Minimum Permissions Required for TruGrid Service Account (TG-ServiceAccountv2)
Minimum Permissions required for the TruGrid TG-ServiceAccountv2 Active Directory account
On Domain Member Servers running TruGrid Sentry:
a. It must either be a member of the local Administrators group or be granted the “Log on as a Service” right. This is required to run the “TruGrid Sentry” and “TruGrid Health Monitoring” services.
b. It must have “Full Control” permissions on the C:\Program Files\TruGrid folder and its subfolders. This is required to read and write logs, and to auto-update the TruGrid Sentry software if the auto-update feature is enabled on the TruGrid dashboard.
c. It must have “Full Control” permissions on the registry key “HKEY_LOCAL_MACHINE\SOFTWARE”. This is required to read and write registry data under “HKEY_LOCAL_MACHINE\SOFTWARE\TruGrid”, and to auto-update the TruGrid Sentry software if the auto-update feature is enabled on the TruGrid dashboard.
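The following PowerShell script is an added example, not TruGrid's own tooling, for verifying requirements a–c on a member server before or after deployment. It assumes the service account lives in a domain named CONTOSO (a placeholder; edit `$Account`) and that it is run in an elevated session on the server where TruGrid Sentry is installed. The "Log on as a service" check reads the local policy exported by secedit, and the Full Control checks look only for an ACE granted to the account itself, so a server where the account is a local administrator shows which rights it holds in its own right rather than through the BUILTIN\Administrators ACE.

```powershell
# Added example (not part of the original TruGrid article).
# Audits the member-server requirements a-c for TG-ServiceAccountv2 on this server.
$Account = 'CONTOSO\TG-ServiceAccountv2'   # placeholder domain name; change for your environment
$Folder  = 'C:\Program Files\TruGrid'
$RegKey  = 'HKLM:\SOFTWARE'

# Requirement a, option 1: direct membership in the local Administrators group.
$isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                       Where-Object { $_.Name -eq $Account })

# Requirement a, option 2: the "Log on as a service" right (SeServiceLogonRight).
# secedit exports the local policy as an INI file; principals are listed as *SID or by name.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $cfg /quiet | Out-Null
$rightLine = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$hasServiceLogon = [bool]($rightLine -and
    (($rightLine -like "*$sid*") -or ($rightLine -like "*$Account*")))

# Requirements b and c: an explicit Allow ACE granting Full Control to the account that
# is inherited by subfolders/subkeys (InheritanceFlags other than None).
function Test-FullControlAce {
    param([string]$Path, [string]$Identity)
    $full = if ($Path -like 'HKLM:*' -or $Path -like 'HKCU:*') {
        [System.Security.AccessControl.RegistryRights]::FullControl
    } else {
        [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    $aces = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceFlags -ne 'None'
    }
    foreach ($ace in $aces) {
        $rights = if ($ace.PSObject.Properties['RegistryRights']) { $ace.RegistryRights } else { $ace.FileSystemRights }
        if (($rights -band $full) -eq $full) { return $true }
    }
    return $false
}

$checks = [ordered]@{
    'a. Local Administrators member'            = $isLocalAdmin
    'a. Log on as a service right'              = $hasServiceLogon
    'b. Full Control on Program Files\TruGrid'  = Test-FullControlAce -Path $Folder -Identity $Account
    'c. Full Control on HKLM\SOFTWARE'          = Test-FullControlAce -Path $RegKey -Identity $Account
}
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Requirement = $_.Key; Satisfied = $_.Value }
} | Format-Table -AutoSize

# Requirement a is satisfied by either option; b and c need the explicit ACE unless the
# account is a local administrator (which covers them through the Administrators ACE).
if (-not ($isLocalAdmin -or $hasServiceLogon)) {
    Write-Warning 'Requirement a is not met: the TruGrid Sentry services cannot log on with this account.'
}
```

For a least-privilege deployment, the expected result is “Local Administrators member: False” with the other three rows True; any row that reads False while the account is a local administrator indicates the account is relying on group membership rather than a delegated right.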
On RDS Servers when RemoteApp is enabled on TruGrid dashboard:
a. It must be a member of the local Administrators group, or it must be granted WinRM rights on the RDS servers used for RemoteApp. This is required for enumerating installed applications on RDS servers.
b. It must be a member of the local Administrators group, or it must be granted rights to run PowerShell scripts on the RDS servers used for RemoteApp. This is required for enumerating installed applications on RDS servers and enabling the required WMI rules.
In Active Directory (when TruGrid Sentry is not installed on a Domain Controller):
a. If “Active Directory Federation” is used between the Primary and Tenant domains on the TruGrid dashboard, it must be delegated control to create and delete users and to manage group membership in the Tenant AD. This is required for the Shadow User creation used by Active Directory Federation.
b. If “Password Management” is enabled on the TruGrid dashboard, or a user account is designated “User Must Change Password at Next Logon”, it must be delegated the “Reset Password” and “Change Password” rights.
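The following PowerShell script is an added example, not TruGrid's own tooling, for reviewing the Active Directory delegation described in a and b. It reads the security descriptor of the OU holding the Tenant domain's users through the ActiveDirectory module's AD: drive and reports, for each right the checklist names, whether the account holds it scoped to the specific object class, attribute or extended right, holds it through a broader unscoped ACE (such as GenericAll), or lacks it. The account name and OU distinguished name are placeholders; the GUIDs are the well-known schema and extended-right identifiers as they appear in AD ACEs.

```powershell
# Added example (not part of the original TruGrid article).
# Reports which of the checklist's AD rights TG-ServiceAccountv2 holds on the Tenant users OU.
Import-Module ActiveDirectory
$Account  = 'TENANT\TG-ServiceAccountv2'              # placeholder
$TargetOU = 'OU=Tenant Users,DC=tenant,DC=example'    # placeholder

# Well-known schema and extended-right GUIDs, paired with the ActiveDirectoryRights
# flag that a delegation for that item normally carries.
$AR = [System.DirectoryServices.ActiveDirectoryRights]
$Required = @(
    @{ Name = 'Create user objects';     Guid = 'bf967aba-0de6-11d0-a285-00aa003049e2'; Right = $AR::CreateChild }
    @{ Name = 'Delete user objects';     Guid = 'bf967aba-0de6-11d0-a285-00aa003049e2'; Right = $AR::DeleteChild }
    @{ Name = 'Manage group membership'; Guid = 'bf9679c0-0de6-11d0-a285-00aa003049e2'; Right = $AR::WriteProperty }
    @{ Name = 'Reset Password';          Guid = '00299570-246d-11d0-a768-00aa006e0529'; Right = $AR::ExtendedRight }
    @{ Name = 'Change Password';         Guid = 'ab721a53-1e2f-11d0-9819-00aa0040529b'; Right = $AR::ExtendedRight }
)

# Allow ACEs on the OU that name the service account directly.
$aces = (Get-Acl -Path "AD:\$TargetOU").Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
}

$report = foreach ($req in $Required) {
    $guid = [guid]$req.Guid
    # Scoped match: the ACE is limited to this object class, attribute or extended right.
    $scoped = $aces | Where-Object {
        $_.ObjectType -eq $guid -and (($_.ActiveDirectoryRights -band $req.Right) -eq $req.Right)
    }
    # Broad match: an empty ObjectType means the right applies to everything (for example
    # GenericAll, or ExtendedRight with no specific right named). It satisfies the
    # requirement but grants more than the checklist asks for.
    $broad = $aces | Where-Object {
        $_.ObjectType -eq [guid]::Empty -and
        ((($_.ActiveDirectoryRights -band $AR::GenericAll) -eq $AR::GenericAll) -or
         (($_.ActiveDirectoryRights -band $req.Right) -eq $req.Right))
    }
    [pscustomobject]@{
        Requirement = $req.Name
        Granted     = [bool]($scoped -or $broad)
        Scope       = if ($scoped) { 'minimal' } elseif ($broad) { 'broader than needed' } else { 'missing' }
    }
}
$report | Format-Table -AutoSize
```

Rights granted through a group the account belongs to are not shown, because the script matches ACEs by the account's own identity; run it for each such group as well if delegation was done via group membership. A “broader than needed” row is the one worth revisiting, since it usually means the OU was delegated Full Control instead of the specific rights listed above.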
Updated on: 26/09/2024