What are the permissions requirements of the service account used by GPG? (NETIQKB56058)

  • 7756058
  • 02-Feb-2007
  • 15-Mar-2013

Environment

NetIQ Group Policy Guardian 1.6
NetIQ Group Policy Guardian 2.0
NetIQ Group Policy Guardian 2.0 SP1

Resolution

goal
What are the permissions requirements of the service account used by GPG?

fact
NetIQ Group Policy Guardian 1.6

fact
NetIQ Group Policy Guardian 2.0

fact
NetIQ Group Policy Guardian 2.0 SP1

fix

Domain Account Requirements for a Trial Installation

GPG requires one domain account for reporting and for the service account under which GPG runs.  In addition, the user account used to install GPG must have SA privileges in Microsoft SQL Server.

Trial User Account

The service account runs the GPG Server and Collector services. This account requires local administrator privileges to access the local Windows event logs. In addition, the GPG Collector must access remote Security Logs on the domain controllers, and the GPG Server must query Active Directory for current GPO information, so the service account must have read privileges on Active Directory. Finally, the service account will be granted access to the GPG Database since the GPG Server must read and write database information. Add the service account to the Administrators and Domain Administrators security groups to get the appropriate privileges for this account. The Local System account cannot be used as the GPG service account. Microsoft IIS will also be configured during installation to run GPG Reporting under this account.

Requirements:

  • Domain account
  • Local administrator privileges on the GPG computer
  • Domain administrator privileges

Database SA Privileges

Installation of various components requires granting of privileges for the GPG Database.

Requirements:

  • Installation user must have SA privileges in the GPG Database

Domain Account Requirements for a Production Installation

GPG requires one domain account for reporting and for the service account under which the GPG Server and Collectors run.  In addition, the user account used to install GPG must have SA privileges in Microsoft SQL Server and have trusted access to the Microsoft SQL Server domain to complete the installation.

Warning:  Although the same account can be used for reporting as well as for the service account, it is not recommended for production environments. Using the same account makes auditing more difficult and violates the security principle of least privilege. Reporting does not need to run under the various administrator privileges required by the service account.

Service Account

The service account runs the GPG Server and Collector services. This account requires local administrator privileges to access the local Windows event logs. In addition, the GPG Collector must access remote Security Logs on the domain controllers, and the GPG Server must query Active Directory for current GPO information, so the service account must have read privileges on Active Directory and on the SYSVOL share of the remote domain controllers. Finally, the service account will be granted access to the GPG Database since the GPG Server must read and write database information. You can add the Log on as a service privilege to the local policy for the computer using a group policy to avoid overriding other local policy settings. Add the service account to the Administrators and Domain Administrators security groups to get the appropriate privileges for this account. The Local System account cannot be used as the GPG service account.

Requirements:

  • Domain account
  • Log on as a service privilege
  • Local administrator privileges on GPG Server and Collector computers
  • Domain administrator privileges

Database SA Privileges

Installation of various components requires granting of privileges for the GPG Database.

Requirements:

  • Installation user must have SA privileges in the GPG Database

Reporting Account

During installation, you specify the reporting account under which Microsoft IIS will run .
GPG Reporting. This account will also be granted access to the GPG Database in Microsoft SQL Server, since reports must access the database.

Requirements:

  • Domain account

 

Additional Information

Formerly known as NETIQKB56058

Feedback service temporarily unavailable. For content questions or problems, please contact Support.