Active Directory Monitoring Credentials

A question to those using the AD templates in SAM...

I am trying to set up SAM to monitor my 2008 ADDCs.  What rights are needed on the DCs to utilize these templates?  The template doc says to give Administrator rights, but I do not want to do this on my DCs.  Has anyone else implemented without giving full administrative access?

All input is appreciated.

Thanks!

8 Replies

Please mark this issue as ANSWERED!!! AS I USED THE INFORMATION ABOVE TO MAKE IT WORK.  SO TO EVERYONE THAT CONTRIBUTED ABOVE - A BIG THANK YOU!!!

After taking the info above, I created a doc to make it a little easier to instruct a user... the last NOTE, "Not all services are accessible by authenticated users through remote connections", should be taken into account.

Active Directory Account:

Membership:

     Domain users

     Distributed COM Users

     Performance Monitor Users

Client Settings (Server)

     Add the domain account created above to:

     Distributed COM Users

     Performance Monitor Users

     Users

On the Server, run MMC - add Snap-in - right click on WMI Control (Local) and select Properties

     Go to the security tab and add the domain account that you created:


Give it Enable Account, and Remote Enable.

On the Server, start the DCOM configuration console (at a command prompt type: dcomcnfg.exe) and grant the following permissions:


You will Edit Limits for both Access Permissions and Launch and Activate Permissions:


Still on the Server: to allow the domain account that you created to access the Win32_Service object remotely, you must grant additional permissions to the authenticated user:

Launch a command prompt:


Here is the information and "text" behind the step above; copy and paste from the text below:

To allow the user created in step 1 (e.g., SAMuser) to access the Win32_Service object remotely, you must grant additional permissions to the authenticated user:

  1. In a command window, type: Sc sdshow scmanager.
    The output should look like this:
    D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
  2. Change the first section from (A;;CC;;;AU) to (A;;CCLCRPRC;;;AU). This change adds the following permissions to the authenticated user:
    • LC = ADS_RIGHT_ACTRL_DS_LIST
    • RP = ADS_RIGHT_DS_READ_PROP
    • RC = READ_CONTROL
  3. Set the security permission (copy and paste the line below):
    Sc sdset scmanager D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

LAST STEP: restart (or start) the Remote Registry service (Services on the server).

If you have multiple domains, you will need to create a domain account for each domain.

NOTE:

  1. Not all services are accessible by authenticated users through remote connection. The last step to enable a non-administrator user to be able to monitor them is to adapt the non-admin user's security permissions on the remote machine. To do so:
     a. Log on to the remote machine.
     b. In a command window, type:
        Sc sdshow <servicename>
        The output should look like this:
        D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
     c. To have more control over this, copy this string into a text editor such as Notepad.
     d. In the command window, type:
        whoami /USER /FO LIST
        User information is returned, including the user name and SID.
     e. In the text editor, use this SID to construct a new permission section (where x = the SID):
        (A;;LC;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)
     f. Add it to the D: section of the service permission string you copied earlier:
        D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  2. Enter the following into the command window:
     Sc sdset <servicename> D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
     Note: The proper syntax is "sc sdset <service> <security>" and you should run this command for each service that is not affected by the previous steps.
0 Kudos
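As an added example that is not part of the original post or of SolarWinds' KB, here is the same SDDL edit scripted so that the extra rights go to the monitoring account's own SID instead of to every authenticated user. The (A;;CC;;;AU) -> (A;;CCLCRPRC;;;AU) change in the post widens the Service Control Manager for all authenticated users on the DC; a per-SID ACE gives the same bits to one account (on the scmanager object LC = SC_MANAGER_ENUMERATE_SERVICE, RP = SC_MANAGER_QUERY_LOCK_STATUS, RC = READ_CONTROL; on a service object LC = SERVICE_QUERY_STATUS, which is all a poller needs). The script resolves the SID by name rather than logging on as the account and running whoami, prints the old and new descriptor and only writes it when -Apply is given, and decodes the resulting DACL so the change can be checked. The account CONTOSO\SAMuser and the service W32Time are placeholders I chose; run it from an elevated PowerShell on the server being monitored.

```powershell
<#
  Added example (not from the original post or SolarWinds): SID-scoped, dry-run-by-default
  version of the "sc sdshow / sc sdset" steps. Assumptions (hypothetical): the monitoring
  account is CONTOSO\SAMuser, W32Time is a service that still fails after the SCM change,
  and the script runs in an elevated PowerShell on the target server with sc.exe on PATH.
#>
param(
    [string]   $Account  = 'CONTOSO\SAMuser',   # hypothetical monitoring account
    [string[]] $Services = @('W32Time'),        # placeholder: services to grant query-status on
    [switch]   $Apply                           # without -Apply only print what would change
)

# Meaning of the two-letter SDDL "specific rights" codes when the object is a service.
# On the SCM object ('scmanager') the same bits mean: CC=CONNECT, DC=CREATE_SERVICE,
# LC=ENUMERATE_SERVICE, SW=LOCK, RP=QUERY_LOCK_STATUS, WP=MODIFY_BOOT_CONFIG.
$RightNames = @{
    CC = 'QUERY_CONFIG'; DC = 'CHANGE_CONFIG'; LC = 'QUERY_STATUS'; SW = 'ENUMERATE_DEPENDENTS'
    RP = 'START'; WP = 'STOP'; DT = 'PAUSE_CONTINUE'; LO = 'INTERROGATE'; CR = 'USER_DEFINED_CONTROL'
    SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'; KA = 'ALL_ACCESS'
}

function Resolve-AccountSid([string]$Name) {
    # Resolve the SID by name instead of logging on as the account and running whoami.
    (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Get-ServiceSddl([string]$Name) {
    # In PowerShell 'sc' is an alias for Set-Content, so call sc.exe explicitly.
    $out = (& sc.exe sdshow $Name) -join ''
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $Name failed: $out" }
    $out.Trim()
}

function Split-Sddl([string]$Sddl) {
    # Separate the DACL body from the optional SACL so an ACE is only ever added to the DACL.
    $m = [regex]::Match($Sddl, '^D:(?<dacl>.*?)(?<sacl>S:.*)?$')
    if (-not $m.Success) { throw "Unexpected SDDL (no D: part): $Sddl" }
    @{ Dacl = $m.Groups['dacl'].Value; Sacl = $m.Groups['sacl'].Value }
}

function Set-ServiceAce {
    param([string]$Name, [string]$Sid, [string]$Rights)
    $sddl  = Get-ServiceSddl $Name
    $parts = Split-Sddl $sddl
    $ace   = "(A;;$Rights;;;$Sid)"
    if ($parts.Dacl.Contains($ace)) { Write-Host "[$Name] already has $ace"; return $sddl }
    # Drop any other allow ACE for this SID, then append the requested one (idempotent).
    $dacl = $parts.Dacl -replace "\(A;[A-Za-z]*;[A-Za-z0-9]*;;;$([regex]::Escape($Sid))\)", ''
    $new  = "D:$dacl$ace$($parts.Sacl)"
    Write-Host "[$Name] old: $sddl"
    Write-Host "[$Name] new: $new"
    if ($Apply) {
        & sc.exe sdset $Name $new | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc sdset $Name failed" }
    }
    $new
}

function Show-ServiceDacl([string]$Name) {
    # Human-readable view of the DACL so the result can be verified after -Apply.
    $dacl = (Split-Sddl (Get-ServiceSddl $Name)).Dacl
    $acePattern = '\((?<type>[A-Z]+);(?<flags>[A-Za-z]*);(?<rights>[A-Za-z0-9]*);;;(?<who>[^)]+)\)'
    foreach ($m in [regex]::Matches($dacl, $acePattern)) {
        $names = [regex]::Matches($m.Groups['rights'].Value, '..') | ForEach-Object {
            if ($RightNames.ContainsKey($_.Value)) { $RightNames[$_.Value] } else { $_.Value } }
        [pscustomobject]@{ Service = $Name; Type = $m.Groups['type'].Value
                           Trustee = $m.Groups['who'].Value; Rights = ($names -join ' ') }
    }
}

$sid = Resolve-AccountSid $Account
# SCM: connect + enumerate + query-lock-status + read-control for the monitoring SID only,
# instead of widening the Authenticated Users (AU) ACE for everyone.
Set-ServiceAce -Name 'scmanager' -Sid $sid -Rights 'CCLCRPRC' | Out-Null
# Individual services that still fail: query-status (LC) is all a monitor needs.
foreach ($svc in $Services) { Set-ServiceAce -Name $svc -Sid $sid -Rights 'LC' | Out-Null }
(@('scmanager') + $Services) | ForEach-Object { Show-ServiceDacl $_ } | Format-Table -AutoSize
```

Run it once without -Apply to review the old and new descriptors, then with -Apply; the printed "old" string is your backup, and "sc.exe sdset <name> <old>" reverts the change. A DACL that already contains an allow ACE for the account is left untouched, so re-running after the SolarWinds template is re-applied is safe.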

One more note to my notes above!!!

on each server, I had to add them as local administrators of the server

on domain controllers (you can't add local admins)  - do the following:

Open a command prompt using the "Run as administrator" function and then run the following command.

net localgroup Administrators /add {domain}\{user}

OH MAN - when I ran the command on the domain controller, it did add my new monitoring account, but removed it shortly thereafter....
I will post what works on the domain controllers, when it actually works right and makes it beyond the second polling!  I do apologize for the bad post!!  Keep tuned for the actual fix for domain controllers.

I have successfully "changed" 15 servers from running with my domain admin account to the new Orion account, and all is working just great.  The Orion account only has DCOM and Performance monitoring user.    I have manipulated application monitors as well without issue.

My only thorn at this time ... domain controllers... I WILL fix this as well, and I WILL post the fix.   (ALL the DC's are 2012 R2) 

0 Kudos

THANK YOU!

0 Kudos

1) The account needs to be a member of the domain group "Performance Monitor Users" and "Distributed COM Users"

2) Make sure your Solarwinds box is allowed by the Windows Firewall for WMI

3) SAM needs to be configured for WMI querying of the box.

If you're still having problems check the logs under "C:\ProgramData\SolarWinds\Logs\APM"; it should give you some clue there. If not, try manually adding the AD monitors to the DCs in SAM and it will allow you to "test" the configuration... for us, the template was failing because we are using a 3rd party DNS solution and hence don't have the DNS Server role installed on the DCs, causing the template to fail.

Product Manager

An account with adequate permissions is all that's required. Unfortunately, due to security restrictions imposed by Microsoft the only account with adequate permissions to query WMI remotely is the local or domain Administrator. You can however grant these specific privileges to a least privilege account by following the steps outlined in the following KB article.

SolarWinds Knowledge Base :: How to create a non-administrator user for APM polling.

0 Kudos

Is step 13 of that procedure really necessary? To my understanding, adding the user (service account) to the Performance Monitor Users and Distributed COM Users groups already gives the needed rights...


If it's working for you then great. I will state that actual mileage may vary. These are standard permissions required by essentially any other product that behaves similarly to SAM. Below is an example for IBM's Tivoli which states the very same requirements.

Similarly, these are the same permissions outlined by the ServerFault community.

0 Kudos