Articles in this section

See more

Required Permissions for the OpenDNS_Connector User

Avatar
Tom Allen
  • Updated
Follow

 



Overview

 

The Windows Connector script normally sets the required permissions for the OpenDNS_Connector user. However, in strict AD environments, some administrators may not be permitted to run VB scripts on their Domain Controllers, and thus will need to manually replicate the actions of the Windows Configuration script. This article details what permissions are required to be set on the DC. 

Note: For the purpose of this article, OpenDNS_Connector is assumed to be the sAMAccountName of your Connector account in AD. If you are using a custom name instead, follow the same instructions with the sAMAccountName of your connector account instead of OpenDNS_Connector. 

This guide is split into two parts: a basic guide which resolves most cases and a complete guide to possible solutions to the Access Denied error. 



Basic problem resolution instructions

 

Problem: You notice that an AD Connector is showing an alert or error state in the dashboard, and the message listed when you hover over the alert is Access Denied to one of the registered AD servers.

If one of the alerts shows Access Denied to one of the registered AD servers, this usually indicates the OpenDNS_Connector user has insufficient permissions to operate.

Please ensure that the OpenDNS_Connector user is a member of the following AD Groups:

  • Enterprise Read-only Domain Controllers
  • Event Log Readers (only if the deployment includes Virtual Appliances)
  • Distributed COM users (only if the deployment includes Virtual Appliances)

The typical solution is to make sure that the required permissions are setup correctly on the AD server (DC) in question. Check these settings on the DC itself. 

 

 To verify WMI Permissions (This is required only if the deployment includes Virtual Appliances)

1. Click Start > Run > wmimgmt.msc (Windows Management Infrastructure Control console)
2. Right-click on WMI Control > click Properties > Security tab
3. Select Root > CIMV2 namespace and click the Security button
4. Add the OpenDNS_Connector user and Allow the following permissions:
Enable Account, Remote Enable and Read Security

 

To verify DCOM Permissions (This is required only if the deployment includes Virtual Appliances)

1. From a command line run dcomcnfg
2. Console Root > Component Services > Computers
3. Right-click on My Computer and select Properties.
4. From My Computer Properties select COM Security tab.
5. In "Launch and Activation Permissions" area click "Edit Limits".
6. Add the OpenDNS_Connector user and allow Remote Launch and Remote Activation permissions.
7. Click OK to confirm and close My Computer Properties. 

 

IMPORTANT!

If DCOM changes are made, a reboot of that DC is required for the changes to take effect.

 
If after confirming/changing the aforementioned settings, you are still seeing "Access Denied" messages in the Dashboard, please read on to the next section or send Support the Connector logs as outlined in this article: Provide Support with AD Connector Logs
 
 

IMPORTANT:

If you are deploying the AD Connector with Virtual Appliances, these permissions must be set on all Domain Controllers in the domain which the Connector will be communicating with.

 

Windows Event Log Collector

If your AD Connector is configured to read login events from a centralized Windows Event Log Collector instead of from multiple domain controllers, ensure that the connector is deployed on a server belonging to the same domain as the Windows Event Log Collector. 
  • The connector account (OpenDNS_Connector or custom account as configured) should be added to the local Event Log Readers group on the Windows Event Log Collector machine.
  • The inbound firewall rules for Remote Event Log Management need to be enabled on the Windows Event Log Collector machine to allow the connector machine to read the logs. 

RemoteEventLogManagementRules.JPG

This can be done by running the following command on the Event Log Collector: netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes  

Once the permissions are provided, you can reach out to Umbrella support to have the Windows Event Log Collector registered on your dashboard.

 

Complete Topics for Access Denied Resolution

  

In addition to the permissions below, the OpenDNS_Connector user should belong to the "Domain Users" and "Users" groups. You can verify the group membership of the OpenDNS_Connector user with the following command:

dsquery user -samid OpenDNS_Connector | dsget user -memberof -expand

The OpenDNS_Connector performs two primary tasks for which these permissions are needed. First, it pulls LDAP information from Active Directory in order to allow you to create policies based on AD group, and to be able to display AD usernames and group names in the Umbrella Dashboard. The Replicate Directory Changes permission allows this. 

Second, it collects login events from Domain Controllers, passing them to the Virtual Appliances. This allows the Virtual Appliances to create their IP-to-user mappings and thus identify users. All of the permissions below apply to this with the exception of the Replicate Directory Changes permission. These permissions are required only if the deployment includes Virtual Appliances in the same Umbrella site as the Domain Controllers.

These permissions can be set differently depending on the version of Windows Server which your DC is running:

 

Note:

In addition to setting the required permissions for the OpenDNS_Connector user, the Windows Configuration script also registers a DC by issuing API calls to Umbrella. If you will be manually modifying the permissions instead of using the Windows Configuration script, then this registration must also be done manually. Please contact Umbrella Support in order to have this done.

  
 

 

Windows Server 2008, 2012, and 2016

 

Windows Server 2008 and later versions include various groups that, by default, provide most of the permissions we need. However, it is possible that the permissions for these groups can be modified, so please take care to ensure that the groups have the necessary permissions.

 

Replicate Directory Changes

 

This permission allows the OpenDNS_Connector user to query LDAP. This is the required permission typically given with the "Enterprise Read-Only Domain Controllers" group. This provides the Umbrella Dashboard with the information needed to display the names of AD objects, and to determine group memberships. We request the following attributes:

sAMAccountName

userPrincipalName

dn (Distinguished Name)

memberOf

objectGUID

primaryGroupId

primaryGroupToken

userAccountControl

member

from the following objectClasses:

(&(objectCategory=person)(objectClass=user))

(objectClass=organizationalunit)

(objectClass=computer)

(objectClass=group)

The built-in "Enterprise Read-only Domain Controllers" group should provide this permission, and thus the OpenDNS_Connector user should be a member of this group. You can verify the group's permissions or specify the permissions specifically for the OpenDNS_Connector user (if the group above does not supply these permissions) as follows (also discussed here):

  • Open the Active Directory Users and Computers snap-in
  • On the View menu, click Advanced Features.
  • Right-click the domain object, such as "company.com", and then click Properties.
  • On the Security tab, select either "Enterprise Read-only Domain Controllers" or the "OpenDNS_Connector" user.
    • If necessary, you can add the "OpenDNS_Connector" user by clicking "Add".
    • In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.
    • Click OK to return to the Properties dialog box.
  • Click to select the Replicating Directory Changes and Read check boxes from the list.
  • Click Apply, and then click OK.
  • Close the snap-in. 
 

Note:

In a Parent/Child domain scenario, the "Enterprise Read-only Domain Controller" only exists in the parent domain. In this case, the permissions should be manually added for the OpenDNS_Connector as shown above.

 

Event Log Readers

 

This change is required only if the deployment includes Virtual Appliances in the same Umbrella site as the Domain Controller. Membership in this group allows the OpenDNS_Connector user to read the logon events from the Event Logs. 

On the Domain Controller machine, in the Windows Advanced Firewall settings ensure that the Inbound rules for Remote Event Log Management (NP-In, RPC and RPC-EPMAP) are allowed. The Umbrella AD Connector may log an error saying "The RPC Server is unavailable" and may not be able to read login events if these rules are not allowed.

 

RemoteEventLogManagementRules.JPG

You can also enable these rules through the following command:
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes  
 

Remote Admin 

 

Remote Administration is needed to allow WMI connections. This permission is required only if the deployment includes Virtual Appliances in the same Umbrella site as the Domain Controller.

From a Command prompt, please run the following commands:

netsh advfirewall firewall set rule group="remote administration" new enable=yes

netsh advfirewall set currentprofile settings remotemanagement enable

On the Connector machine, in the Windows Advanced Firewall settings ensure that WMI and DCOM In are allowed. Symptom is if the WBEM test works, but the Connector throws an error. These settings may also be configured by command, for example:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

1.jpg

 

Distributed COM

 

This permission is required as part of the WMI connections used for subscribing to logon events. This permission is required only if the deployment includes Virtual Appliances in the same Umbrella site as the Domain Controller.

The "Distributed COM Users" group should provide the necessary permissions, and thus the OpenDNS_Connector user shoudl be a member of this group. You can verify the group's permissions or specify the permissions specifically for the OpenDNS_Connector user as follows:

  • From a command line run dcomcnfg.
  • Console Root > Component Services > Computers.
  • Right-click on ‘My Computer’ and select ‘Properties’.
  • From ‘My Computer Properties’ select ‘COM Security’ tab.
  • In ‘Launch and Activation Permissions’ area click ‘Edit Limits’.
  • On the "Security Limits" tab, select either "Distributed COM Users" or the "OpenDNS_Connector" user.
    • If necessary, you can add the "OpenDNS_Connector" user by clicking "Add".
    • In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.
    • Click OK to return to the Properties dialog box.
  • Allow ‘Remote Launch’ and ‘Remote Activation’ permissions.
  • Click OK to confirm and close My Computer Properties. 
 

Note:

Changes to DCOM permissions will require a reboot of the server in order to take effect.

  

Windows Management Instrumentation

 

WMI is used by the Connector to subscribe to logon events from the Domain Controllers. This permission is required only if the deployment includes Virtual Appliances in the same Umbrella site as the Domain Controller.

You can verify or specify the permissions for the OpenDNS_Connector user as follows:

  • Run wmimgmt.msc (Windows Management Infrastructure Control console).
  • Right-click on ‘WMI Control’. Click ‘Properties’ > ‘Security’ tab.
  • Select Root > CIMV2 namespace and click the Security button.
  • Add the OpenDNS_Connector user and Allow the following permissions: ‘Enable Account’‘Remote Enable’ and ‘Read Security’.
  • Click OK to exit each dialog window, then click Save to apply changes. 

 

 

Audit Policy

 

This change is required only if the deployment includes Virtual Appliances in the same Umbrella site as the Domain Controller. The Audit policy defines what events get logged in the Event Log of the Domain Controller. The Connector requires that successful logon events are recorded so that we can use them to map users to their IP addresses.

In normal Windows Server 2008+ environments, the legacy "Audit logon events" setting must be configured as per the above instructions for Server 2003.  This change is required for our Windows Configuration Script to succeed.  To configure the legacy Audit Policy, please see the Windows Server 2003 Audit Policy section.

However, Windows Server 2008 also introduced the Advanced Audit Policy Configuration. While the legacy Windows Audit Policies can still be used, they will be ignored if any of the Advanced Audit Policies are defined. For those interested in more information, the following Microsoft article is an excellent explanation of how the two Audit Policies interact:

Getting the Effective Audit Policy in Windows 7 and 2008 R2

 For the purposes of the Connector, if any Advanced Audit Policies are defined (including ones not related specifically to logon), then the Advanced Audit Policies MUST be used.

The Advanced Audit Policy should be set for all DCs using Group Policy.  Edit the appropriate Group Policy for your DC (typically the "Default Domain Controller Policy"), and go to the following section:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff

In that section, set the following policies to include both "Success" and "Failure" events:

Audit Logon

Audit Logoff

Audit Other Logon/Logoff Events

Please ensure that you update the Group Policy on the DC after making this change. 

When providing this information to OpenDNS Support, please gather the output of the following two commands:

auditpol.exe /get /category:* > DCNAME_auditpol.txt
GPRESULT /H DC_NAME.htm

 

 

Windows Server 2003

 

Many of the required permissions cannot be set automatically in Server 2003. Please ensure that the permissions in each of the following sections are properly set.

 

Remote Admin

 

Remote Administration is needed to allow WMI connections. This permission is required only if the deployment includes Virtual Appliances in the same Umbrella site as the Domain Controller. From a Command prompt, please run the following command:

netsh firewall set service type = remoteadmin mode = enable

On the Connector machine, in the Windows Advanced Firewall settings ensure that WMI and DCOM In are allowed. 

1.jpg

 

Distributed COM

 

This permission is required as part of the WMI connections used for subscribing to logon events. This permission is required only if the deployment includes Virtual Appliances in the same Umbrella site as the Domain Controller. 

The "Distributed COM Users" group should provide the necessary permissions, and thus the OpenDNS_Connector user should be a member of this group. You can verify the group's permissions or specify the permissions specifically for the OpenDNS_Connector user as follows:

  • From a command line run dcomcnfg.
  • Console Root > Component Services > Computers.
  • Right-click on ‘My Computer’ and select ‘Properties’.
  • From ‘My Computer Properties’ select ‘COM Security’ tab.
  • In ‘Launch and Activation Permissions’ area click ‘Edit Limits’.
  • On the "Security Limits" tab, select either "Distributed COM Users" or the "OpenDNS_Connector" user.
    • If necessary, you can add the "OpenDNS_Connector" user by clicking "Add".
    • In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.
    • Click OK to return to the Properties dialog box.
  • Allow ‘Remote Launch’ and ‘Remote Activation’ permissions.
  • Click OK to confirm and close My Computer Properties.
 

Note:

Changes to DCOM permissions will require a reboot of the server in order to take effect.

 

Windows Management Instrumentation

 

This permission is required for subscribing to logon events. This permission is required only if the deployment includes Virtual Appliances in the same Umbrella site as the Domain Controller. 

You can verify or specify the permissions for the OpenDNS_Connector user as follows:

  • Run wmimgmt.msc (Windows Management Infrastructure Control console).
  • Right-click on ‘WMI Control’. Click ‘Properties’ > ‘Security’ tab.
  • Select Root > CIMV2 namespace and click the Security button.
  • Add the OpenDNS_Connector user and Allow the following permissions: ‘Enable Account’‘Remote Enable’ and ‘Read Security’.
  • Click OK to exit each dialog window, then click Save to apply changes.
    • ME

 

Manage audit and security log policy

 

This change is required only if the deployment includes Virtual Appliances in the same Umbrella site as the Domain Controller. This group policy allows the OpenDNS_Connector user to read the logon events from the Event Logs. This policy cannot be set automatically by the Windows Configuration script and must thus always be set manually, as per Appendix B of the Active Directory Integration Guide:

Active Directory Integration - Appendix B: Configuring AD Servers on Windows Server 2003 R2

 

Audit Policy

 

This change is required only if the deployment includes Virtual Appliances in the same Umbrella site as the Domain Controller. The Audit policy defines what events get logged in the Event Log of the Domain Controller. The Connector requires that successful logon events are recorded so that we can use them to map users to their IP addresses. Specifically, the "Audit logon events" policy must be set to "Success". This can be verified by running the following command at a Command Prompt:

GPRESULT /z

This policy is defined as a Group Policy Object. To modify it, edit the appropriate Group Policy for your DC (typically the "Default Domain Controller Policy"), and set the following policy to include "Success" events:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events

Please ensure that you update the Group Policy on the DC after making this change.

When providing this information to Umbrella Support, please use the following command instead, and send the resulting HTML file:

GPRESULT /H DC_NAME.htm

where "DC_NAME" is the hostname of your DC.

 

Replicate Directory Changes

 

This permission allows the OpenDNS_Connector user to query LDAP. This is the required permission typically given with the "Enterprise Read-Only Domain Controllers" group. This provides the Umbrella Dashboard with the information needed to display the names of AD objects, and to determine group memberships. We request the following attributes:

sAMAccountName

userPrincipalName

memberOf

objectGUID

primaryGroupId

primaryGroupToken

userAccountControl

member

from the following objectClasses:

(&(objectCategory=person)(objectClass=user))

(objectClass=organizationalunit)

(objectClass=computer)

(objectClass=group)

The built-in "Enterprise Read-only Domain Controllers" group should provide this permission, and thus the OpenDNS_Connector user should be a member of this group. You can verify the group's permissions or specify the permissions specifically for the OpenDNS_Connector user (if the group above does not supply these permissions) as follows (also discussed here):

  • Open the Active Directory Users and Computers snap-in
  • On the View menu, click Advanced Features.
  • Right-click the domain object, such as "company.com", and then click Properties.
  • On the Security tab, select either "Enterprise Read-only Domain Controllers" or the "OpenDNS_Connector" user.
    • If necessary, you can add the "OpenDNS_Connector" user by clicking "Add".
    • In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.
    • Click OK to return to the Properties dialog box.
  • Click to select the Replicating Directory Changes and Read check boxes from the list.
  • Click Apply, and then click OK.
  • Close the snap-in. 
 

Note:

In a Parent/Child domain scenario, the "Enterprise Read-only Domain Controller" only exists in the parent domain. In this case, the permissions should be manually added for the OpenDNS_Connector as shown above.

 

Related articles

Comments

0 comments

Article is closed for comments.