Limit Permissions for Inactive User Tracker and Password Expiration Notifier

We use NA 10.7, NPPE 11, and Ping Castle 3.3. We also leverage Inactive User Tracker and Password Expiration Notifier.

Ping Castle has put us on a quest to remove excessive rights from as many things as possible. We are making great progress, but these two tools are being counterproductive from that standpoint.

Password Expiration Notifier claims it only needs domain user rights, but we cannot get it to work with DU only. If we assign the service account that we are using with it DA privileges, it of course works.

The Inactive User Tracker is a bit better; we can get it to run with the service account as a member of Account Operators, but Ping Castle doesn’t like that and knocks down our score as a result.

So, is there some sort of list that shows the specific rights/roles these tools require, so we could create a custom group and assign those rights to the necessary OUs, which would negate the need to use over-privileged accounts with these utils?

Appreciate any thoughts that folks have.

Hello ‘Westdave’ and welcome to the Netwrix Community! I’m one of the managers in our Technical Support Department, and I’d be happy to help with the issues you’re experiencing with Password Expiration Notifier (PEN) and Inactive User Tracker (IUT).

For PEN, the service account needs permission to read user attributes in Active Directory. One thing that’s not clearly noted in the documentation is that the account may also need to be a local administrator on the server where Netwrix Auditor is installed. If you haven’t already tried that, I recommend doing so to see if it resolves the issue.

If that doesn’t work, could you provide more details about what’s happening? For example, are you unable to save the plan, is the plan not running, or are you receiving a specific error?

As for IUT, our documentation is correct in stating that the service account should be a member of the Domain Admins group. If you’re seeing it run with just Account Operators, that’s likely because you’re not using any of the built-in actions like moving accounts to a different OU, disabling them, etc. If you’re trying to reduce permissions further, you could try making the account a local admin on the Auditor server, though full functionality may still require elevated domain permissions.

Let me know how it goes with PEN. If adding the account to local administrators doesn’t solve the issue, I’d be happy to review a log file to help troubleshoot further.

Michael Purdin
Technical Support Manager

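As an added example (not code from the post, Netwrix, or Ping Castle), a PowerShell check that lists the privileged built-in groups a service account belongs to, directly or through nesting, so the rights reduction discussed above can be verified before and after changing the PEN or IUT account; the RSAT ActiveDirectory module and the sample account name 'svc-netwrix' are assumptions.

```powershell
# Added example, not code from Netwrix or Ping Castle. Lists the privileged
# built-in groups a service account belongs to, including nested membership,
# so an account used by PEN or IUT can be checked against least privilege.
# Assumes the RSAT ActiveDirectory module; 'svc-netwrix' is a placeholder name.
Import-Module ActiveDirectory

function Get-PrivilegedGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Default built-in groups that AD assessments flag when a service account holds them
    $privileged = @(
        'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
        'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
    )

    $user = Get-ADUser -Identity $SamAccountName

    # Escape characters that are special inside an LDAP filter value (backslash first)
    $dn = $user.DistinguishedName.Replace('\', '\5c').Replace('(', '\28').Replace(')', '\29').Replace('*', '\2a')

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested membership
    # on the domain controller, so groups reached through another group are included.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"

    foreach ($g in $groups) {
        [pscustomobject]@{
            Account    = $SamAccountName
            Group      = $g.Name
            Privileged = ($privileged -contains $g.Name)
        }
    }
}

$account = 'svc-netwrix'
$report  = Get-PrivilegedGroupMembership -SamAccountName $account
$report | Sort-Object Privileged -Descending | Format-Table -AutoSize

$flagged = $report | Where-Object Privileged
if ($flagged) {
    Write-Warning ("{0} holds privileged membership: {1}" -f $account, ($flagged.Group -join ', '))
} else {
    Write-Host "$account holds no privileged built-in group membership."
}
```

Run it once with the account as it is today and again after moving it to a custom delegated group; an empty warning on the second run confirms the Domain Admins or Account Operators membership the question describes is gone.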