Summary
What are the minimum privileges needed for the AD agent?

Overview
- The Exinda Active Directory Connector requires .NET Framework 4.0.
- Logon Auditing must be enabled on the Active Directory server to install the Exinda Active Directory Connector.
- The WMI service must be started on the Active Directory server and on the server where the Exinda Active Directory Connector is installed.
- When installed on a DC, the agent needs access to the Windows Logon Auditing events: Event Viewer --> Windows Logs --> Security --> Filter Event ID 4624 (4624 is a successful logon; note that 4626 is a failed logon attempt)
... The default account used under Services, in the Exinda AD service properties, is the Local System account.
The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects.
The LocalSystem account has the following privileges:
- Ensure port 8015 is open on any firewall between the devices
- The account supplied when setting up the AD connector must be an administrator account that can access the Windows Logon Auditing events. A Domain Admin account is recommended.
Note: As per Microsoft requirements, you need admin rights to read the event log.
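
The prerequisites above can be verified before installation with a short preflight script. This is an added example, not Exinda's own tooling. It assumes an elevated PowerShell session, English-language `auditpol` output, a placeholder appliance address, that the connector initiates the connection to the appliance on port 8015, and that the service display name contains "Exinda".

```powershell
# Added example: preflight check for the connector prerequisites listed above.
param(
    # Hypothetical placeholder: address of the Exinda appliance.
    [string]$ApplianceAddress = 'exinda.example.internal'
)

$results = [ordered]@{}

# .NET Framework 4.x: the v4\Full key carries Install = 1 when it is present.
$net = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework 4.x installed'] = ($net.Install -eq 1)

# The WMI service (service name Winmgmt) must be started.
$results['WMI service running'] = ((Get-Service -Name Winmgmt).Status -eq 'Running')

# Logon auditing: the Logon subcategory must audit Success for 4624 to be written.
# Assumes English auditpol output ("Success", "Success and Failure").
$audit = auditpol /get /subcategory:"Logon" 2>$null
$results['Logon auditing (Success) enabled'] = [bool]($audit -match 'Success')

# The current account must be able to read event 4624 from the Security log.
try {
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 -ErrorAction Stop
    $results['Can read event 4624'] = [bool]$evt
} catch {
    $results['Can read event 4624'] = $false
}

# Port 8015 must be open on every firewall between the devices.
# Assumption: the connector connects to the appliance on this port.
$tcp = Test-NetConnection -ComputerName $ApplianceAddress -Port 8015 -WarningAction SilentlyContinue
$results['TCP 8015 reachable'] = $tcp.TcpTestSucceeded

# Report the logon account of the connector service (Local System by default).
# Assumption: the service display name contains "Exinda".
$svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Exinda%'"
$results['Service logon account'] = if ($svc) { $svc.StartName -join ', ' } else { 'service not installed' }

# Print one line per check.
$results.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }
```

Run it once on the Active Directory server and once on the server hosting the connector, since the WMI requirement applies to both.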