What are the permissions requirements of the service account used by GPG? (NETIQKB56058)

  • 7756058
  • 02-Feb-2007
  • 15-Mar-2013

Environment

NetIQ Group Policy Guardian 1.6
NetIQ Group Policy Guardian 2.0
NetIQ Group Policy Guardian 2.0 SP1

Resolution

Domain Account Requirements for a Trial Installation

GPG requires one domain account that serves both as the reporting account and as the service account under which GPG runs. In addition, the user account used to install GPG must have SA (sysadmin) privileges in Microsoft SQL Server.

Trial User Account

The service account runs the GPG Server and Collector services. It requires local administrator privileges to read the local Windows event logs. The GPG Collector must also read the Security logs on the remote domain controllers, and the GPG Server must query Active Directory for current GPO information, so the service account needs read access to Active Directory. Finally, the service account is granted access to the GPG Database, because the GPG Server reads and writes database information. Add the service account to the local Administrators group and to the Domain Admins security group to obtain these privileges. The Local System account cannot be used as the GPG service account. In a trial installation this account also serves as the reporting account: Microsoft IIS is configured during installation to run GPG Reporting under it.

Requirements:

  • Domain account
  • Local administrator privileges on the GPG computer
  • Domain administrator privileges

Database SA Privileges

Installing the GPG components creates the GPG Database and grants privileges in it, which requires server-level administrative rights in SQL Server.

Requirements:

  • Installation user must have SA (sysadmin) privileges on the SQL Server instance that hosts the GPG Database

Domain Account Requirements for a Production Installation

GPG requires domain accounts for reporting and for the service account under which the GPG Server and Collectors run (normally two separate accounts; see the warning below). In addition, the user account used to install GPG must have SA (sysadmin) privileges in Microsoft SQL Server and must be able to authenticate to SQL Server with Windows authentication, which requires that its domain be the domain of the SQL Server or one trusted by it, to complete the installation.

Warning:  Although the same account can be used both for reporting and as the service account, this is not recommended for production environments. Sharing the account makes auditing harder, because actions of the IIS-hosted Reporting site and of the Server and Collector services become indistinguishable in the logs, and it violates the principle of least privilege: Reporting does not need the administrator privileges the service account requires, so a compromise of the web-facing Reporting component under a shared account would otherwise yield those privileges.

Service Account

The service account runs the GPG Server and Collector services. It requires local administrator privileges to read the local Windows event logs. The GPG Collector must also read the Security logs on the remote domain controllers, and the GPG Server must query Active Directory for current GPO information, so the service account needs read access to Active Directory and to the SYSVOL share on the remote domain controllers. Finally, the service account is granted access to the GPG Database, because the GPG Server reads and writes database information. The account also needs the Log on as a service right on each GPG Server and Collector computer; grant it through Group Policy rather than only in the computer's local security policy, because a GPO that defines a user right replaces the local assignment instead of merging with it, so a local-only grant can be silently overwritten. Add the service account to the local Administrators group on each GPG computer and to the Domain Admins security group to obtain the remaining privileges. The Local System account cannot be used as the GPG service account.

Requirements:

  • Domain account
  • Log on as a service privilege
  • Local administrator privileges on GPG Server and Collector computers
  • Domain administrator privileges
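The following script checks a proposed service account against the requirements listed above (domain account, Domain Admins membership, local Administrators and Log on as a service on each GPG computer, and read access to the Security log and SYSVOL on every domain controller). It is an added example and not part of the NetIQ article or the GPG product; the trial account is covered by the same checks. It assumes a workstation with the RSAT ActiveDirectory module, PowerShell remoting to the GPG computers and remote event log access to the domain controllers; the account, host and domain names are placeholders.

```powershell
# Added example, not NetIQ's own code: checks a proposed GPG service account
# against the requirements listed above. Names below are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]   $ServiceAccount    = 'CORP\svc-gpg',            # assumed: DOMAIN\sAMAccountName
    [string[]] $GpgComputers      = @('GPGSRV01', 'GPGCOL01'), # assumed GPG Server and Collector hosts
    [string[]] $DomainControllers = @()                        # empty = every DC in the domain
)
if (-not $DomainControllers) {
    $DomainControllers = Get-ADDomainController -Filter * | ForEach-Object HostName
}
$sam  = $ServiceAccount.Split('\')[-1]
$user = Get-ADUser -Identity $sam -ErrorAction Stop   # fails unless it is a domain account
$sid  = $user.SID.Value
$checks = @()
function Add-Check([string]$Name, [bool]$Passed) {
    $script:checks += [pscustomobject]@{ Check = $Name; Passed = $Passed }
}

# Domain administrator privileges: direct or nested membership in Domain Admins.
$da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object { $_.SID.Value -eq $sid }
Add-Check 'Member of Domain Admins' ([bool]$da)

foreach ($c in $GpgComputers) {
    # Local administrator privileges. Domain Admins is a member of the local
    # Administrators group by default, so either form of membership counts.
    $localAdmins = Invoke-Command -ComputerName $c -ScriptBlock { net localgroup Administrators }
    $direct = $localAdmins -match ('^' + [regex]::Escape($ServiceAccount) + '\s*$')
    Add-Check "Local Administrators on $c" ([bool]$direct -or [bool]$da)

    # Log on as a service: export the effective local policy and read SeServiceLogonRight.
    $line = Invoke-Command -ComputerName $c -ScriptBlock {
        $inf = Join-Path $env:TEMP 'gpg-rights.inf'
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $hit = Select-String -Path $inf -Pattern '^SeServiceLogonRight' | Select-Object -First 1
        Remove-Item $inf -ErrorAction SilentlyContinue
        if ($hit) { $hit.Line } else { 'SeServiceLogonRight =' }
    }
    # secedit lists SIDs as *S-1-5-... and some accounts by name; compare entries exactly.
    $entries = ($line -split '=', 2)[-1] -split ',' | ForEach-Object { $_.Trim() }
    Add-Check "Log on as a service on $c" (($entries -contains "*$sid") -or ($entries -contains $ServiceAccount) -or ($entries -contains $sam))
}

# Security log and SYSVOL on the domain controllers are tested as the service
# account itself, so its password is prompted for once.
$cred = Get-Credential -UserName $ServiceAccount -Message 'GPG service account password'
foreach ($dc in $DomainControllers) {
    $ok = $false
    try {
        $null = Get-WinEvent -ComputerName $dc -LogName Security -MaxEvents 1 -Credential $cred -ErrorAction Stop
        $ok = $true
    } catch { }
    Add-Check "Read Security log on $dc" $ok

    $ok = $false
    try {
        $null = New-PSDrive -Name GpgSysvol -PSProvider FileSystem -Root "\\$dc\SYSVOL" -Credential $cred -ErrorAction Stop
        $null = Get-ChildItem 'GpgSysvol:\' -ErrorAction Stop
        $ok = $true
    } catch { } finally { Remove-PSDrive -Name GpgSysvol -ErrorAction SilentlyContinue }
    Add-Check "Read SYSVOL on $dc" $ok
}

$checks | Format-Table -AutoSize
if ($checks.Passed -contains $false) {
    Write-Warning "$ServiceAccount does not meet every GPG service account requirement."
} else {
    Write-Host "$ServiceAccount meets the GPG service account requirements."
}
```

Run it before installation and again after any change to the user rights GPO; a failed "Log on as a service" line after a passing one usually means a GPO that defines that right was applied and replaced the local assignment.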

Database SA Privileges

Installing the GPG components creates the GPG Database and grants privileges in it, which requires server-level administrative rights in SQL Server.

Requirements:

  • Installation user must have SA (sysadmin) privileges on the SQL Server instance that hosts the GPG Database

Reporting Account

During installation, you specify the reporting account under which Microsoft IIS runs GPG Reporting. This account is also granted access to the GPG Database in Microsoft SQL Server, since reports must read the database.

Requirements:

  • Domain account
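The script below covers the two SQL Server points in this article, the SA (sysadmin) requirement for the installing user and the database access granted to the service and reporting accounts. It is an added example and not NetIQ's code: the GPG installer performs its own grants, so the GRANT section illustrates what "granted access" amounts to with the service account reading and writing and the reporting account reading only, in keeping with the warning above. The instance, database and account names and the fixed database roles chosen are assumptions; it uses only System.Data.SqlClient, which ships with Windows PowerShell, and runs as the installing user with Windows authentication.

```powershell
# Added example, not NetIQ's own code. Run as the user who will install GPG.
# Verifies the sysadmin requirement, then (with -Apply) grants the two
# accounts access to the GPG Database. All names below are placeholders.
param(
    [string] $SqlInstance      = 'SQLSRV01',         # assumed SQL Server instance
    [string] $Database         = 'GPG',              # assumed GPG Database name
    [string] $ServiceAccount   = 'CORP\svc-gpg',     # assumed service account (read/write)
    [string] $ReportingAccount = 'CORP\svc-gpg-rpt', # assumed separate reporting account (read only)
    [switch] $Apply                                  # without -Apply, only show the T-SQL
)
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Database=master;Integrated Security=SSPI")
$conn.Open()
function Invoke-Scalar([string]$Sql)   { $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql; $cmd.ExecuteScalar() }
function Invoke-NonQuery([string]$Sql) { $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql; [void]$cmd.ExecuteNonQuery() }
function Quote-Ident([string]$Name)    { '[' + $Name.Replace(']', ']]') + ']' }   # T-SQL bracket identifier
function Quote-Str([string]$Value)     { "N'" + $Value.Replace("'", "''") + "'" } # T-SQL string literal

# 1. The installing user must hold the sysadmin server role ("SA privileges").
$installer = Invoke-Scalar 'SELECT SUSER_SNAME()'
if ([int](Invoke-Scalar "SELECT IS_SRVROLEMEMBER('sysadmin')") -ne 1) {
    $conn.Close()
    throw "$installer is not a member of the sysadmin server role on $SqlInstance; GPG installation requires it."
}
Write-Host "$installer holds sysadmin on $SqlInstance."

# 2. Database access: roles are an assumption about what "granted access" means.
$plan = @(
    @{ Account = $ServiceAccount;   Roles = 'db_datareader', 'db_datawriter' },
    @{ Account = $ReportingAccount; Roles = 'db_datareader' }
)
$sql = @()
foreach ($p in $plan) {
    $login = Quote-Ident $p.Account
    $name  = Quote-Str  $p.Account
    $sql += "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $name) CREATE LOGIN $login FROM WINDOWS;"
    $sql += "USE $(Quote-Ident $Database);"
    $sql += "IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $name) CREATE USER $login FOR LOGIN $login;"
    # sp_addrolemember works on every SQL Server version of the GPG era; ALTER ROLE ... ADD MEMBER is the 2012+ form.
    foreach ($r in $p.Roles) { $sql += "EXEC sp_addrolemember $(Quote-Str $r), $name;" }
}
$batch = $sql -join "`n"
if ($Apply) {
    Invoke-NonQuery $batch
    Write-Host "Access granted in $Database."
} else {
    Write-Host "T-SQL that would run (re-run with -Apply to execute):`n$batch"
}

# 3. Report the resulting role membership of both accounts.
$cmd = $conn.CreateCommand()
$cmd.CommandText = @"
USE $(Quote-Ident $Database);
SELECT m.name AS Account, r.name AS Role
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name IN ($(Quote-Str $ServiceAccount), $(Quote-Str $ReportingAccount));
"@
$reader = $cmd.ExecuteReader()
while ($reader.Read()) { '{0,-30} {1}' -f $reader['Account'], $reader['Role'] }
$reader.Close()
$conn.Close()
```

The account names are bracket- and string-quoted before being placed in the batch so that a name containing a quote or bracket cannot break out of the statement; run without -Apply first to review the generated T-SQL.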


Additional Information

Formerly known as NETIQKB56058