While performing the initial installation of Netwrix Auditor, I was informed that it is best to run the primary account as a Domain Admin for initial installation ease and the ability to compress logs. I would like to know if you use a CyberArk managed domain admin account for the Netwrix primary account rather than a standard domain admin account or gMSA non-domain account.
My biggest complaint about Netwrix was the preference for domain admin usage. It’s bad practice in today’s world, and I’ve wanted to undo it for years now. gMSA is not supported for all modules, though, and I’d rather not use it at all rather than have the complication of still using it in some places.
I made a post here about Exchange hybrid, for example.
Jeff,
Welcome to the Netwrix Community!
At this time, Netwrix Auditor does not support using a CyberArk-managed Domain Admin account. However, we do offer integration with Netwrix Privilege Secure, which allows you to use a managed account through that solution.
Regarding domain admin usage, there are definitely advantages to using a Domain Admin account, though it’s not strictly required. A gMSA account is an excellent option for managing permissions securely, though it’s true that a few collectors currently don’t support gMSA accounts.
Most collectors only require local administrator rights on the servers they monitor. For instance:
- File Server and Windows Server auditing require only local admin permissions.
- SQL Server auditing doesn’t require server admin rights—just the necessary access within the SQL instance being audited.
The collectors where using a Domain Admin account makes the most sense are Active Directory, Group Policy, and Logon Activity. Below are the two main benefits of using a Domain Admin account with these collectors:
- Compression Service – This feature allows much of the data processing to occur on the target servers before the information is transferred to the Auditor server, reducing server load. The benefit depends on your environment size:
  - For 10 or fewer Domain Controllers, the impact is minimal.
  - For more than 10, you may notice performance improvements—but adding additional resources to the Auditor server can achieve similar results if you choose not to use compression.
- Automatically Adjust Audit Settings – This is the biggest advantage. While it’s possible to manually configure and maintain audit settings (and we even provide a tool to help with that), automatic adjustment ensures reliability. If a bad actor, another application, or an unaware admin modifies required audit settings, Netwrix Auditor can automatically detect and restore them—helping you avoid missing logons or critical changes.
It’s important to note that Netwrix Auditor never disables unnecessary audit settings. However, it may generate a warning about them to help prevent event log overflow. If you have valid reasons for those extra settings, the warning can safely be omitted.
If you prefer not to use a Domain Admin account, I recommend configuring an alert on your Group Policy Monitoring Plan. This will notify you if the GPO containing your Netwrix Auditor audit settings is modified. While this approach might still result in occasional missed logons or changes, it provides visibility so you can quickly reapply the correct audit settings.
If you have any follow-up questions or would like clarification on anything I mentioned, please feel free to reply here. I’ll be happy to help further!
Michael Purdin
Manager, Technical Support Engineering
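
For anyone running without a Domain Admin account and maintaining audit settings manually, the drift check described in the reply above can be approximated with a small script. This is an added example, not Netwrix code and not part of the thread: the baseline values, sample rows, and the function names `ConvertTo-AuditFlags` and `Get-AuditPolicyDrift` are assumptions for illustration. Settings that exceed the baseline are not reported, mirroring the point that extra audit settings are left in place.

```powershell
# Added example, not Netwrix code. The baseline is a constructed placeholder;
# replace it with the audit settings your monitoring plans actually require.
$RequiredAudit = [ordered]@{
    'Logon'                     = 'Success and Failure'
    'Directory Service Changes' = 'Success'
    'Audit Policy Change'       = 'Success'
}

# Constructed sample in the CSV layout printed by: auditpol /get /category:* /r
$SampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Logon,{GUID-PLACEHOLDER},Success,
DC01,System,Directory Service Changes,{GUID-PLACEHOLDER},No Auditing,
DC01,System,Audit Policy Change,{GUID-PLACEHOLDER},Success and Failure,
DC01,System,Process Creation,{GUID-PLACEHOLDER},Success,
'@

function ConvertTo-AuditFlags([string]$Setting) {
    # 'Success and Failure' -> Success, Failure; 'No Auditing' or '' -> nothing
    @('Success', 'Failure') | Where-Object { $Setting -match "\b$_\b" }
}

function Get-AuditPolicyDrift {
    param([string[]]$CsvLines, [System.Collections.IDictionary]$Baseline)
    $actual = @{}
    foreach ($row in ($CsvLines | Where-Object { $_ } | ConvertFrom-Csv)) {
        $actual[$row.Subcategory] = $row.'Inclusion Setting'
    }
    foreach ($name in $Baseline.Keys) {
        $need = @(ConvertTo-AuditFlags $Baseline[$name])
        $have = @(ConvertTo-AuditFlags ([string]$actual[$name]))
        # Only a required flag that is absent counts as drift; extras are ignored.
        $missing = @($need | Where-Object { $_ -notin $have })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                Subcategory = $name
                Required    = $Baseline[$name]
                Actual      = if ($actual.ContainsKey($name)) { $actual[$name] } else { 'not reported' }
                Missing     = $missing -join ' and '
            }
        }
    }
}

# Live use on a domain controller (elevated): -CsvLines (auditpol /get /category:* /r)
Get-AuditPolicyDrift -CsvLines $SampleCsv -Baseline $RequiredAudit | Format-Table -AutoSize
```

Run on a schedule, any returned row is the signal to reapply the audit GPO; it complements the Group Policy Monitoring Plan alert rather than replacing it.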