Non-Admin Domain Controller Account

InsightIDR requires log data from both LDAP and the Active Directory Security Logs to properly attribute all of your organization’s events to the users involved and to add context to analytics. The easiest way to acquire these logs is to use a Domain Admin account to query the Domain Controllers.

InsightIDR leverages Windows Management Instrumentation (WMI) to query the Active Directory Domain Controllers for the Security Event logs with an Admin account. It also leverages Distributed Component Object Model (DCOM) technology to handle the remote calls to the Domain Controllers.

However, some restrictions in your environment may require that you query the Domain Controllers using a non-admin account.

Rapid7 Does Not Support This Method

Rapid7 recognizes that customers may wish to create a service account with limited permissions for use with InsightIDR. While these instructions explain how to implement this service account, be aware that this configuration is not supported by Rapid7.

Read more about Domain Account alternatives here.

To grant a non-admin user the ability to connect to Domain Controllers and utilize remote read, launch, and access permissions, complete the following sections in order:

  1. Grant DCOM Permissions
  2. Grant WMI Permissions

You can also add additional domain controllers.

Grant DCOM Permissions

To grant DCOM permissions, you must complete several steps so that InsightIDR can connect to the Domain Controllers and query the AD security logs with the appropriate permissions:

Add a Domain User to Specific Groups

This non-admin user must be included in specific Windows groups in order to act as a non-admin service account for Rapid7 in place of a domain admin.

To add the standard domain user to these groups:

  1. Create a standard domain user following the directions here: https://support.microsoft.com/en-us/help/13951/windows-create-user-account
  2. After you create the user, add the user to the following built-in groups:
    • Distributed COM Users
    • Event Log Readers
    • Server Operators

Grant Remote Launch and Activation Permissions

Now, you must give the user proper remote launch permissions.

To grant remote launch permissions:

  1. From your Windows start menu, click Start > Run to launch the command terminal and enter the following command: DCOMCNFG.
  2. Click the OK button. The “Component Services” window appears.
  3. Expand the Component Services > Computers path, and right-click My Computer > Properties.
  4. In the "My Computer Properties" window, click the COM Security tab.
  5. Under "Launch and Activation Permissions," click the Edit Limits button.
  6. In the "Launch Permission" box, make sure your name or group appears in the list. If it does not appear in the list:
    • Click the Add button.
    • In the "Select Users, Computers, or Groups" box, add your name and group in the "Enter the object names to select" box.
    • Click the OK button.
  7. In the "Allow" column under "Permissions for User," check the Remote Launch and Remote Activation boxes to enable these permissions.
  8. Click the OK button to grant remote launch and activation permissions to the user.

The user now has remote launch and activation permissions.

Grant Remote Access Permissions

Now the user account needs remote access permissions in order to act as a service account. To grant remote access permissions:

  1. Return to the “My Computer > Properties” window from the “Component Services” window you accessed in earlier steps.
  2. In the "My Computer Properties" dialog box, click the COM Security tab.
  3. Under "Access Permissions," click the Edit Limits button.
  4. In the "Access Permission" box, make sure your name or group appears in the list. If it does not appear in the list:
    • Click the Add button.
    • In the "Select Users, Computers, or Groups" box, add your name and group in the "Enter the object names to select" box.
    • Click the OK button.
  5. In the "Allow" column under "Permissions for User," check the Remote Access box and click the OK button.

The user now has remote access permissions.

Grant WMI permissions

Now that the domain user has the DCOM permissions, you must give the user account permissions to work with Active Directory Query in the Windows Management Instrumentation (WMI) console.

To give permissions to work with AD Query to the user:

  1. From your Windows start menu, click Start > Run to launch the command terminal and enter the following command: wmimgmt.msc. The "Computer Management" window appears.
  2. Right-click the WMI Control option and select the Properties option from the dropdown.
  3. In the "WMI Control Properties" window, select the Security tab, and then expand the Root tree.
  4. Select the CIMV2 option and then click the Security button.
  5. Add the domain user that you've created to work with AD Query.
  6. Check off the Enable Account and Remote Enable permissions for the user account.
  7. Click the Advanced button. Select the domain user and make sure that "Apply to" is set to "this namespace and subnamespaces."
  8. Select the OK button to save changes.
  9. To restart the WMI service, click Start from your Windows menu and search for "Services."
  10. Locate and right-click the "Windows Management Instrumentation" service.
  11. Select the Restart option.

The non-admin domain user now has DC admin permissions.
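Before pointing InsightIDR at the account, it is worth confirming from the collector host that each of the permissions granted above actually works end to end. The following PowerShell script is an added verification example, not part of the Rapid7 documentation or product: it checks the three group memberships, opens a DCOM-based CIM session to the Domain Controller as the service account (exercising the DCOM launch, activation and access limits plus Remote Enable on root\cimv2), and reads a few Security log events. The DC name and account name are constructed placeholders; the membership check assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added verification script (not Rapid7's). Run from the collector host; the
# service account password is prompted for. Placeholder values are constructed.
$Dc      = 'DC01.corp.example'      # assumption: target Domain Controller
$Account = 'CORP\svc-insightidr'    # assumption: the non-admin service account
$Cred    = Get-Credential -UserName $Account -Message 'Service account password'

# 1. Group membership required by the procedure (needs RSAT ActiveDirectory module).
$Required = 'Distributed COM Users', 'Event Log Readers', 'Server Operators'
$Sam      = $Account.Split('\')[-1]
$Member   = Get-ADPrincipalGroupMembership -Identity $Sam | Select-Object -ExpandProperty Name
foreach ($g in $Required) {
    $state = if ($Member -contains $g) { 'OK     ' } else { 'MISSING' }
    Write-Host "[$state] group: $g"
}

# 2. DCOM launch/activation/access limits and WMI Remote Enable on root\cimv2:
#    opening a DCOM (not WinRM) CIM session to the DC exercises all of them.
$Opt = New-CimSessionOption -Protocol Dcom
try {
    $Session = New-CimSession -ComputerName $Dc -Credential $Cred -SessionOption $Opt -ErrorAction Stop
    Write-Host "[OK     ] DCOM session to $Dc as $Account"
} catch {
    Write-Host "[FAILED ] DCOM session to $Dc - $($_.Exception.Message)"
    return
}

# 3. Security log readability (Event Log Readers): pull a handful of Security events
#    through the same WMI class InsightIDR-style collectors query.
try {
    $Events = Get-CimInstance -CimSession $Session -ClassName Win32_NTLogEvent `
                  -Filter "Logfile='Security'" -ErrorAction Stop | Select-Object -First 5
    Write-Host "[OK     ] read $(@($Events).Count) Security events via WMI"
} catch {
    Write-Host "[FAILED ] Security log read - $($_.Exception.Message)"
} finally {
    Remove-CimSession -CimSession $Session
}
```

A MISSING group or a FAILED step points at the corresponding section above (group membership, DCOM limits, or the CIMV2 namespace security) to revisit before adding the account in InsightIDR.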

Add Additional Domain Controllers

If you are adding additional Domain Controllers for AD Security Logs, you must enable WMI permissions on each target system. To do so, repeat the steps to Grant DCOM Permissions and Grant WMI Permissions on that Domain Controller, and then restart the WMI service.