Active Directory Auditing
To collect data from Active Directory, you need an account with specific permissions. The following options are available:
Use Domain Admin Account
You can use an account from the Domain Admins group. This account inherently has all necessary permissions for data collection.
Use Non-Domain Admin Account
If using a Non-Domain Admin account, set up the account with specific permissions depending on the following aspects:
| In the target domain | Account Permission Required |
| Do you plan to use Network Traffic Compression for data processing? | If YES, account must belong to Domain Admin group. If NO, add an account to 'Manage auditing and security log' policy. See Configure the Manage Auditing and Security Log Policy for more information. |
| Do you plan to use AD Deleted Objects container for data processing? | If YES, account requires Read permission on the read container. See Granting Permissions for 'Deleted Objects' Container topic for more information. |
| Is auto-backup enabled for the domain controller event logs? | If YES, account needs the following:
|
| Is there an on-premises Exchange server in your Active Directory domain? | If YES, account needs the following:
|
Use GMSA
You can use group Managed Service Accounts (gMSA) as data collecting accounts. It should also meet the same requirements.
If you are using gMSA for data collection, consider that AAL event data collection from your on-premise Exchange server will not be possible. Thus, changes made to your Active Directory domain via that Exchange server will be reported with domain\Exchange_server_name$ instead of the initiator (user) name in the "Who" field of reports, search results and activity summaries.
For more information on gMSA, refer to Using Group Managed Service Account (gMSA) and to Microsoft documentation.