So my first question is: has anyone found a better way to restrict the data collection account? Domain Admin is surely overkill. We have techniques for reining in DA accounts, but these accounts are like gold and we typically wouldn't ever allow a vendor's software to run with a service account that is a domain administrator because it's breaking every rule in the book. Does anyone have any experience or advice, or have any of you found that you can use more restrictive group memberships to achieve the same level of auditing?
Another question: I notice that Netwrix monitors a lot / all of the AD schema. When you deploy LAPS you extend the schema to create a new attribute "ms-Mcs-AdmPwd". The permission / ACL entry is added for OUs (under "AdmPwdExtendedRights"), and is granted by default to Domain Administrators. What this means is that the local password for Administrator on each domain joined workstation will be stored in ms-Mcs-AdmPwd. Access to this field is granted to any account that has the AdmPwdExtendedRights permission. So, depending on your LAPS policy, the workstation local Administrator account password is reset by the domain every "x" number of days. When that happens, the schema object ms-Mcs-AdmPwd is updated for that account (the computer account). It is done in plain text, but secured in AD such that only accounts with AdmPwdExtendedRights can actually read it. Well, that includes the Netwrix account. Therefore, when ms-Mcs-AdmPwd is changed, Netwrix sees this and alerts... and of course... the best part is that the new local Administrator password for the machine is included in the email alert!
Now, I am wondering if I can simply add ms-Mcs-AdmPwd to the omitproplist.txt file in C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing... and this should stop it from monitoring that object? Or is there another way?
I tried to remove Netwrix from domain administrators group, and then made a change to this object, but I still (strangely) got the alert. So I am curious if maybe I am wrong about how this is working.
At the end of the day, I need to stop Netwrix from emailing us whenever LAPS updates local Administrator passwords on workstations... and possibly, remove this access entirely to prevent someone from using Netwrix to harvest these credentials themselves. Make sense?
Sorry for the long post.
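Added example, not part of the original post and not Netwrix or LAPS code: a PowerShell check of which principals hold an ACE on an OU that lets them read ms-Mcs-AdmPwd. It answers the "is the Netwrix account still able to read it by some other route" question raised above, because removing the account from Domain Admins does not help if an ACE granting GenericAll or the extended right still applies to it (directly or through another group). The function name Get-LapsPasswordReaders and the OU distinguished name in the usage line are placeholders; it assumes the RSAT ActiveDirectory module is installed and that the LAPS schema extension has been applied.

```powershell
# Added example: enumerate who can read the LAPS attribute ms-Mcs-AdmPwd on an OU.
# Reading a confidential attribute requires the control-access (extended) right on it,
# which an ACE grants either specifically (ObjectType = schemaIDGUID of ms-Mcs-AdmPwd),
# through "all extended rights" (ObjectType = empty GUID), or through GenericAll.
# Assumes the RSAT ActiveDirectory module (provides the AD: PSDrive used by Get-Acl).
Import-Module ActiveDirectory

function Get-LapsPasswordReaders {
    param(
        [Parameter(Mandatory = $true)]
        [string]$OuDistinguishedName   # e.g. 'OU=Workstations,DC=corp,DC=example' (placeholder)
    )

    # Look up the schemaIDGUID of ms-Mcs-AdmPwd; an attribute-specific ACE references this GUID.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) {
        throw 'ms-Mcs-AdmPwd is not in the schema; the LAPS schema extension has not been applied.'
    }
    $attrGuid          = [guid]$attr.schemaIDGUID
    $allExtendedRights = [guid]'00000000-0000-0000-0000-000000000000'
    $adRights          = [System.DirectoryServices.ActiveDirectoryRights]

    $acl = Get-Acl -Path ('AD:\' + $OuDistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # GenericAll implies every right on the object, including extended rights.
        $viaGenericAll = $rights.HasFlag($adRights::GenericAll)

        # ExtendedRight scoped to this attribute, or to all extended rights, also suffices.
        $viaExtendedRight = $rights.HasFlag($adRights::ExtendedRight) -and
            ($ace.ObjectType -eq $attrGuid -or $ace.ObjectType -eq $allExtendedRights)

        if ($viaGenericAll -or $viaExtendedRight) {
            [pscustomobject]@{
                Principal  = $ace.IdentityReference.Value
                Rights     = $rights.ToString()
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Usage with a placeholder OU; run it against each OU where LAPS clients live.
Get-LapsPasswordReaders -OuDistinguishedName 'OU=Workstations,DC=corp,DC=example' | Format-Table -AutoSize
```

Two caveats when reading the output. First, the result lists principals on the ACE, which are often groups; the service account is a reader if it is a member of any listed group, nested or not, so check membership with `Get-ADPrincipalGroupMembership` or the LAPS module's own `Find-AdmPwdExtendedRights` rather than eyeballing names. Second, an account that holds WriteDacl or WriteOwner on the OU (or on the computer objects) is not a reader today but can make itself one at any time, so a thorough review should include those rights as well.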