Access to AD Objects or Containers

Required User Role: Active Directory Domain Administrator

Note: This section only applies for a Tenable Identity Exposure license for the Indicator of Exposure module.

Tenable Identity Exposure does not require administrative privileges to achieve its security monitoring.

This approach relies on the ability of the user account that Tenable Identity Exposure uses to read all Active Directory objects stored in a domain (including user accounts, organizational units, groups, etc.).

By default, most objects have a read access for the group Domain Users that the Tenable Identity Exposure service account uses. However, you must manually configure some containers to allow read access for the Tenable Identity Exposure user account.

The following table details the Active Directory objects and containers that require manual configuration for read access on each domain that Tenable Identity Exposure monitors.

Location of the Container

Description

CN=Deleted Objects,DC=<DOMAIN>,DC=<TLD>

A container that hosts deleted objects.

CN=Password Settings Container,CN=System, DC=<DOMAIN>,DC=<TLD>

(Optional) A container that hosts Password Settings Objects.

To grant access to AD objects and containers:

  • In the domain controller's PowerShell console, run the following commands to grant access to Active Directory objects or containers:

    Note: You must run these commands on each domain that Tenable Identity Exposure monitors.
    Note: When you use the takeownership command, it re-assigns ownership of a container. This allows the current user to modify permissions that were previously too restrictive.
    If the current user belongs to the Tenable-recommended groups, like Domain Admins or Enterprise Admins, one of these groups will become the new owner. This is considered a secure ownership assignment.
    However, if the user is not in one of these groups, the user account itself becomes the new owner. This is not a recommended practice, and you'll have to manually reset the ownership to a more secure group.

    If the current user belongs to the recommended groups, like Domain Admins or Enterprise Admins, one of these groups will become the new owner. This is considered a secure ownership assignment.

    However, if the user is *not* in one of these groups, the user account itself becomes the new owner. This is not a recommended practice, and you'll have to manually reset the ownership to a more secure group.

    Copy
    #Set Service Account
    $serviceAccount = "<SERVICE_ACCOUNT>"

    #Don't Edit after here
    $domain = Get-ADDomain
    @($domain.DeletedObjectsContainer, "CN=Password Settings Container,$($domain.SystemsContainer)") | ForEach-Object {
        & dsacls $_ /takeownership
        & dsacls $_ /g "$($serviceAccount):LCRP" /I:T
    }
    where <__SERVICE_ACCOUNT__> refers to the service account that Tenable Identity Exposure uses.

Alternatively, if PowerShell is not available, you can also execute these commands for each container:

Copy
dsacls "<__CONTAINER__>" /takeownership
dsacls "<__CONTAINER__>" /g <__SERVICE_ACCOUNT__>:LCRP /I:T

where:

  • <__CONTAINER__> refers to the container that requires access.
  • <__SERVICE_ACCOUNT__> refers to the service account that Tenable Identity Exposure uses.