Using Identity Awareness AD Query Without Active Directory Administrator Privileges On Windows Server 2008 and Higher
Solution ID: sk93938
Product: Identity Awareness
Version: R75, R76, R77, R77.10, R77.20, R77.30, R80.10, R80.20, R80.30, R80.40, R81
OS: SecurePlatform 2.6, Gaia, IPSO 6.2
Platform / Model: All
Date Created: 01-Aug-2013
Solution
The main reason for creating this article was to simplify the procedure for using Identity Awareness AD Query without Active Directory Administrator privileges.
Note: If there are domain controllers running on Windows Server 2003 in the domain, this article does not apply to those servers. For them, follow sk43874 - Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Server 2003 and lower.
Table of Contents:
Background
Introduction
Procedure
Notes
Related solutions
Background
The AD Query (previously called Identity Logging) is designed to work when provided an Active Directory domain administrator user. This is, by far, the easiest way to se
since the members of the Administrators group are allowed to remotely connect to the computer (by default). On the other hand, it can also use a Non-Admin user, giv
specific permissions.
Introduction
AD Query uses Windows Management Instrumentation (WMI) to query Active Directory Domain Controllers for the Security Event logs. To handle the remote calls to th
Domain Controllers, AD Query uses Distributed COM (DCOM) technology. In order to connect to a remote computer using WMI, WMI permissions should be granted, an
DCOM settings and WMI namespace security settings should enable the connection. After a user/group can connect to the Domain Controller using WMI, it should hav
permissions to read the Security Event logs.
There are four main stages:
Creating a user/group and granting it DCOM permissions.
Giving the user/group WMI permissions.
Adding read permissions to the Security Event logs.
Configuring the user/group to be used for AD Query in the SmartDashboard.
Procedure
A. Create a domain user (or use an existing one). It is possible to create a security group, add this user to the group and apply the procedure, described in th
article, on the group.
B. Add this user/group to the built-in domain groups: Distributed COM Users, Event Log Readers, and Server Operators.
C. Make sure that DCOM remote launch activation permissions and remote access permissions are granted for the Distributed COM Users group (as describ
Securing a Remote WMI Connection):
Make sure the user is a member of the following groups:
Distributed COM Users
Domain Users
Event Log Readers
Server Operators
F. Click on Advanced button.
G. Make sure that the permissions for the domain user apply to This namespace and subnamespaces.
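The following PowerShell script is an added example and is not part of this article or of the Identity Awareness product. Run on a domain controller, it audits the prerequisites covered by the first three stages for one account: membership in the three built-in groups, the machine-wide DCOM limits, and the WMI namespace DACL, including whether the entry applies to "This namespace and subnamespaces". The account name adquery-svc, the root\cimv2 namespace and the availability of the ActiveDirectory module (RSAT) are assumptions.

```powershell
# Added example (not from the Check Point article): audit a non-admin AD Query
# account against the DCOM, WMI and group-membership prerequisites on this DC.
# Assumptions: account name, namespace, ActiveDirectory module present. Run elevated.
param(
    [string]$AccountName = 'adquery-svc',   # assumed: user or group used by AD Query
    [string]$Namespace   = 'root\cimv2'     # assumed: namespace AD Query reads through
)
Import-Module ActiveDirectory -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[string]

# --- Stages 1 and 2: built-in groups named in the procedure -------------------
$requiredGroups = 'Distributed COM Users', 'Event Log Readers', 'Server Operators'
$groups   = @(Get-ADPrincipalGroupMembership -Identity $AccountName)
$memberOf = @($groups | ForEach-Object { $_.Name })
foreach ($g in $requiredGroups) {
    if ($memberOf -notcontains $g) { $findings.Add("not a member of '$g'") }
}

# --- Stage 1: machine-wide DCOM limits -----------------------------------------
# A missing registry value means the Windows defaults apply. A customised value is a
# binary security descriptor; decode it to SDDL and look for Distributed COM Users.
$dcomUsersSid = 'S-1-5-32-562'   # well-known SID of Distributed COM Users
$helper = [wmiclass]'Win32_SecurityDescriptorHelper'
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
foreach ($valueName in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    $bin = $ole.$valueName
    if ($null -eq $bin) { continue }   # defaults in effect, nothing customised
    $sddl = $helper.BinarySDToSDDL($bin).SDDL
    if ($sddl -notmatch [regex]::Escape($dcomUsersSid)) {
        $findings.Add("$valueName is customised and grants nothing to Distributed COM Users")
    }
}

# --- Stage 2: WMI namespace DACL --------------------------------------------------
# AD Query needs Enable Account + Remote Enable on the namespace, applied to
# "This namespace and subnamespaces" (CONTAINER_INHERIT_ACE).
$WBEM_ENABLE        = 0x1
$WBEM_REMOTE_ACCESS = 0x20
$CONTAINER_INHERIT  = 0x2
$ACCESS_ALLOWED     = 0
$needed = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

$principal = Get-ADObject -Filter "SamAccountName -eq '$AccountName'" -Properties objectSid
if (-not $principal) { throw "Account '$AccountName' not found in Active Directory" }
# An ACE for the account itself or for any group it belongs to satisfies the check.
$wantedSids = @($principal.objectSid.Value) + @($groups | ForEach-Object { $_.SID.Value })

$sd  = (Get-WmiObject -Namespace $Namespace -Class __SystemSecurity).GetSecurityDescriptor().Descriptor
$ace = @($sd.DACL | Where-Object {
    $_.AceType -eq $ACCESS_ALLOWED -and
    $wantedSids -contains $_.Trustee.SIDString -and
    (($_.AccessMask -band $needed) -eq $needed)
})
if ($ace.Count -eq 0) {
    $findings.Add("no allow ACE with Enable Account + Remote Enable for '$AccountName' or its groups on $Namespace")
} elseif (-not @($ace | Where-Object { ($_.AceFlags -band $CONTAINER_INHERIT) -ne 0 })) {
    $findings.Add("WMI permissions on $Namespace are not applied to 'This namespace and subnamespaces'")
}

# --- Report -------------------------------------------------------------------------
if ($findings.Count -eq 0) {
    "OK: '$AccountName' meets the group, DCOM and WMI prerequisites on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { "CHECK: $_" }
}
```

Run the script elevated on every domain controller that AD Query will query; it only reads configuration and changes nothing. Once it reports OK, confirm the end-to-end connection from the Security Gateway with test_ad_connectivity (see sk100406 in the related solutions below).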
Notes
If you need the selected user to be able to reset passwords, apply this to the Windows Server for that user:
Delegate 1 Task - Reset user passwords and force password change at next logon
KB296999 - Minimum permissions are needed for a delegated administrator to force password change at next logon procedure
In some setups, the procedure above may not work because installed software changes the user permissions (e.g., the ThinPrint Diagnostic Utility installed by VMware Tools). In such a case, follow this procedure:
That way it is possible to verify the commands and then apply them manually.
To install PowerShell on Windows Server 2003, download and install the KB968930 - Windows Management Framework Core package (Windows PowerShell 2.0 and WinRM 2.0) (prerequisites are KB914961 - Windows Server 2003 Service Pack 2, and .NET Framework, at least .NET 2.0 Service Pack 1).
f. In the output file C:\wevtutil_commands.txt, find the line for "ThinPrint Diagnostics" (output will be unique in each environment).
Example of such a line:
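As an added example, not from this article, the PowerShell script below follows the same idea as the note above: it reads the Security log channel permissions with wevtutil, checks whether the AD Query account (or the Event Log Readers group) already has read access, and writes the corrective wevtutil command to a file so it can be reviewed before being applied by hand. The account name adquery-svc is an assumption; the output file path is the one named in the note.

```powershell
# Added example (not from the Check Point article): generate, but do not run,
# the wevtutil command that gives the AD Query account read access to the
# Security log channel. Assumed values: account/group name and output path.
param(
    [string]$AccountName = 'adquery-svc',               # assumed
    [string]$OutFile     = 'C:\wevtutil_commands.txt'   # path used in the note above
)
$EVENT_LOG_READERS = 'S-1-5-32-573'   # well-known SID; SDDL may also show it as 'ER'
$READ              = 0x1              # channelAccess right bit for reading the log

# Resolve the account or group name to a SID string.
$sid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 'wevtutil gl Security' prints one "key: value" per line; channelAccess holds the SDDL.
$sddl = $null
foreach ($line in (& wevtutil gl Security)) {
    if ($line -match '^\s*channelAccess:\s*(\S+)') { $sddl = $Matches[1] }
}
if (-not $sddl) { throw 'channelAccess line not found in wevtutil output' }

# Walk the ACEs, each of the form (type;flags;rights;objguid;inhguid;sid).
$granted = $false
$manual  = @()
foreach ($m in [regex]::Matches($sddl, '\(([^)]*)\)')) {
    $f = $m.Groups[1].Value -split ';'
    if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }          # allow ACEs only
    $trustee = $f[5]
    if ($trustee -ne $sid -and $trustee -ne $EVENT_LOG_READERS -and $trustee -ne 'ER') { continue }
    if ($f[2] -match '^0x[0-9a-fA-F]+$') {
        if (([int]$f[2] -band $READ) -ne 0) { $granted = $true }   # numeric rights mask
    } else {
        $manual += $m.Value                                        # symbolic rights, e.g. GR
    }
}

# Write the result; the existing ACEs are kept and a read-only ACE is appended.
$out = @("# channelAccess on $env:COMPUTERNAME as read by 'wevtutil gl Security':", "# $sddl")
if ($granted) {
    $out += "# read access already present for $AccountName (or Event Log Readers); nothing to do"
} else {
    $newSddl = $sddl + "(A;;0x1;;;$sid)"
    $out += '# review, then run manually to append a read-only ACE for the account:'
    $out += "wevtutil sl Security /ca:$newSddl"
}
if ($manual.Count -gt 0) {
    $out += '# ACEs with symbolic rights that this script did not evaluate: ' + ($manual -join ' ')
}
Set-Content -Path $OutFile -Value $out
Get-Content -Path $OutFile
```

Appending rather than replacing the descriptor is deliberate: software such as the ThinPrint utility mentioned above may have rewritten channelAccess, and the other entries (SYSTEM, Administrators) must survive the change. Review the file before running the wevtutil sl line on each domain controller.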
Related solutions
sk60301 - Identity Awareness AD Query
sk100406 - How to use test_ad_connectivity to troubleshoot AD Query connectivity
sk43874 - Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Server 2003 and lower
sk104900 - Configuring ADQuery with a non administrator user without membership in "Server Operators" group