Using Identity Awareness AD Query Without Active Directory Administrator Privileges On Windows Server 2008 and Higher


Solution ID sk93938
Technical Level
Product Identity Awareness
Version R75, R76, R77, R77.10, R77.20, R77.30, R80.10, R80.20, R80.30, R80.40, R81
OS SecurePlatform 2.6, Gaia, IPSO 6.2
Platform / Model All
Date Created 01-Aug-2013

Solution
The purpose of this article is to simplify the procedure for using Identity Awareness AD Query without Active Directory Administrator privileges.
Note: If there are domain controllers running Windows Server 2003 in the domain, this article does not apply to those servers. For them, follow sk43874 - Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Server 2003 and lower.

Table of Contents:
Background
Introduction
Procedure
Notes
Related solutions
 

Background
AD Query (previously called Identity Logging) is designed to work when it is given an Active Directory domain administrator user. This is, by far, the easiest way to set it up, since members of the Administrators group are allowed to connect remotely to the computer by default. Alternatively, it can also use a non-administrator user that has been given the specific permissions described below.


Introduction
AD Query uses Windows Management Instrumentation (WMI) to query Active Directory Domain Controllers for the Security Event logs. To handle the remote calls to the Domain Controllers, AD Query uses Distributed COM (DCOM). In order to connect to a remote computer using WMI, WMI permissions must be granted, and both the DCOM settings and the WMI namespace security settings must allow the connection. Once the user/group can connect to the Domain Controller using WMI, it must also have permission to read the Security Event logs.
There are four main stages:
1. Creating a user/group and granting it DCOM permissions.
2. Giving the user/group WMI permissions.
3. Adding read permissions to the Security Event logs.
4. Configuring the user/group to be used for AD Query in the SmartDashboard.


Procedure

1. Create a user with Distributed COM and Event reading permissions

A. Create a domain user (or use an existing one). It is also possible to create a security group, add this user to the group, and apply the procedure described in this article to the group.
B. Add this user/group to the built-in domain groups: Distributed COM Users, Event Log Readers, and Server Operators.
C. Make sure that the DCOM remote launch/activation permissions and remote access permissions are granted to the Distributed COM Users group (as described in the Microsoft article Securing a Remote WMI Connection).
Make sure the user is a member of the following groups:
- Distributed COM Users
- Domain Users
- Event Log Readers
- Server Operators

2. Grant the user WMI permissions

Note: This step should be performed on each Domain Controller.


A. Run the Windows Management Instrumentation (WMI) console:
Go to Start menu - click on Run... - type wmimgmt.msc - click on OK/press Enter.
B. Right-click on WMI Control - click on Properties.
C. Go to the Security tab - expand Root.
D. Select CIMV2 - click on the Security button.
E. Add the domain user that you created to work with AD Query and grant it the Remote Enable permission.
F. Click on the Advanced button.
G. Make sure that the permissions for the domain user apply to "This namespace and subnamespaces".
H. Click on OK and close the dialogs.

3. Restart WMI service

Note: This step should be performed on each Domain Controller.

A. Run the Windows Services Manager:
Go to Start menu - click on Run... - type services.msc - click on OK/press Enter.
B. Locate the Windows Management Instrumentation service and restart it (right-click on the service - click on Restart).

4. Configure the user to be used for AD Query in the SmartDashboard

A. Create an AD user with Distributed COM and Event reading permissions.
B. Install policy to apply the change.

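As an added example (it is not part of this article or of Check Point's tooling), the following read-only PowerShell script checks on the Domain Controller where it runs whether the account meets the prerequisites of steps 1 to 3: group membership, Remote Enable on root\cimv2 with inheritance to sub-namespaces, and read access on the Security log. The account name, the use of the RSAT ActiveDirectory module, the WMI right and ACE-flag bit values and the regex over the wevtutil output are assumptions of this example.

```powershell
# Added read-only verification script; it is not part of sk93938 or of Check Point's tooling.
# Assumptions: run on the Domain Controller as an administrator, Windows PowerShell 3.0+
# with the RSAT ActiveDirectory module present, and a hypothetical account name in -User.
param([Parameter(Mandatory = $true)][string]$User)

Import-Module ActiveDirectory
$WBEM_REMOTE_ACCESS = 0x20           # WMI namespace right shown as "Remote Enable"
$CONTAINER_INHERIT  = 0x2            # AceFlags bit behind "This namespace and subnamespaces"
$EVENTLOG_READERS   = 'S-1-5-32-573' # well-known SID of the Event Log Readers group

function Show([bool]$ok, [string]$what) {
    '{0} {1}' -f $(if ($ok) { 'OK     ' } else { 'MISSING' }), $what
}

# Step 1B: membership in the three built-in groups
$groups = (Get-ADPrincipalGroupMembership -Identity $User).Name
foreach ($g in 'Distributed COM Users', 'Event Log Readers', 'Server Operators') {
    Show ($groups -contains $g) "member of $g"
}

# Steps 2E-2G: Remote Enable on root\cimv2, inherited by sub-namespaces
$sid  = (Get-ADUser -Identity $User).SID.Value
$dacl = (Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' `
             -Name GetSecurityDescriptor).Descriptor.DACL
$mask = 0; $flags = 0
foreach ($a in @($dacl | Where-Object { $_.AceType -eq 0 -and $_.Trustee.SIDString -eq $sid })) {
    $mask = $mask -bor $a.AccessMask; $flags = $flags -bor $a.AceFlags   # merge all allow ACEs
}
Show (($mask -band $WBEM_REMOTE_ACCESS) -ne 0) 'Remote Enable on root\cimv2'
Show (($flags -band $CONTAINER_INHERIT) -ne 0) 'root\cimv2 ACE applies to sub-namespaces'

# Step 1B / Notes: read right (0x1) on the Security channel, for the account or Event Log Readers
$sddl = (wevtutil gl Security | Select-String 'channelAccess:').Line -replace '.*channelAccess:\s*', ''
$readAces = [regex]::Matches($sddl, '\(A;;(0x[0-9A-Fa-f]+);;;([^)]+)\)') | Where-Object {
    (($EVENTLOG_READERS, $sid) -contains $_.Groups[2].Value) -and
    (([int]($_.Groups[1].Value) -band 0x1) -ne 0)
}
Show (@($readAces).Count -gt 0) 'read access on the Security event log'
```

Run it once per Domain Controller, since the WMI namespace security and the event log ACLs in steps 2 and 3 are set on each server separately.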

Notes
If you need the selected user to be able to reset passwords, delegate the following task to that user on the Windows Server:

Delegate 1 Task - Reset user passwords and force password change at next logon

See KB296999 - Minimum permissions are needed for a delegated administrator to force password change at next logon procedure.
In some setups, the procedure above may not work because installed software impacts the user permissions (e.g., the ThinPrint Diagnostic utility installed by VMware Tools). In such a case, follow this procedure:

A. Open a privileged Windows Command Prompt (As Administrator).
B. Check whether ThinPrint Diagnostic appears in the list of event publishers using the Windows Events Command Line Utility:
wevtutil el | findstr /I /C:"ThinPrint Diagnostic"
C. If "ThinPrint Diagnostic" indeed appears in the list of event publishers, then follow these steps:
a. Download this AD Query Permissions script
b. Unpack the ZIP archive to extract the PowerShell script file - adq_permissions.ps1
c. Put adq_permissions.ps1 in the root of disk C:\ on the Domain Controller machine
d. Open a privileged Windows Command Prompt (As Administrator)
e. Run the PowerShell script:

powershell C:\adq_permissions.ps1 /U=username /C > C:\wevtutil_commands.txt

Notes:
The PowerShell script prints (without applying them) the commands that grant read permissions for all Event Log folders.
The /C switch prints the commands without executing them, in a form that is ready for copy-and-paste into the Command Prompt.
That way it is possible to verify the commands and then apply them manually.
To install PowerShell on Windows Server 2003, download and install KB968930 - Windows Management Framework Core package (Windows PowerShell 2.0 and WinRM 2.0) (prerequisites are KB914961 - Windows Server 2003 Service Pack 2, and .NET Framework, at least .NET 2.0 Service Pack 1).

f. In the output file C:\wevtutil_commands.txt, find the line for "ThinPrint Diagnostics" (the output is unique in each environment).
Example of such a line:

wevtutil sl "ThinPrint Diagnostics" /ca:O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0xf0007;;;BA)(A;;0x2;;;SO)(A;;0x2;;;IU)(A;;0x2;;;SU)(A;;0x2;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x1;;;S-1-5-21-2191134797-4201291384-1465959234-1108)

g. Copy the entire "wevtutil sl ..." command for "ThinPrint Diagnostics" from the C:\wevtutil_commands.txt file, paste it into the Windows Command Prompt, and press Enter.
Important Note: There should not be any prompt/output.
h. On the Identity Awareness Gateway, re-initialize the credentials for the user:
[Expert@HostName:0]# adlog a control reconf


Related solutions
sk60301 - Identity Awareness AD Query
sk100406 - How to use test_ad_connectivity to troubleshoot AD Query connectivity
sk43874 - Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Server 2003 and lower
sk104900 - Configuring ADQuery with a non administrator user without membership in "Server Operators" group

©1994-2021 Check Point Software Technologies Ltd. All rights reserved.