From ddcf6bddb9d810c9cba2f707d9a663fb70b42358 Mon Sep 17 00:00:00 2001 From: Michael Burrofato Date: Tue, 14 Oct 2025 09:42:04 -0400 Subject: [PATCH 1/3] Spike Story 404910: Update Documentation for LPA for AD_DSRM and AD_TimeSync jobs --- .../activedirectory/activedirectory/access.md | 8 +++++++- .../12.0/requirements/activedirectory/target/access.md | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md b/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md index e77af39406..3bd5ad9788 100644 --- a/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md +++ b/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md @@ -182,8 +182,11 @@ While the Registry Data Collector typically requires Domain Administrator permis a domain controller, that level of access is not required to run the 5.Domains > 0.Collection > AD_DSRM Job. The minimum requirements for running this job are: -- Requires read access to the following Registry key and its children: +- Requires read access to the following Registry key and its children: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg + +Alternatively, granting access to the Server Operators and Network Configuration Operators groups also allows read-only access to the Lsa and W32Time keys, respectively, just requiring access added to the winreg key **AD_TimeSync Job Permissions** 
@@ -193,6 +196,9 @@ AD_TimeSync Job. The minimum requirements for running this job are: - Requires Read access to the following Registry keys and its children: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg + +Alternatively, granting access to the Server Operators and Network Configuration Operators groups also allows read-only access to the Lsa and W32Time keys, respectively, just requiring access added to the winreg key **AD_DomainInfo Job Permissions** diff --git a/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md b/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md index ac83abd8b5..2954bf3461 100644 --- a/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md +++ b/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md @@ -182,8 +182,11 @@ While the Registry Data Collector typically requires Domain Administrator permis a domain controller, that level of access is not required to run the 5.Domains > 0.Collection > AD_DSRM Job. The minimum requirements for running this job are: -- Requires read access to the following Registry key and its children: +- Requires read access to the following Registry key and its children: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg + +Alternatively, granting access to the Server Operators and Network Configuration Operators groups also allows read-only access to the Lsa and W32Time keys, respectively, just requiring access added to the winreg key **AD_TimeSync Job Permissions** 
@@ -193,6 +196,9 @@ AD_TimeSync Job. The minimum requirements for running this job are: - Requires Read access to the following Registry keys and its children: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg + +Alternatively, granting access to the Server Operators and Network Configuration Operators groups also allows read-only access to the Lsa and W32Time keys, respectively, just requiring access added to the winreg key **AD_DomainInfo Job Permissions** From 5c5746ff9ee5252c7f23eb5dc13e73445f5aeaac Mon Sep 17 00:00:00 2001 From: Michael Burrofato Date: Tue, 14 Oct 2025 09:55:30 -0400 Subject: [PATCH 2/3] Spike Story 404910: Update Documentation for LPA for AD_DSRM and AD_TimeSync jobs --- .../requirements/activedirectory/activedirectory/access.md | 4 ++-- .../12.0/requirements/activedirectory/target/access.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md b/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md index 3bd5ad9788..11113ded48 100644 --- a/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md +++ b/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md @@ -186,7 +186,7 @@ AD_DSRM Job. The minimum requirements for running this job are: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg -Alternatively, granting access to the Server Operators and Network Configuration Operators groups also allows read-only access to the Lsa and W32Time keys, respectively, just requiring access added to the winreg key +Alternatively, granting access to the Server Operators group also allows read-only access to the Lsa key, respectively, just requiring access added to the winreg key. **AD_TimeSync Job Permissions** 
@@ -198,7 +198,7 @@ AD_TimeSync Job. The minimum requirements for running this job are: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg -Alternatively, granting access to the Server Operators and Network Configuration Operators groups also allows read-only access to the Lsa and W32Time keys, respectively, just requiring access added to the winreg key +Alternatively, granting access to the Network Configuration Operators group also allows read-only access to the W32Time key, just requiring access added to the winreg key. **AD_DomainInfo Job Permissions** diff --git a/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md b/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md index 2954bf3461..5c4d833dd3 100644 --- a/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md +++ b/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md @@ -186,7 +186,7 @@ AD_DSRM Job. The minimum requirements for running this job are: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg -Alternatively, granting access to the Server Operators and Network Configuration Operators groups also allows read-only access to the Lsa and W32Time keys, respectively, just requiring access added to the winreg key +Alternatively, granting access to the Server Operators group also allows read-only access to the Lsa key, respectively, just requiring access added to the winreg key. **AD_TimeSync Job Permissions** 
@@ -198,7 +198,7 @@ AD_TimeSync Job. The minimum requirements for running this job are: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg -Alternatively, granting access to the Server Operators and Network Configuration Operators groups also allows read-only access to the Lsa and W32Time keys, respectively, just requiring access added to the winreg key +Alternatively, granting access to the Network Configuration Operators group also allows read-only access to the W32Time key, just requiring access added to the winreg key. **AD_DomainInfo Job Permissions** From ff90304ca21dae64209272593a2fd6a7f2277735 Mon Sep 17 00:00:00 2001 From: Michael Burrofato Date: Tue, 14 Oct 2025 09:59:07 -0400 Subject: [PATCH 3/3] Spike Story 404910: Update Documentation for LPA for AD_DSRM and AD_TimeSync jobs --- .../11.6/requirements/activedirectory/activedirectory/access.md | 2 +- .../12.0/requirements/activedirectory/target/access.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md b/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md index 11113ded48..e720157b49 100644 --- a/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md +++ b/docs/accessanalyzer/11.6/requirements/activedirectory/activedirectory/access.md 
@@ -186,7 +186,7 @@ AD_DSRM Job. The minimum requirements for running this job are: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg -Alternatively, granting access to the Server Operators group also allows read-only access to the Lsa key, respectively, just requiring access added to the winreg key. +Alternatively, granting access to the Server Operators group also allows read-only access to the Lsa key, just requiring access added to the winreg key. **AD_TimeSync Job Permissions** diff --git a/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md b/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md index 5c4d833dd3..950ed06056 100644 --- a/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md +++ b/docs/accessanalyzer/12.0/requirements/activedirectory/target/access.md @@ -186,7 +186,7 @@ AD_DSRM Job. The minimum requirements for running this job are: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg -Alternatively, granting access to the Server Operators group also allows read-only access to the Lsa key, respectively, just requiring access added to the winreg key. +Alternatively, granting access to the Server Operators group also allows read-only access to the Lsa key, just requiring access added to the winreg key. **AD_TimeSync Job Permissions**
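Review bot: In the AD_DSRM hunks of PATCH 1/3 (@@ -182,8 +182,11 in both the 11.6 and 12.0 files), the bullet still reads "Registry key and its children" although the list under it now holds two keys, and the removed and added versions of that bullet differ only in whitespace. Change the bullet to "Requires read access to the following Registry keys and their children:" so the edit to that line carries the wording fix, and otherwise drop the whitespace-only change.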
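Review bot: In the AD_TimeSync hunks of PATCH 1/3 (@@ -193,6 +196,9), the added "Alternatively" sentence is the same one added under AD_DSRM, so the TimeSync section names Server Operators and the Lsa key, neither of which appears in this job's list. Limit the sentence here to Network Configuration Operators and the W32Time key, as PATCH 2/3 later does, and fix the context line "Registry keys and its children" to "keys and their children" while the list is being edited.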
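Review bot: In the AD_DSRM hunks of PATCH 2/3 (@@ -186,7 +186,7), "respectively" is left in a sentence that now names one group and one key, and PATCH 3/3 exists only to remove that word. All three patches carry the same subject line, and 2/3 and 3/3 only rewrite the sentence introduced in 1/3, so squash them into one commit before merging or give each a subject that says what it changes.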
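Review bot: In the final wording (PATCH 3/3 for AD_DSRM, PATCH 2/3 for AD_TimeSync), "granting access to the Server Operators group" does not say who is granted what: it can be read as adding the job's account to the group or as granting the group access to the key, and "just requiring access added to the winreg key" gives no access level. If group membership is what is meant, say so directly, for example "add the account to the Server Operators group, which can already read the Lsa key, and grant it Read on the winreg key", with the matching change for Network Configuration Operators and W32Time. Since these paragraphs sit under "The minimum requirements for running this job are", also state that membership in a built-in operators group is a wider grant than Read on the listed keys.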