Active Directory Health & Security Status Required Permissions


For the InfraSOS Agent service to report correctly on the health and security status of your Active Directory, it must run under a dedicated user account (a service account). By default the service runs under the “Local System account”, which lacks the permissions the InfraSOS Agent needs. This documentation provides step-by-step instructions on how to configure that service account.

Enable PS Remoting on DCs

Our agent server uses LDAP and PowerShell to report against your Active Directory. PowerShell Remoting must be enabled on all DCs in your domain. You can enable it by executing the following command in PowerShell on each domain controller:

Enable-PSRemoting -Force

DC Firewall Ports

Confirm that the following firewall rules on your domain controllers allow inbound connections from the agent server:

  • Windows Remote Management (HTTP-In) (Inbound) - Allow Connection
  • Windows Management Instrumentation (DCOM-In) - Allow Connection
  • Windows Management Instrumentation (WMI-In) - Allow Connection
  • Windows Management Instrumentation (ASync-In) - Allow Connection
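The following script is an added example, not part of the InfraSOS documentation or product. Run it on the agent server (with the RSAT ActiveDirectory module installed) as an account allowed to query the domain controllers: for every DC it checks that WinRM answers and that the four firewall rules listed above are enabled.

```powershell
# Added example, not from the InfraSOS documentation. Firewall rules exist once per
# profile, so a rule counts as enabled only if every copy of it is enabled.
Import-Module ActiveDirectory

$RuleNames = @(
    'Windows Remote Management (HTTP-In)',
    'Windows Management Instrumentation (DCOM-In)',
    'Windows Management Instrumentation (WMI-In)',
    'Windows Management Instrumentation (ASync-In)'
)

$Results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $dcName = $dc.HostName
    $winrm  = $false
    # Test-WSMan succeeds only if PS Remoting (WinRM) is listening on the DC.
    try { $null = Test-WSMan -ComputerName $dcName -ErrorAction Stop; $winrm = $true } catch { }

    $ruleState = @{}
    if ($winrm) {
        $ruleState = Invoke-Command -ComputerName $dcName -ArgumentList (,$RuleNames) -ScriptBlock {
            param([string[]]$Names)
            $state = @{}
            foreach ($n in $Names) {
                $rules = @(Get-NetFirewallRule -DisplayName $n -ErrorAction SilentlyContinue)
                $state[$n] = ($rules.Count -gt 0) -and
                             (@($rules | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0)
            }
            $state
        }
    }

    [pscustomobject]@{
        DomainController  = $dcName
        WinRM             = $winrm
        RulesNotConfirmed = ($RuleNames | Where-Object { -not $ruleState[$_] }) -join '; '
    }
}
$Results | Format-Table -AutoSize
```

A DC that does not answer WinRM lists all four rules as not confirmed, because the rules could not be read remotely.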

Create an Active Directory user (Service Account)

We recommend creating a separate Active Directory user for running the InfraSOS Agent service. The following guide explains how to:

  1. Open “Active Directory Users & Computers”;
  2. Choose the location (OU) where you want to create the new user and click New ⇒ User
  3. In the modal window for creating a user:
    1. “Full name”: InfraSOS User
    2. “User logon name” (SamAccountName): InfraSOSUser
    3. “Password”: use a strong password. You will need it later, when the InfraSOS Agent service is configured to log on as this user.
    4. “Password options” section:
      1. Select “Other password options”
      2. Check “Password never expires” (optional; the account is used only to run the service, so without this flag you will have to update the service’s logon credentials whenever the password changes)
      3. Check “User cannot change password” (optional)
  4. Click OK to save the new InfraSOS User.
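The same account can be created from PowerShell. This is an added example, not InfraSOS code: it applies the settings from the steps above and then reads the account back to confirm them. The target OU and the UPN suffix are assumptions; replace $TargetOU with the OU you chose in step 2.

```powershell
# Added example, not from the InfraSOS documentation. Requires the RSAT ActiveDirectory
# module and an account allowed to create users in the target OU.
Import-Module ActiveDirectory

$TargetOU = 'OU=Service Accounts,DC=example,DC=com'   # placeholder OU, not from the page
$Password = Read-Host -Prompt 'Password for InfraSOSUser' -AsSecureString

$Params = @{
    Name                 = 'InfraSOS User'                        # "Full name"
    SamAccountName       = 'InfraSOSUser'                         # "User logon name"
    UserPrincipalName    = 'InfraSOSUser@' + (Get-ADDomain).DNSRoot  # assumed UPN suffix
    Path                 = $TargetOU
    AccountPassword      = $Password
    PasswordNeverExpires = $true    # "Password never expires" (optional in the GUI)
    CannotChangePassword = $true    # "User cannot change password" (optional in the GUI)
    Enabled              = $true
}
New-ADUser @Params

# Read the account back and confirm the flags the GUI steps set.
Get-ADUser -Identity 'InfraSOSUser' -Properties PasswordNeverExpires, CannotChangePassword |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword
```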

Granting Permissions to the newly created InfraSOS AD Service Account

In order for your InfraSOS service account to read your domain, you will need to assign permissions to it. There are two ways to achieve this:

  1. Option 1 is much easier to configure, but it may be rejected by your company’s security policy.
  2. Option 2 requires a few more steps to configure, but it is more likely to be in line with your company’s security policy.

Option 1: Grant the user “Domain Admins”

1.1 Add the user to the “Domain Admins” group

  1. In “Active Directory Users & Computers”, find and open the InfraSOSUser account created in the “Create an Active Directory user (Service Account)” step
  2. On the “Member of” tab, click Add…
  3. In the modal window:
    1. In the “Enter the object names to select (examples)” field, enter Domain Admins
    2. Click Check Names
    3. If the user was found, click OK
  4. Click OK for the user editing window

1.2 Run the InfraSOS Agent service as the new user

  1. On the server where the InfraSOS Agent is installed, open Services (services.msc).
  2. In the list of services, find the service named InfraSOS Agent.
  3. Right-click on the service ⇒ Properties ⇒ Log On.
  4. Select This account.
  5. Click Browse…
  6. In the modal window:
    1. In the “Enter the object names to select (examples)” field, enter InfraSOSUser
    2. Click Check Names
    3. Click OK.
  7. Enter the Password and Confirm password (use credentials from the selected user).
  8. Click OK
  9. Note: You should see the message “The account <your domain>\InfraSOSUser has been granted the Log On As a Service rights”
  10. Restart the InfraSOS Agent service for the changes to be applied

That’s all you need to do in order for the InfraSOS agent to have permission to read your AD using option 1 above. You can now reload the InfraSOS portal to check if the Active Directory Health & Security Dashboard loads.

Option 2: Grant the user the minimal required privileges

2.1 Assign user permission to read AD (using delegation of rights):

  1. Open “Active Directory Users and Computers”
  2. Enable Advanced Features:
    1. At the top of the window, click View
    2. Make sure Advanced Features is checked
  3. Right-click on <your domain name>
  4. Click Delegate Control
  5. In the window:
    1. Click Next ⇒ Add
    2. In the window:
      1. In the “Enter the object names to select (examples)” field, enter the InfraSOSUser account you created earlier
      2. Click Check Names
      3. If the user was found, click OK
    3. Click Next
    4. Under “Delegate the following common tasks”:
      1. Check the box for Read all user information.
      2. Check the box for Generate Resultant Set of Policy (Logging)
    5. Click Next ⇒ Finish

2.2 Add the user to the required groups

  1. Find the InfraSOSUser account and open its Properties
  2. Select the “Member of” tab
  3. Click Add…
  4. In the window:
    1. In the “Enter the object names to select (examples)” field, paste the text “Remote Desktop Users; Remote Management Users; Server Operators; Performance Log Users”
    2. Click Check Names
    3. If the groups were found, click OK
  5. Click OK
  6. Close “Active Directory Users & Computers”
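The script below is an added example, not part of the InfraSOS documentation. Run on a domain-joined machine with the RSAT ActiveDirectory module, it reports the Option 2 state of InfraSOSUser: the four group memberships from step 2.2, the two rights delegated in step 2.1, and whether the account is also a Domain Admin (which Option 2 is meant to avoid). The GUIDs are the schema IDs of the user class and of the “Generate Resultant Set of Policy (Logging)” control access right, which is how the Delegation wizard records those two tasks.

```powershell
# Added example, not from the InfraSOS documentation. The Delegation wizard writes
# "Read all user information" as GenericRead on descendant user objects and
# "Generate Resultant Set of Policy (Logging)" as an extended right on the domain.
Import-Module ActiveDirectory

$Sam             = 'InfraSOSUser'
$RequiredGroups  = 'Remote Desktop Users', 'Remote Management Users',
                   'Server Operators', 'Performance Log Users'
$UserClassGuid   = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of "user"
$RsopLoggingGuid = [guid]'b7b1b3de-ab09-4242-9e30-9980e5d322f7'   # Generate-RSoP-Logging

# Step 2.2: direct group memberships (nested memberships are not resolved here).
$User   = Get-ADUser -Identity $Sam -Properties MemberOf
$Groups = @($User.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

# Step 2.1: Allow ACEs for the account on the domain head, read through the AD: drive.
$Acl  = Get-Acl -Path ('AD:\' + (Get-ADDomain).DistinguishedName)
$Aces = @($Acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -like "*\$Sam" })

$GenericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$ExtRight    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$ReadAllUsers = @($Aces | Where-Object {
    (([int]$_.ActiveDirectoryRights -band $GenericRead) -eq $GenericRead) -and
    $_.InheritedObjectType -eq $UserClassGuid }).Count -gt 0
$RsopLogging = @($Aces | Where-Object {
    (([int]$_.ActiveDirectoryRights -band $ExtRight) -ne 0) -and
    $_.ObjectType -eq $RsopLoggingGuid }).Count -gt 0

[pscustomobject]@{
    Account          = $Sam
    MissingGroups    = @($RequiredGroups | Where-Object { $_ -notin $Groups }) -join '; '
    InDomainAdmins   = 'Domain Admins' -in $Groups
    ReadAllUserInfo  = $ReadAllUsers
    RsopLoggingRight = $RsopLogging
} | Format-List
```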

2.3 Set Local Security Policy on the Agent Server

  1. Open the “Local Security Policy” application on the agent server.
  2. Choose Local Policies in the navigation panel on the left.
  3. In the opened folder, choose User Rights Assignment in the navigation panel on the left.
  4. In the window, double-click the policy Log on as a service
  5. Click Add User or Group
  6. In the window:
    1. In the “Enter the object names to select (examples)” field, enter InfraSOSUser
    2. Click Check Names
    3. If the user was found, click OK
  7. Now open PowerShell or CMD as administrator on your agent server and run the following command to apply the change locally:
gpupdate /force

2.4 Rights for WMI Namespace on Domain Controllers

This step gives the service account read access to the WMI namespaces. On each domain controller perform the following:

  1. Configure WMI Namespace Rights
    • Run wmimgmt.msc.
    • Right-click WMI Control and select Properties.
    • On the Security tab, select Root and click Security.
    • Click Advanced
    • Click Add
    • Click Select a principal
    • Enter the InfraSOSUser account
    • Allow the Execute Methods, Enable Account, Remote Enable, and Read Security permissions for InfraSOSUser.
    • Under Applies To, select This namespace and all subnamespaces.
    • Click OK in the remaining windows.

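To confirm the WMI namespace rights above on a domain controller, the following added example (not InfraSOS code) reads the DACL of the root namespace and reports which of the four required permissions InfraSOSUser is still missing, whether the entry inherits to sub-namespaces, and whether a Deny entry for the account exists. The mask and flag values are the WBEM and ACE constants from the Windows SDK; run it as an administrator on each DC.

```powershell
# Added example, not from the InfraSOS documentation. Access mask bits from wbemcli.h,
# ACE flag from winnt.h.
$Sam = 'InfraSOSUser'
$RequiredBits = [ordered]@{
    'Enable Account'  = 0x1       # WBEM_ENABLE
    'Execute Methods' = 0x2       # WBEM_METHOD_EXECUTE
    'Remote Enable'   = 0x20      # WBEM_REMOTE_ACCESS
    'Read Security'   = 0x20000   # READ_CONTROL
}
$CONTAINER_INHERIT_ACE = 0x2     # set when "This namespace and subnamespaces" was chosen

$Sid = (New-Object System.Security.Principal.NTAccount($Sam)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# __SystemSecurity returns the namespace security descriptor as a Win32_SecurityDescriptor.
$Result = Invoke-WmiMethod -Namespace root -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($Result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($Result.ReturnValue)" }
$Dacl = @($Result.Descriptor.DACL)

$Allow = @($Dacl | Where-Object { $_.Trustee.SIDString -eq $Sid -and $_.AceType -eq 0 })
$Deny  = @($Dacl | Where-Object { $_.Trustee.SIDString -eq $Sid -and $_.AceType -eq 1 })

# Merge all Allow entries for the account, then test each required bit.
$Mask = 0; $Flags = 0
foreach ($ace in $Allow) { $Mask = $Mask -bor $ace.AccessMask; $Flags = $Flags -bor $ace.AceFlags }
$Missing = foreach ($entry in $RequiredBits.GetEnumerator()) {
    if (($Mask -band $entry.Value) -eq 0) { $entry.Key }
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    Account             = $Sam
    AllowAceFound       = $Allow.Count -gt 0
    MissingPermissions  = $Missing -join '; '
    InheritsToSubspaces = ($Flags -band $CONTAINER_INHERIT_ACE) -ne 0
    DenyAcePresent      = $Deny.Count -gt 0
} | Format-List
```

A Deny entry takes precedence over the Allow entry, so DenyAcePresent should be False for the account to work.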
2.5 Give access to the InfraSOS Agent folder

  1. Find the location of the InfraSOS FZCO folder (usually under C:\Program Files)
  2. Right-click the InfraSOS FZCO folder ⇒ Properties ⇒ Security
  3. Under “Group or user names”, click Edit… ⇒ Add…
  4. In the window:
    1. In the “Enter the object names to select (examples)” field, enter InfraSOSUser
    2. Click Check Names
    3. If the user was found, click OK
  5. Select InfraSOSUser in the list
  6. Under “Permissions for InfraSOSUser”, allow the Write permission
  7. Click OK

2.6 Run the service as the new user

  1. Open Services (services.msc).
  2. In the list of services, find the service named InfraSOS Agent.
  3. Right-click on the service ⇒ Properties ⇒ Log On.
  4. Select This account.
  5. Click Browse…
  6. In the modal window:
    1. In the “Enter the object names to select (examples)” field, enter InfraSOSUser
    2. Click Check Names
    3. Click OK.
  7. Enter the Password and Confirm password (use credentials from the selected user).
  8. Click OK
  9. Note: You should see the message “The account <your domain>\InfraSOSUser has been granted the Log On As a Service rights”
  10. Restart the InfraSOS Agent service for the changes to be applied
  11. Now restart the InfraSOS Agent server just to make sure all new permissions are applied.
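The following script is an added example, not from the InfraSOS documentation. Run as administrator on the agent server after the steps above, it verifies the three local settings they change: the “Log on as a service” right, Write access on the InfraSOS FZCO folder, and the account the InfraSOS Agent service logs on as (the last check applies equally to step 1.2 of Option 1). The service display name and folder path are taken from this page; adjust $Folder if the agent was installed elsewhere.

```powershell
# Added example, not from the InfraSOS documentation.
$Sam     = 'InfraSOSUser'
$Folder  = 'C:\Program Files\InfraSOS FZCO'   # default location named on this page
$Service = 'InfraSOS Agent'                    # display name shown in services.msc

$Sid = (New-Object System.Security.Principal.NTAccount($Sam)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# "Log on as a service" is SeServiceLogonRight in the local security database. secedit
# exports it as a comma-separated list of SIDs prefixed with '*'.
$Cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$Line = Get-Content $Cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
Remove-Item $Cfg -ErrorAction SilentlyContinue
$HasLogonRight = $false
if ($Line) {
    $Sids = ($Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    $HasLogonRight = $Sids -contains $Sid
}

# Write on the agent folder: an Allow ACE for the account that includes the Write bits
# (Modify or Full Control also satisfy this).
$Write    = [int][System.Security.AccessControl.FileSystemRights]::Write
$HasWrite = @((Get-Acl -Path $Folder).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -like "*\$Sam" -and
    (([int]$_.FileSystemRights -band $Write) -eq $Write) }).Count -gt 0

# The service's logon account; StartName is stored as DOMAIN\user.
$Svc        = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$Service'"
$RunsAsUser = ($null -ne $Svc) -and ($Svc.StartName -like "*\$Sam")

[pscustomobject]@{
    Account            = $Sam
    LogOnAsService     = $HasLogonRight
    WriteOnAgentFolder = $HasWrite
    ServiceFound       = ($null -ne $Svc)
    ServiceLogOnAs     = $Svc.StartName
    ServiceRunsAsUser  = $RunsAsUser
} | Format-List
```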
