Running Microsoft Active Directory agent as a non-administrator user

You can run the Log File agent as a non-administrator user.

About this task

You can run the monitoring agent for Active Directory as a non-administrator user; however, Trust Topology attributes and Sysvol Replication attributes might not be available. These attributes are available only to domain users.

To view the Trust Topology attributes, a non-administrator user must have the following registry permissions:
  • Full access to the HKEY_LOCAL_MACHINE\SOFTWARE\Candle registry key.
  • Read access to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib registry key.

To view the Sysvol Replication attributes, a non-administrator user must have full access to the Sysvol folder on all domain controllers in a domain.

Important: When the Microsoft Active Directory agent runs as a non-administrator user, some services from the Services attribute group show the values of the Current State and Start Type attributes as Unknown on the APM User Interface.

The following table contains the attribute groups for the Active Directory agent that display data for domain users and performance monitoring users.

Table 1. Attribute groups for domain users and performance monitoring users
User right: Domain users
Attribute groups:
  • RID Pool Information
  • Services
  • Event Logs
  • DNS
  • DNS ADIntegrated Details
  • DNS ADIntegrated
  • DHCP
  • Trust
  • Group Policy Objects
  • Lost and Found Objects
  • Exchange Directory Service
  • Replication Conflict Objects
  • LDAP Attribute
  • Root Directory Server
  • Containers
  • Replication Partner
  • Domain Controller Availability
  • Replication Partner Latency
  • Forest Topology
User right: Domain users and performance monitoring users
Attribute groups: All attribute groups that are mentioned for the domain users and the following extra attribute groups:
  • Address Book
  • Replication
  • Directory Services
  • Knowledge Consistency Checker
  • Kerberos Key Distribution Center
  • Lightweight Directory Access Protocol
  • Local Security Authority
  • Name Service Provider
  • Security Accounts Manager
  • File Replication Service
  • Distributed File System Replication
  • DFS Replication Connections
  • DFS Replicated Folders
  • DFS Service Volume
  • Domain Controller Performance
  • Remote Access Server
  • Direct-Access Server
  • Netlogon Attributes
Note: Additionally, the following attribute groups display data for users who are members of the Administrators group:
  • Active Directory Database Information
  • Moved or Deleted Organizational Unit
  • Password Setting Objects

For more information, see Configuring Microsoft Active Directory monitoring.

Procedure

  1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
  2. Expand the domain in which you want to create the user by clicking the plus sign (+) next to the name of a domain.
  3. Right-click Users, and then click New > User.
  4. Create a new user by using the New Object - User wizard. By default, a new user is a member of the Domain Users group.
  5. Right-click the new user that is created in the Domain Users group, and click Properties. The Username Properties window opens, where username is the name of the new user. Complete the following steps in the Username Properties window:
    1. Click the Member Of tab. In the Member of area, add the Performance Monitor Users group.
    2. Click Apply, and then click OK.
  6. Go to the Candle_Home directory. The default path is C:\IBM\APM.
  7. Right-click the APM folder and click Properties. The APM Properties window opens. Complete the following steps in the APM Properties window:
    1. On the Security tab, click Edit.
    2. Click Add to add the new user and grant full access to this user.
    3. Click Apply, and then click OK.
  8. Click Start > Run, and then type services.msc. The Services window opens. Complete the following steps in the Services window:
    1. Right-click the Monitoring Agent for Active Directory service, and click Properties.
    2. In the Active Directory Properties window, on the Log On tab, click This Account. Enter the user credentials.
    3. Click Apply, and then click OK.
  9. Restart the agent service.
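
The configuration that this procedure produces can be checked from PowerShell. The following read-only audit is an added example, not part of the original documentation; it assumes an elevated session on the domain controller that hosts the agent, the ActiveDirectory module, the default Candle_Home path C:\IBM\APM, and the Windows spelling of the Perflib key (Windows NT, with a space).

```powershell
# Added example: read-only audit of the setup described in the procedure above.
# Assumptions: elevated session on the domain controller hosting the agent,
# ActiveDirectory module installed, C:\IBM\APM is the default Candle_Home.
Import-Module ActiveDirectory
$CandleHome = 'C:\IBM\APM'

# Step 8: locate the agent service by the display name used on this page.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Monitoring Agent for Active Directory%'" |
    Select-Object -First 1
if (-not $svc) { throw 'Monitoring Agent for Active Directory service not found.' }
if ($svc.StartName -eq 'LocalSystem') { throw 'Service still runs as LocalSystem.' }

# Resolve the logon account to a SID so comparisons do not depend on name format.
$sid = ([System.Security.Principal.NTAccount]$svc.StartName).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Well-known SIDs: S-1-5-32-558 = Performance Monitor Users, S-1-5-32-544 = Administrators.
function Test-Member($GroupSid) {
    [bool](Get-ADGroupMember -Identity $GroupSid -Recursive |
        Where-Object { $_.SID.Value -eq $sid.Value })
}

# True when an Allow ACE names the account itself and covers every bit in $Need.
# Access obtained only through group membership is not evaluated here.
function Test-ExplicitAce($Path, $Prop, $Need) {
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and $_.AccessControlType -eq 'Allow' -and
        ([int]$_.$Prop -band [int]$Need) -eq [int]$Need
    })
}

$fs  = [System.Security.AccessControl.FileSystemRights]
$reg = [System.Security.AccessControl.RegistryRights]
$perflib = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'
[pscustomobject]@{
    Service            = $svc.Name
    LogonAccount       = $svc.StartName
    InPerfMonitorUsers = Test-Member 'S-1-5-32-558'
    InAdministrators   = Test-Member 'S-1-5-32-544'   # expected False for this setup
    CandleHomeFull     = Test-ExplicitAce $CandleHome 'FileSystemRights' $fs::FullControl
    CandleRegFull      = Test-ExplicitAce 'HKLM:\SOFTWARE\Candle' 'RegistryRights' $reg::FullControl
    PerflibRead        = Test-ExplicitAce $perflib 'RegistryRights' $reg::ReadKey
}
```

The script changes nothing on the system. It reports only access control entries that name the account directly, and it does not check the Sysvol folder permissions.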