the target systems. To do this with an automated method, use the PowerShell script below.
Change the example domain name and user name shown in the PowerShell script to your own values.
Once the user has been created, the script below applies the user's group membership on all targeted machines.
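The script below is an added example and is not the script referenced by the original document. It adds the domain account to the local Administrators group on each target and then verifies the membership on each host. It assumes that the domain ad.mycybercns.com from the page has the NetBIOS name AD, that svc-probe and the computer names are placeholders, that PowerShell remoting (WinRM) is enabled on the targets, and that the session running it is already a local administrator on every target, since only an administrator can change that group.

```powershell
# Added example, not the document's own script: add the domain account to the
# local Administrators group on every system the Probe Agent will scan, then
# verify the result per host. AD (NetBIOS name for ad.mycybercns.com), svc-probe
# and the computer names are placeholders; PowerShell remoting must be enabled.
$DomainNetbios = 'AD'                                      # placeholder NetBIOS name
$SamName       = 'svc-probe'                               # placeholder account name
$Member        = "$DomainNetbios\$SamName"
$Targets       = @('SRV-FILE01', 'SRV-APP01', 'WKS-0042')  # placeholder computer names

$results = Invoke-Command -ComputerName $Targets -ErrorAction Continue -ArgumentList $Member -ScriptBlock {
    param([string]$Member)
    $Group = 'Administrators'

    # Membership check. Get-LocalGroupMember throws on hosts whose group holds
    # orphaned SIDs, so fall back to parsing net.exe output in that case.
    function Test-Membership {
        try {
            $current = Get-LocalGroupMember -Group $Group -ErrorAction Stop |
                       Select-Object -ExpandProperty Name
        } catch {
            $current = (& net.exe localgroup $Group) | ForEach-Object { $_.Trim() }
        }
        return ($current -contains $Member)
    }

    # Idempotent: only add the account when it is not already a member.
    $already = Test-Membership
    if (-not $already) {
        Add-LocalGroupMember -Group $Group -Member $Member -ErrorAction Stop
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $Member
        Added    = -not $already        # $true when this run made the change
        Verified = Test-Membership      # $true when the account is now a member
    }
}

# Hosts that were unreachable are reported as errors above and are absent from
# this table; re-run the script against them once remoting is available.
$results | Sort-Object Computer | Format-Table Computer, Member, Added, Verified -AutoSize
```

The Verified column is the check to keep: a host that shows Verified = False after the run did not accept the change and the Probe Agent will not be able to use the admin$ share there.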
This completes the Active Directory Least Privileges document.