Access for Privileged Analysis

The optional Privileged Analysis feature requires administrative privileges. You must assign permissions for the service account that Tenable Identity Exposure uses.

For more information, see Privileged Analysis.

Note: You must assign permissions on each domain where you enable Privileged Analysis.
Requirement: To assign permissions, you need an account with Domain Admins rights or equivalent.

  • In the domain controller's command-line interface, run the following command to add both permissions:

    Copy 
    dsacls "<__DOMAIN_ROOT__>"  /g "<__SERVICE_ACCOUNT__>:CA;Replicating Directory Changes" "<__SERVICE_ACCOUNT__>:CA;Replicating Directory Changes All"

    • Where:

  • <__DOMAIN_ROOT__> refers to the Distinguished Name of the root of the domain. Example: “DC=<DOMAIN>,DC=<TLD>”

  • <__SERVICE_ACCOUNT__> refers to the service account that Tenable Identity Exposure uses. Example: “DOMAIN\tenablead”.

  1. From the Start menu in Windows, open Active Directory Users and Computers.

  2. From the View menu, select Advanced Features.

  3. Right-click on the domain root and select Properties.

    The domain root's properties pane opens.

  4. Click the Security tab and click Add.

  5. Locate the Tenable Identity Exposure service account:

    Note: in a forest with multiple domains environment, the service account may be in a different Active Directory domain.

  6. Scroll down the list and deselect all permissions set by default.

  7. In the Allow column, select permissions for both Replicating Directory Changes and Replicating Directory Changes All.

  8. Click OK.

Important Notes

Tenable Identity Exposure only requires one service account per forest, so when you assign permissions in a domain you may need to search for the service account from another domain.
You must assign additional permissions at the domain root level. The Active Directory does not support permissions assigned to an organizational unit or a specific user — for example to restrict Privileged Analysis to the OU or user — and therefore these do not have any effect.
These permissions grant the Tenable Identity Exposure service account much more power over the Active Directory domain. You must then consider it as a privileged account (Tier 0) and protect it as similarly as a domain administrator account. For the complete procedure, see Protecting Service Accounts.