Access to AD Objects or Containers
Tenable Identity Exposure does not require administrative privileges to achieve its security monitoring.
This approach relies on the ability of the user account that Tenable Identity Exposure uses to read all Active Directory objects stored in a domain (including user accounts, organizational units, groups, etc.).
By default, most objects grant read access to the Domain Users group, of which the Tenable Identity Exposure service account is a member. However, you must manually configure some containers to allow read access for the Tenable Identity Exposure user account.
The following table details the Active Directory objects and containers that require manual configuration for read access on each domain that Tenable Identity Exposure monitors.
| Location of the Container | Description |
|---|---|
| CN=Deleted Objects,DC=<DOMAIN>,DC=<TLD> | A container that hosts deleted objects. |
| CN=Password Settings Container,CN=System,DC=<DOMAIN>,DC=<TLD> | (Optional) A container that hosts Password Strategy Objects. |
To grant access to AD objects and containers:

- In the domain controller's command line interface, run the following commands to grant access to Active Directory objects or containers:

  Note: You must run these commands on each domain that Tenable Identity Exposure monitors.

  ```
  dsacls "<__CONTAINER__>" /takeownership
  dsacls "<__CONTAINER__>" /g <__SERVICE_ACCOUNT__>:LCRP /I:T
  ```

  where:

  - <__CONTAINER__> refers to the container that requires access.
  - <__SERVICE_ACCOUNT__> refers to the service account that Tenable Identity Exposure uses.
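The procedure above applied to both containers from the table, with a verification pass, as an added PowerShell example that is not part of the Tenable documentation. It assumes the ActiveDirectory module is available on the domain controller and uses the placeholder service account `EXAMPLE\svc-tie`; `LCRP` grants only List Contents and Read Property, which is the least privilege the read-only monitoring needs.

```powershell
# Added example, not Tenable's own script. Run in an elevated prompt on a
# domain controller of each monitored domain.
Import-Module ActiveDirectory

# Placeholder: replace with the real Tenable Identity Exposure service account.
$serviceAccount = 'EXAMPLE\svc-tie'

# Resolve DC=<DOMAIN>,DC=<TLD> from the current domain instead of hard-coding it.
$domainDN = (Get-ADDomain).DistinguishedName

# The two containers from the table above (Password Settings Container is optional).
$containers = @(
    "CN=Deleted Objects,$domainDN",
    "CN=Password Settings Container,CN=System,$domainDN"
)

foreach ($container in $containers) {
    # Deleted Objects is not readable by administrators by default, so ownership
    # must be taken before its ACL can be modified.
    dsacls "$container" /takeownership | Out-Null

    # Grant List Contents (LC) + Read Property (RP) to the service account,
    # inherited to this object and all sub-objects (/I:T). No write rights.
    dsacls "$container" /g "${serviceAccount}:LCRP" /I:T | Out-Null

    # Verify: dsacls with no switch prints the current ACEs on the object.
    $aces = dsacls "$container"
    if ($aces -match [regex]::Escape($serviceAccount)) {
        Write-Output "OK: read access granted on $container"
    } else {
        Write-Warning "No ACE found for $serviceAccount on $container"
    }
}
```

Keep the grant at `LCRP`; granting `GA` or `GR` would give the monitoring account more than the read access the table calls for.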