We are investigating lower the permissions of our IDR service account since you can now collect DC security events directly from the Insight Agent. However, I was reviewing the documentation for Microsoft DNS/DHCP, and Rapid7 recommends Domain Admin privileges for collection via the native service logs. Has anyone tried using a regular domain account for this?
Hi @michael DNS and DHCP are directory watcher event sources, in order to set this up correctly the service account needs read access to the directories over a network share, it does not require domain admin permissions.
Excellent. Rapid7 may want to modify the Microsft DHCP/DNS documentation as it recommends Domain Admin permissions.