Permission Required when an Active Directory User is Not a Member of the Domain Admin Group

The following permissions are required when the Active Directory user that Cisco CDA runs as is not a member of the Domain Admin group but only of the Domain Users group:

 • Required Registry Changes

 • Permissions to Use DCOM on the Domain Controller

 • Permissions to the WMI Root\CIMv2 Name Space

 • Access to Read the Security Event Log of the Active Directory Domain Controller

These permissions are valid for all the following Active Directory versions:

 • Windows 2003

 • Windows 2003R2

 • Windows 2008

 • Windows 2008 R2

 • Windows 2012

Required Registry Changes

For the Cisco CDA to work with a Domain User, certain registry keys must be added manually. The changes are described in the following registry script. The Active Directory admin can also copy and paste it into a text file with a .reg extension and double-click the file to apply the registry changes. To add the registry keys described below, the user must be an owner of the root key.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}]

"AppID"="{76A64158-CB41-11D1-8B02-00600806D9B6}"

[HKEY_CLASSES_ROOT\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6}]

"DllSurrogate"="  "

Make sure that you include two spaces in the value of the key “DllSurrogate”.

You should keep the empty lines as shown in the script above, including an empty line at the end of the file.

Permissions to Use DCOM on the Domain Controller

The Active Directory user must have permissions to use DCOM (remote COM) on the Domain Controller. You can do this by using the dcomcnfg tool.

 1. Run the dcomcnfg tool from the command line.

 2. Expand Component Services.

 3. Expand Computers and click on My Computer.

 4. Select Action from the menu bar, click Properties, and then click the COM Security tab.

 5. Make sure that the CDA account has Allow permissions for both Access and Launch. The Active Directory user should be added under all four options (Edit Limits and Edit Default for both Access Permissions and Launch and Activation Permissions). See Figure 2-2.

 6. Allow all Local and Remote access for both Access Permissions and Launch and Activation Permissions.

Figure 2-2 My Computer Properties


Figure 2-3 Local and Remote Access for Access Permissions


Figure 2-4 Local and Remote Access for Launch and Activation Permissions


Permissions to the WMI Root\CIMv2 Name Space

Active Directory users do not have the Execute Methods and Remote Enable permissions on the WMI namespace by default. These can be granted by using the wmimgmt.msc MMC console.

 1. Click Start > Run and type wmimgmt.msc.

 2. Right-click WMI Control and click Properties.

 3. Under the Security tab, expand Root and select CIMV2.

 4. Click Security.

 5. Add the Active Directory user and grant the required permissions as shown in Figure 2-5.


Figure 2-5 Required Permissions for WMI Root\CIMv2 Name Space

Access to Read the Security Event Log of the Active Directory Domain Controller

On Windows 2008 and later, this can be done by adding the user to a group called Event Log Readers.

On all older versions of Windows, this can be done by editing a registry key in the following way:

 1. Find the SID for the account in order to delegate access to the Security event logs.

 2. Use the following command from the command line, as shown in Figure 2-6, to list all accounts with their SIDs:

wmic useraccount get name,sid

You can also use the following for a specific username and domain:

wmic useraccount where name="cdaUser" get domain,name,sid

 3. After you have found the SID, open Registry Editor and browse to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

 4. Click Security and double-click CustomSD. See Figure 2-7.

For example, to allow read access to the cda_agent account (SID S-1-5-21-1742827456-3351963980-3809373604-1107), enter the ACE (A;;0x1;;;S-1-5-21-1742827456-3351963980-3809373604-1107). In the event log CustomSD string, the access mask 0x1 grants read access only; the write (0x2) and clear (0x4) bits are not needed for reading the log.

 5. Restart the WMI service on the DC. You can restart the WMI service in either of the following two ways:

a. Run the following commands from the CLI:

net stop winmgmt

net start winmgmt

b. Run services.msc (this opens the Windows Services Management window).

In the Windows Services Management window, locate the “Windows Management Instrumentation” service, right-click it, and select Restart.


Figure 2-6 List All the SID Accounts

Figure 2-7 Edit CustomSD String
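The following PowerShell script is an added verification aid for the steps in this section; it is not part of the Cisco CDA documentation or the product. It checks the registry keys from the .reg script, the four DCOM COM Security ACLs, and read access to the Security event log for the account, assuming it is run in an elevated PowerShell on the domain controller with the ActiveDirectory module available and that $UserSam (a placeholder, default cdaUser) is the CDA account; the WMI namespace permissions are not covered.

```powershell
# Verification script added for this section; it is not part of the Cisco CDA documentation.
# Assumptions: elevated PowerShell on the domain controller, ActiveDirectory module
# available (present on DCs), $UserSam is the CDA account (the doc's cdaUser / cda_agent).
param([string]$UserSam = 'cdaUser')
$clsid    = '{76A64158-CB41-11D1-8B02-00600806D9B6}'
$findings = @()

# 1. Registry keys from the .reg script: AppID must equal the CLSID and
#    DllSurrogate must be exactly two spaces.
$appId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).AppID
if ($appId -ne $clsid) { $findings += "CLSID key missing or AppID is not $clsid" }
$surrogate = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\AppID\$clsid" -ErrorAction SilentlyContinue).DllSurrogate
if ($surrogate -ne '  ') { $findings += 'AppID key missing or DllSurrogate is not two spaces' }

# 2. Resolve the account SID (the same value that 'wmic useraccount ... get sid' prints).
$sid = (New-Object System.Security.Principal.NTAccount($UserSam)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 3. DCOM: the four COM Security ACLs that dcomcnfg edits are stored as binary
#    security descriptors under HKLM\SOFTWARE\Microsoft\Ole. Only a direct Allow
#    ACE for the account is recognised here, not a grant through a group.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($name in 'DefaultAccessPermission', 'DefaultLaunchPermission',
                  'MachineAccessRestriction', 'MachineLaunchRestriction') {
    $bytes = $ole.$name
    if (-not $bytes) { $findings += "$name is not set, so $UserSam is not explicitly allowed"; continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $allow = $sd.DiscretionaryAcl | Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier.Value -eq $sid }
    if (-not $allow) { $findings += "$name has no Allow ACE for $UserSam" }
}

# 4. Security log, Windows 2008 and later: membership in Event Log Readers (well-known SID S-1-5-32-573).
$readers   = Get-ADGroupMember -Identity 'S-1-5-32-573' -Recursive | ForEach-Object { $_.SID.Value }
$inReaders = $readers -contains $sid

# 5. Security log, older versions: a read-only ACE for the SID in CustomSD.
#    Access mask bits: 0x1 read, 0x2 write, 0x4 clear. The agent only needs 0x1.
$customSd  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security' -ErrorAction SilentlyContinue).CustomSD
$readViaSd = $false
if ($customSd) {
    $rsd = New-Object System.Security.AccessControl.RawSecurityDescriptor($customSd)
    foreach ($ace in $rsd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $sid) { continue }
        if ($ace.AceType -eq 'AccessAllowed' -and ($ace.AccessMask -band 0x1)) { $readViaSd = $true }
        if ($ace.AccessMask -band 0x6) { $findings += ('CustomSD grants {0} write/clear rights (mask 0x{1:x})' -f $UserSam, $ace.AccessMask) }
    }
}
if (-not ($inReaders -or $readViaSd)) { $findings += "$UserSam cannot read the Security event log" }
if ($findings.Count -eq 0) { 'All checks passed.' } else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it after completing the steps above; each FAIL line names the setting that still grants the account less (or, for CustomSD, more) than this section requires.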