Chapter 3 Authentication for FortiOS 5.0 : Agent-based FSSO : Agent installation : DC agent installation : Installing FSSO without using an administrator account
  
Installing FSSO without using an administrator account
Normally when installing services in Windows, it is best to use the Domain Admin account, as stated earlier. This ensures installation goes smoothly and uninterrupted, and when using the FSSO agent there will be no permissions issues. However, it is possible to install FSSO with a non-admin account in Windows 2003 or 2008 AD.
 
The following instructions for Windows 2003 are specific to the event log polling mode only. Do not use this procedure with other FSSO configurations.
Windows 2003
There are two methods in Windows 2003 AD for installing FSSO without an admin account — add the non-admin user to the security log list, and use a non-admin account with read-only permissions. A problem with the first method is that full rights (read, write, and clear) are provided to the event log. This can be a problem when audits require limited or no write access to logs. In those situations, the non-admin account with read-only permissions is the solution.
To add the non-admin user account to the Windows 2003 security log list
1. Go to Default Domain Controller Security Settings > Security Settings > User Rights Assignment > Manage auditing and security log.
2. Add the user account to this list.
3. Repeat these steps on every domain controller in Windows 2003 AD.
4. A reboot is required.
To use a non-admin account with read-only permissions to install FSSO on Windows 2003
The following procedure gives the specified user account read-only access to the Windows 2003 AD Domain Controller Security Event Log, which is enough for FSSO to function.
1. Find out the SID of the account you intend to use. Tools for this can be downloaded for free from http://technet.microsoft.com/en-us/sysinternals/bb897417.
2. Create the permission string. For example:
(A;;0x1;;;S-1-5-21-4136056096-764329382-1249792191-1107)
where A means Allow, 0x1 means Read, and S-1-5-21-4136056096-764329382-1249792191-1107 is the SID of the account.
3. Append the permission string to the existing value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD.
4. Repeat these steps on every domain controller in Windows 2003 AD.
5. A reboot is required.
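To make the permission string concrete, the following is an added example (not part of the Fortinet handbook) that builds the read-only ACE for a SID, appends it to a CustomSD value without duplicating it, and then audits which SIDs in the resulting string hold read, write or clear rights. The sample CustomSD value is constructed; the SID is the example SID from the procedure above.

```python
import re

# Event-log access bits used in CustomSD ACEs: 0x1 read, 0x2 write, 0x4 clear
READ, WRITE, CLEAR = 0x1, 0x2, 0x4
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
# Matches the simple "(type;;rights;;;sid)" ACE form used by CustomSD
ACE_RE = re.compile(r"\((?P<type>[AD]);;(?P<rights>0x[0-9a-fA-F]+);;;(?P<sid>[^)]+)\)")


def read_only_ace(sid):
    """Return the SDDL ACE that grants only Read (0x1) to the given SID."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %s" % sid)
    return "(A;;%#x;;;%s)" % (READ, sid)


def append_ace(custom_sd, ace):
    """Append ace to the DACL of custom_sd; unchanged if it is already present."""
    if "D:" not in custom_sd:
        # Refuse to invent a DACL: a CustomSD with only our ACE would lock everyone else out
        raise ValueError("CustomSD has no DACL (D:) section")
    if ace in custom_sd:
        return custom_sd
    return custom_sd + ace


def audit(custom_sd):
    """Map each SID in an Allow ACE to the named event-log rights it holds."""
    grants = {}
    for m in ACE_RE.finditer(custom_sd):
        if m.group("type") != "A":
            continue
        mask = int(m.group("rights"), 16)
        names = {n for n, bit in (("read", READ), ("write", WRITE), ("clear", CLEAR)) if mask & bit}
        grants.setdefault(m.group("sid"), set()).update(names)
    return grants


# Constructed sample DACL: SYSTEM and Administrators already hold read, write and clear
SAMPLE_SD = "O:BAG:SYD:(A;;0x7;;;SY)(A;;0x7;;;BA)"
# The example SID from the procedure above
SAMPLE_SID = "S-1-5-21-4136056096-764329382-1249792191-1107"

if __name__ == "__main__":
    sd = append_ace(SAMPLE_SD, read_only_ace(SAMPLE_SID))
    print(sd)
    for sid, rights in sorted(audit(sd).items()):
        print(sid, sorted(rights))
```

Running the audit on the CustomSD value read back from each domain controller confirms that the service account received only 0x1 and not the full 0x7 that auditors object to.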
Windows 2008
In Windows 2008 AD, if you do not want to use the Domain Admin account then the user account that starts the FSSO agent needs to be added to the Event Log Readers group.
Once the user is a member of the Event Log Readers group, that user has read-only access to the event log, which is the minimum right FSSO requires to work.