Access to AD Objects or Containers

Required User Role: Active Directory Domain Administrator

Tenable Identity Exposure does not require administrative privileges to achieve its security monitoring.

This approach relies on the ability of the user account that Tenable Identity Exposure uses to read all Active Directory objects stored in a domain (including user accounts, organizational units, groups, etc.).

By default, most objects have a read access for the group Domain Users that the Tenable Identity Exposure service account uses. However, you must manually configure some containers to allow read access for the Tenable Identity Exposure user account.

The following table details the Active Directory objects and containers that require manual configuration for read access on each domain that Tenable Identity Exposure monitors.

To grant access to AD objects and containers:

• In the domain controller's PowerShell console, run the following commands to grant access to Active Directory objects or containers:

  Note: You must run these commands on each domain that Tenable Identity Exposure monitors.
  Copy

  #Set Service Account
  $serviceAccount = "<SERVICE_ACCOUNT>"
  
  #Don't Edit after here
  $domain = Get-ADDomain
  @($domain.DeletedObjectsContainer, "CN=Password Settings Container,$($domain.SystemsContainer)") | ForEach-Object {
      & dsacls $_ /takeownership
      & dsacls $_ /g "$($serviceAccount):LCRP" /I:T
  }

  where <__SERVICE_ACCOUNT__> refers to the service account that Tenable Identity Exposure uses.

Alternatively, if PowerShell is not available, you can also execute these commands for each container:

dsacls "<__CONTAINER__>" /takeownership
dsacls "<__CONTAINER__>" /g <__SERVICE_ACCOUNT__>:LCRP /I:T

where:

• <__CONTAINER__> refers to the container that requires access.

• <__SERVICE_ACCOUNT__> refers to the service account that Tenable Identity Exposure uses.