Agentless Windows without Domain Admin Account

Discussion created by RSA Admin Employee on Sep 5, 2010
Latest reply on Jun 13, 2012 by RSA Admin

Follow these instructions for configuring a non-domain-administrator account using GPO to collect Windows Event Logs agentlessly:

1)      Create a Windows account in the domain from which envision needs to read event logs.  This account will be referred to as the “service account” in future steps.

2)      Make the service account a member of the Domain Users group (done by default when an account is created).

3)      Create one or more security groups (Active Directory groups) that will be used to delegate event log access.  These groups need to be created in the same domain as the service account.

4)      Make the service account a member of the newly created group(s).

5)      Grant the group(s) created above Read Only access to the appropriate event logs on all servers.  At Devon we chose to do the following to accomplish this:

a.       Create a Group Policy Object (GPO) in Active Directory that contains event log delegation settings.  We followed directions in the Microsoft article listed below to modify the settings of the GPO.  The specific sections of this article we used are “Use Group Policy to Set Your Application and System Log Security for a Domain, Site, or Organizational Unit in Active Directory” and “Use Group Policy to Set Your Application and System Log Security”.  GPO settings article: http://support.microsoft.com/kb/323076.  We also used the following article to generate the appropriate SDDL format for the GPO settings.  http://msdn2.microsoft.com/en-us/library/aa379570.aspx.  Notice that this format ONLY accepts the SID of a security principal. 

b.      Apply this GPO to the appropriate OUs in Active Directory.  We applied the GPO to the root-level server OUs so all Windows servers in the selected domain receive the settings.

c.       Refresh GPO on all servers (happens every 90 minutes automatically by default).

d.      Test accessing event logs with the service account.  Because the service account is a member of the newly created Active Directory group and the group has been delegated read access to event logs, the account was able to successfully read the logs.


6)      Make configuration changes in envision to have the application use the newly created service account credentials to connect to servers in the specified domain.

These steps must be executed for each domain that requires envision to have server event log access.
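As an added example (not from the original post), the PowerShell below builds the read-only SDDL entry that step 5a needs for one event log. The domain `CORP`, the group `EventLogReaders` and the `Application` log are assumed placeholders; the script resolves the group to its SID (the only form the CustomSD value accepts), appends an allow ACE carrying only the event-log read bit, and then parses the result to confirm the group received read access and nothing more.

```powershell
# Added example: build and verify a read-only CustomSD entry for an event log.
# Assumed placeholders: domain CORP, group EventLogReaders, log "Application".
$Domain  = 'CORP'
$Group   = 'EventLogReaders'
$LogName = 'Application'

# Event log access mask bits: 0x1 read, 0x2 write, 0x4 clear.
$ReadOnly = 0x1

# CustomSD only accepts a SID, never an account name, so resolve the group first.
$account = New-Object System.Security.Principal.NTAccount($Domain, $Group)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Start from the log's current CustomSD if one is already set on this host,
# otherwise from a constructed baseline (LocalSystem full, Administrators full).
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
$current = (Get-ItemProperty -Path $regPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $current) { $current = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)' }

# Append an allow ACE that grants only the read bit to the group's SID.
$ace     = "(A;;0x$('{0:x}' -f $ReadOnly);;;$sid)"
$newSddl = $current + $ace

# Validate: parse the SDDL and confirm the group appears exactly once, read-only.
$sd        = New-Object System.Security.AccessControl.RawSecurityDescriptor($newSddl)
$groupAces = @($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier.Value -eq $sid })
if ($groupAces.Count -ne 1) {
    throw "Expected one ACE for $Group, found $($groupAces.Count) (already delegated?)"
}
$ace0 = $groupAces[0]
if ($ace0.AceType -ne 'AccessAllowed' -or $ace0.AccessMask -ne $ReadOnly) {
    throw "ACE for $Group is not read-only: type=$($ace0.AceType) mask=0x$('{0:x}' -f $ace0.AccessMask)"
}

# This string is the value to place in the GPO's CustomSD setting for $LogName.
$newSddl
```

If the group is already present in the existing descriptor the script stops rather than adding a second ACE, so re-running it on a host that already received the GPO is safe.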

Just as a note: the service account was NOT given any of the following access rights to servers:

  • Local administrative access
  • Domain Admin access
  • Remote registry access
