Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Server 2008 and higher
Solution

The main reason for creating this article was to simplify the procedure for using Identity Awareness AD Query without Active Directory Administrator privileges.

Note: If there are domain controllers running Windows Server 2003 in the domain, this article does not apply to those servers. For them, follow sk43874 - Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Server 2003 and lower.


Background

AD Query (previously called Identity Logging) is designed to work with an Active Directory domain administrator account. This is by far the easiest way to set it up, since members of the Administrators group are allowed to connect to the computer remotely by default. It can, however, also use a non-admin user that has been granted a specific set of permissions.


Introduction

AD Query uses Windows Management Instrumentation (WMI) to query the Active Directory Domain Controllers for their Security Event logs. The remote calls to the Domain Controllers are carried by Distributed COM (DCOM). To connect to a remote computer using WMI, the account needs WMI permissions, and both the DCOM settings and the WMI namespace security settings must allow the connection. Once the user/group can connect to the Domain Controller over WMI, it must additionally have permission to read the Security Event logs.

There are four main stages:

  1. Creating a user/group and granting it DCOM permissions.
  2. Giving the user/group WMI permissions.
  3. Adding read permissions to the Security Event logs.
  4. Configuring the user/group to be used for AD Query in SmartConsole (R80 and higher) / SmartDashboard (R77.30 and lower).


Procedure

  1. Create a user with Distributed COM and Event reading permissions

    1. Create a domain user (or use an existing one). Alternatively, create a security group, add this user to it, and apply the procedure described in this article to the group.

    2. Add this user/group to the built-in domain groups: Distributed COM Users, Event Log Readers, and Server Operators.

    3. Make sure that DCOM remote launch/activation permissions and remote access permissions are granted to the Distributed COM Users group (as described in Securing a Remote WMI Connection).

    Make sure the user is a member of the following groups:

    • Distributed COM Users
    • Domain Users
    • Event Log Readers
    • Server Operators
  2. Grant the user WMI permissions

    Note: This step should be performed on each Domain Controller.

    1. Run Windows Management Instrumentation (WMI) console:

      Go to Start menu - click on Run... - type wmimgmt.msc - click on OK/press Enter.
    2. Right-click on WMI Control - click on Properties.

    3. Go to the Security tab - expand Root.

    4. Select CIMV2 - click on Security button.

    5. Add the domain user that you have created to work with AD Query.
      Grant it the Remote Enable permission.

    6. Click on Advanced button.

    7. Make sure that the permissions for the domain user apply to This namespace and subnamespaces.

    8. Click on OK and close the dialogs.

  3. Restart WMI service

    Note: This step should be performed on each Domain Controller.

    1. Run the Windows Services Manager:

      Go to Start menu - click on Run... - type services.msc - click on OK/press Enter.

    2. Locate the Windows Management Instrumentation service and restart it (right-click on the service - click on Restart).

  4. Configure the user to be used for AD Query in SmartConsole (R80 and higher) / SmartDashboard (R77.30 and lower)

    1. Create an AD user with Distributed COM and Event reading permissions.

    2. Install policy to apply the change.
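The following PowerShell check is an added example, not part of the original article or of the Check Point product: it verifies from a domain-joined workstation that the non-admin account configured in stages 1 to 3 can actually do what AD Query needs. The Domain Controller name and the account name are placeholders; it assumes the ActiveDirectory module is installed for the group-membership check.

```powershell
# Added example: verify that the non-admin AD Query account can reach a Domain Controller over
# WMI (DCOM + CIMV2 "Remote Enable") and read the Security event log, which is what AD Query does.
# Placeholders: the DC name and the account name below; the ActiveDirectory module is assumed.
param(
    [string]$DomainController = "dc01.example.local",   # placeholder Domain Controller
    [string]$AdqUser          = "EXAMPLE\adq_svc"        # placeholder AD Query account
)

$cred = Get-Credential -UserName $AdqUser -Message "Password for the AD Query account"

# Stage 1 check: membership in the built-in groups the article requires.
$sam      = ($AdqUser -split '\\')[-1]
$memberOf = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
foreach ($g in @("Distributed COM Users", "Event Log Readers", "Server Operators")) {
    if ($memberOf -contains $g) { "OK      member of '$g'" } else { "MISSING not a member of '$g'" }
}

# Stage 2 check: a trivial query in root\cimv2 succeeds only if DCOM remote access/activation
# and the namespace "Remote Enable" permission are both in place. A failure here is a DCOM/WMI
# problem, not an event-log problem.
try {
    $os = Get-WmiObject -ComputerName $DomainController -Namespace root\cimv2 `
                        -Class Win32_OperatingSystem -Credential $cred -ErrorAction Stop
    "OK      WMI/DCOM connection to $DomainController ($($os.Caption))"
} catch {
    "FAILED  WMI/DCOM connection: $($_.Exception.Message)"; return
}

# Stage 3 check: reading the Security log through WMI additionally requires Event Log Readers
# (or an explicit read ACE on the channel). Logon events (4624) are what AD Query consumes.
try {
    $evt = Get-WmiObject -ComputerName $DomainController -Namespace root\cimv2 `
                         -Class Win32_NTLogEvent -Filter "Logfile='Security' AND EventCode=4624" `
                         -Credential $cred -ErrorAction Stop | Select-Object -First 1
    if ($evt) { "OK      read Security log (sample record $($evt.RecordNumber))" }
    else      { "WARN    query succeeded but returned no 4624 events" }
} catch {
    "FAILED  reading Security log: $($_.Exception.Message)"
}
```

Run it once per Domain Controller, since the WMI namespace permissions are set on each one individually.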


Note - In some setups, the procedure above may not work because installed software affects the user permissions. In such a case, follow the procedure below:

  1. Open the privileged Windows Command Prompt (As Administrator).

  2. Check whether ThinPrint Diagnostic appears in the list of event publishers using the Windows Events Command Line Utility:

    wevtutil el | findstr /I /C:"ThinPrint Diagnostic"
  3. If "ThinPrint Diagnostic" indeed appears on the list of event publishers, then follow these steps:

    1. Download this AD Query Permissions script

    2. Unpack the ZIP archive to extract the PowerShell script file - adq_permissions.ps1

    3. Put the adq_permissions.ps1 in the root of disk C:\ on the Domain Controller machine

    4. Open the privileged Windows Command Prompt (As Administrator)

    5. Run the PowerShell script:

      powershell C:\adq_permissions.ps1 /U=username /C > C:\wevtutil_commands.txt

      Notes:

      • The PowerShell script will print (without changing) the commands to allow read permissions for all Event Log folders.
      • The /C switch prints the commands without executing them in a way that is ready for copy-and-paste to the Command Prompt.
        That way it is possible to verify the commands and then apply them manually.
    6. In the output file C:\wevtutil_commands.txt, find the line for "ThinPrint Diagnostics" (output will be unique in each environment).

      Example of such line:
      wevtutil sl "ThinPrint Diagnostics" /ca:O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0xf0007;;;BA)(A;;0x2;;;SO)(A;;0x2;;;IU)(A;;0x2;;;SU)(A;;0x2;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x1;;;S-1-5-21-2191134797-4201291384-1465959234-1108)
    7. Copy the entire command "wevtutil sl ..." for "ThinPrint Diagnostics" from the C:\wevtutil_commands.txt file, paste it in the Windows Command Prompt and press Enter.

      Important Note: There should not be any prompt/output.
    8. On the Identity Awareness Gateway, re-initiate the credentials for the user:

      [Expert@HostName:0]# adlog a control reconf
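As an added illustration (this is not the article's adq_permissions.ps1 and not Check Point code), the script below does for a single event channel what the /C mode described above does for all of them: it resolves the account to its SID, reads the channel's current SDDL from wevtutil gl, and prints, without executing, the wevtutil sl command that appends a read ACE in the same form as the sample line above. The account name is a placeholder; the channel name is taken from the article's sample.

```powershell
# Added example: print (do not execute) the "wevtutil sl" command that grants the AD Query account
# read access to one event channel. Run in an elevated PowerShell on the Domain Controller.
# Placeholders: the account name; the channel name is the one from the article's sample output.
param(
    [string]$AdqUser = "EXAMPLE\adq_svc",          # placeholder AD Query account
    [string]$Channel = "ThinPrint Diagnostics"     # channel from the article's sample
)

# The ACE must carry the account's SID, not its name.
$sid = (New-Object System.Security.Principal.NTAccount($AdqUser)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# "wevtutil gl" prints the channel's current descriptor on a "channelAccess: O:BAG:SYD:(...)" line.
$line = (wevtutil gl "$Channel") | Where-Object { $_ -like 'channelAccess:*' } | Select-Object -First 1
if (-not $line) { throw "Channel '$Channel' not found or has no channelAccess line." }

# Split on the first ':' only; the SDDL itself contains ':' characters.
$sddl = ($line -split ':', 2)[1].Trim()
if (-not $sddl) {
    # An empty channelAccess means the channel inherits its ACL; appending an ACE to nothing
    # would produce a descriptor without an owner, so skip it rather than emit a bad command.
    "# '$Channel' has no explicit channelAccess (inherited); nothing printed"
    return
}

# 0x1 is the event-log read right, matching the "(A;;0x1;;;<SID>)" ACE in the article's sample.
$ace = "(A;;0x1;;;$sid)"
if ($sddl -like "*$ace*") {
    "# '$Channel' already grants read to $AdqUser; nothing to do"
} else {
    # Print only: review the line, then paste it into an elevated Command Prompt.
    # As the article notes, a successful "wevtutil sl" produces no output.
    "wevtutil sl `"$Channel`" /ca:$sddl$ace"
}
```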
