Phone Lines icon GFI Support Home

Articles in this section

Exinda AD Service Minimum Requirements

Author: Luis Fernandes Updated

Overview

This article provides information regarding the minimum privileges needed for the AD agent for successful connection between Exinda and Active Directory installed on Windows Server.

For the full AD Integration instructions, please refer to the Active Directory Integration how-to guide.

Information

  • The Exinda Active Directory Connector requires .NET Framework 4.0.

  • Logon Auditing must be enabled on the Active Directory server to install the Exinda Active Directory Connector.

  • The WMI service must be started on the Active Directory server and on the server where the Exinda Active Directory Connector is installed.

  • The agent, when installed on a DC, will need access to Windows Logon Auditing - Event Viewer > Windows Logs > Security > Filter Event ID 4624 (4624 is a successful logon; note that 4626 is a failed logon attempt).

  • Default account used under services - Exinda AD service properties is the Local System account.

The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects.

The LocalSystem account has the following privileges:

  • SE_ASSIGNPRIMARYTOKEN_NAME (disabled)

  • SE_AUDIT_NAME (enabled)

  • SE_BACKUP_NAME (disabled)

  • SE_CHANGE_NOTIFY_NAME (enabled)

  • SE_CREATE_GLOBAL_NAME (enabled)

  • SE_CREATE_PAGEFILE_NAME (enabled)

  • SE_CREATE_PERMANENT_NAME (enabled)

  • SE_CREATE_TOKEN_NAME (disabled)

  • SE_DEBUG_NAME (enabled)

  • SE_IMPERSONATE_NAME (enabled)

  • SE_INC_BASE_PRIORITY_NAME (enabled)

  • SE_INCREASE_QUOTA_NAME (disabled)

  • SE_LOAD_DRIVER_NAME (disabled)

  • SE_LOCK_MEMORY_NAME (enabled)

  • SE_MANAGE_VOLUME_NAME (disabled)

  • SE_PROF_SINGLE_PROCESS_NAME (enabled)

  • SE_RESTORE_NAME (disabled)

  • SE_SECURITY_NAME (disabled)

  • SE_SHUTDOWN_NAME (disabled)

  • SE_SYSTEM_ENVIRONMENT_NAME (disabled)

  • SE_SYSTEMTIME_NAME (disabled)

  • SE_TAKE_OWNERSHIP_NAME (disabled)

  • SE_TCB_NAME (enabled)

  • SE_UNDOCK_NAME (disabled)

Important Considerations

  • Ensure port 8015 is open on any firewall between the devices.
  • The account needed when setting AD connector would be an administrator account that can access the Windows Logon Auditing events. Recommended is a Domain Admin account.

    Note: As per Microsoft requirements, you need admin rights to read the event log.

Related articles