Permissions Required When an Active Directory User Is Not a Member of the Domain Admins Group
The following permissions are required when the Active Directory user is not a member of the Domain Admins group but is a member of the Domain Users group:
• Permissions to Use DCOM on the Domain Controller
• Permissions to the WMI Root\CIMv2 Name Space
• Access to Read the Security Event Log of the Active Directory Domain Controller
These permissions are valid for all the following Active Directory versions:
For the Cisco CDA to work with a Domain User, certain registry keys must be added manually. The changes are described in the following registry script. The Active Directory administrator can also copy it into a text file with a .reg extension and double-click the file to apply the registry changes. To add the registry keys described below, the user must be the owner of the root key.
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"AppID"="{76A64158-CB41-11D1-8B02-00600806D9B6}"

[HKEY_CLASSES_ROOT\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"DllSurrogate"="  "

Make sure that you include two spaces in the value of the "DllSurrogate" key.
Keep the empty lines as shown in the script above, including an empty line at the end of the file.
Permissions to Use DCOM on the Domain Controller
The Active Directory user must have permission to use DCOM (remote COM) on the Domain Controller. You can grant this with the dcomcnfg tool.
1. Run the dcomcnfg tool from the command line.
2. Expand Component Services.
3. Expand Computers and click My Computer.
4. Select Action from the menu bar, click Properties, and click COM Security.
5. Make sure that the CDA account has Allow permissions for both Access and Launch. The Active Directory user should be added under all four options (Edit Limits and Edit Default for both Access Permissions and Launch and Activation Permissions). See Figure 2-2.
6. Allow all Local and Remote access for both Access Permissions and Launch and Activation Permissions.
Figure 2-2 My Computer Properties
Figure 2-3 Local and Remote Access for Access Permissions
Figure 2-4 Local and Remote Access for Launch and Activation Permissions
Permissions to the WMI Root\CIMv2 Name Space
By default, Active Directory users do not have the Execute Methods and Remote Enable permissions on this namespace. These can be granted using the wmimgmt.msc MMC console.
1. Click Start > Run and type wmimgmt.msc.
2. Right-click WMI Control and click Properties.
3. Under the Security tab, expand Root and choose CIMV2.
4. Click Security.
5. Add the Active Directory user and grant the required permissions as shown in Figure 2-5.
Figure 2-5 Required Permissions for WMI Root\CIMv2 Name Space
Access to Read the Security Event Log of the Active Directory Domain Controller
On Windows Server 2008 and later, this is done by adding the user to the Event Log Readers group.
On all older versions of Windows, this is done by editing a registry key as follows:
1. Find the SID of the account to which read access to the Security event log is being delegated.
2. Run the following command from the command line, as shown in Figure 2-6, to list all accounts with their SIDs:
wmic useraccount get name,sid
You can also use the following for a specific username and domain:
wmic useraccount where name="cdaUser" get domain,name,sid
3. Once you have the SID, open Registry Editor and browse to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
4. Click Security and double-click CustomSD. See Figure 2-7.
For example, to allow read access to the cda_agent account (SID S-1-5-21-1742827456-3351963980-3809373604-1107), append (A;;0x1;;;S-1-5-21-1742827456-3351963980-3809373604-1107) to the existing CustomSD string. Do not replace the existing string, because it holds the access entries for all other principals that read or write the log.
5. Restart the WMI service on the DC. You can do this in either of the following two ways:
a. Run the following commands from the CLI:
net stop winmgmt
net start winmgmt
b. Run Services.msc (this opens the Windows Services Management window). In that window, locate the "Windows Management Instrumentation" service, right-click it and select Restart.
Figure 2-6 List All the SID Accounts
Figure 2-7 Edit CustomSD String
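As an added example that is not part of the Cisco guide, the following PowerShell script carries out the CustomSD procedure above for an older domain controller: it resolves the CDA account to its SID, appends the read-only ACE to the existing CustomSD value instead of overwriting it, parses the stored descriptor back to confirm the entry was accepted, and restarts WMI. The account name is a placeholder, and the script assumes PowerShell is available on the DC and is run from an elevated prompt.

```powershell
# Added example, not from the Cisco CDA guide. Grants the CDA account read access to the
# Security log on a pre-Windows Server 2008 DC by appending to CustomSD, not replacing it.
$Account = 'EXAMPLE\cda_agent'   # placeholder, replace with the real CDA user
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

if ([System.Environment]::OSVersion.Version -ge [version]'6.0') {
    Write-Warning 'Windows Server 2008 or later: add the account to Event Log Readers instead.'
}

# Step 1: resolve the account to its SID (same result as the wmic lookup in the guide).
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Steps 3 and 4: read the current CustomSD and parse it first, so a malformed value is
# caught before anything is written back.
$current = (Get-ItemProperty -Path $KeyPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $current) { throw "No CustomSD value under $KeyPath; nothing to append to." }
$null = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)

# The ACE in the guide's format: Allow, access mask 0x1 (read the log), for this SID.
$ace = "(A;;0x1;;;$sid)"

if ($current.Contains($ace)) {
    "Read ACE for $Account is already present."
} else {
    Set-ItemProperty -Path $KeyPath -Name CustomSD -Value ($current + $ace)
    "Appended $ace to CustomSD."
}

# Verify: parse the stored value back and list every ACE that names this SID.
$stored = (Get-ItemProperty -Path $KeyPath -Name CustomSD).CustomSD
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($stored)
$sd.DiscretionaryAcl |
    Where-Object { $_.SecurityIdentifier.Value -eq $sid } |
    ForEach-Object { '{0} mask=0x{1:X} for {2}' -f $_.AceType, $_.AccessMask, $Account }

# Step 5: the new descriptor takes effect once the WMI service is restarted.
# -Force also restarts the services that depend on winmgmt.
Restart-Service winmgmt -Force
```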