AD Agent: Overview > Service Account
The AD Agent runs as a Windows service in a specially-configured account. The account is normally named dcagent_service, and is created by an Administrator during setup. The dcagent_service account is a normal domain account, but it has two special characteristics:
- The dcagent_service account is granted the "Manage auditing and security log" privilege (a.k.a. "SeSecurityPrivilege") on the domain. This allows the AD Agent to scan the domain controller's security event logs to detect user logon/logoff activity -- something that is forbidden for ordinary users.
- The dcagent_service account is a member of the dcagent_services group, which is also created by the Administrator during setup. This group exists so that other domain accounts can be permitted to interact with the AD Agent. For example, if you need to run a particular AD Agent host in a different service account, you can add that account to the dcagent_services group so that it can communicate with the rest of the team.
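
Because "Manage auditing and security log" is a sensitive right, it is worth confirming that only the intended accounts hold it. The following is an added example, not vendor code: it parses the text of a `secedit` user-rights export and compares the SeSecurityPrivilege holders against an allow-list. The function names, the sample export and the extra SID in it are constructed for illustration, and the allow-list assumes that only the built-in Administrators group and dcagent_service should hold the right.

```powershell
# Constructed sample of a user-rights export. A real one is produced with:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544,dcagent_service,*S-1-5-21-1111111111-2222222222-3333333333-1604
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Hypothetical helper: return the accounts/SIDs listed for one privilege.
function Get-PrivilegeHolders {
    param(
        [Parameter(Mandatory)][string]$InfText,
        [string]$Privilege = 'SeSecurityPrivilege'
    )
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user-rights assignments.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Privilege) {
            # Entries are comma-separated; SIDs carry a leading '*'.
            return @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # privilege not assigned to anyone in this export
}

# Hypothetical helper: diff the actual holders against the expected set.
function Test-SecurityPrivilegeHolders {
    param([string]$InfText, [string[]]$Expected)
    $holders = Get-PrivilegeHolders -InfText $InfText
    [pscustomobject]@{
        Unexpected = @($holders  | Where-Object { $_ -notin $Expected })
        Missing    = @($Expected | Where-Object { $_ -notin $holders })
    }
}

# S-1-5-32-544 is the built-in Administrators group.
$expected = 'S-1-5-32-544', 'dcagent_service'
Test-SecurityPrivilegeHolders -InfText $sampleInf -Expected $expected | Format-List
```

An entry under `Unexpected` is an account that can read the security log without being part of the documented setup; an entry under `Missing` means the AD Agent account would not be able to scan the log.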