Skip to content

Commit fd3c6aa

Browse files
MburrofatoMburrofato
authored
404910 (#268)
* Spike Story 404910: Update Documentation for LPA for AD_DSRM and AD_TimeSync jobs
1 parent 0df25c6 commit fd3c6aa

File tree

2 files changed

+14
-2
lines changed
  • docs/accessanalyzer
    • 11.6/requirements/activedirectory/activedirectory
    • 12.0/requirements/activedirectory/target

2 files changed

+14
-2
lines changed

docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -182,8 +182,11 @@ While the Registry Data Collector typically requires Domain Administrator permis
182182
a domain controller, that level of access is not required to run the 5.Domains > 0.Collection >
183183
AD_DSRM Job. The minimum requirements for running this job are:
184184

185-
- Requires read access to the following Registry key and its children:
185+
- Requires read access to the following Registry key and its children:
186186
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
187+
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
188+
189+
Alternatively, granting access to the Server Operators group also allows read-only access to the Lsa key, just requiring access added to the winreg key.
187190

188191
**AD_TimeSync Job Permissions**
189192

@@ -193,6 +196,9 @@ AD_TimeSync Job. The minimum requirements for running this job are:
193196

194197
- Requires Read access to the following Registry keys and its children:
195198
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
199+
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
200+
201+
Alternatively, granting access to the Network Configuration Operators group also allows read-only access to the W32Time key, just requiring access added to the winreg key.
196202

197203
**AD_DomainInfo Job Permissions**
198204

docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -182,8 +182,11 @@ While the Registry Data Collector typically requires Domain Administrator permis
182182
a domain controller, that level of access is not required to run the 5.Domains > 0.Collection >
183183
AD_DSRM Job. The minimum requirements for running this job are:
184184

185-
- Requires read access to the following Registry key and its children:
185+
- Requires read access to the following Registry key and its children:
186186
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
187+
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
188+
189+
Alternatively, granting access to the Server Operators group also allows read-only access to the Lsa key, just requiring access added to the winreg key.
187190

188191
**AD_TimeSync Job Permissions**
189192

@@ -193,6 +196,9 @@ AD_TimeSync Job. The minimum requirements for running this job are:
193196

194197
- Requires Read access to the following Registry keys and its children:
195198
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
199+
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
200+
201+
Alternatively, granting access to the Network Configuration Operators group also allows read-only access to the W32Time key, just requiring access added to the winreg key.
196202

197203
**AD_DomainInfo Job Permissions**
198204

0 commit comments

Comments
 (0)