2.4. Appendix A: Assigning Permissions
SharePoint Farm Administrator
- Open SharePoint Central Administration, and select the “Security” tab
- Select “Manage the farm administrators group” under “Users”
- Add user or ensure that user is a member of a group in the list of administrators
Site Collection Administrator
- For SharePoint 2013 and 2016, see http://technet.microsoft.com/en-us/library/ff631156.aspx
WSS_ADMIN_WPG group
On SharePoint 2013, the service account has to be a member of the WSS_ADMIN_WPG Windows security group.
- Open the Computer Management administrative tool.
- Under System Tools, expand Local Users and Groups, and select Groups.
- In the properties of WSS_ADMIN_WPG, add the service account.
Local Security Policy Changes
The following chart summarizes the changes to be made in the Local Security Policy. More detailed explanations are found after the chart.
Local Security Policy (secpol.msc) settings summary, Windows Server 2008/2012

| Location | Policy | Action | When required |
|---|---|---|---|
| Security Settings\Local Policies\User Rights Assignment | Log on as a service | add service account | This always needs to be set |
| Security Settings\Local Policies\User Rights Assignment | Generate security audits | add service account | These need to be set if outputting to Windows Security log |
| Security Settings\Local Policies\Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | set Enabled | These need to be set if outputting to Windows Security log |
| Security Settings\Advanced Audit Policy Configuration\Object Access | Audit Application Generated | set Success | These need to be set if outputting to Windows Security log |
Log On as a Service
- Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
- Select Security Settings\Local Policies\User Rights Assignment
- Open "Log on as a service" and add user
- NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.
Generate Security Audits (SeAuditPrivilege)
- Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
- Select Security Settings\Local Policies\User Rights Assignment
- Open "Generate security audits" and add user
NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.
Audit Policy
Windows Server 2008/2012
Audit policy can be configured with the original top-level categories, as described above for Windows 2003, but most environments have migrated to the newer, more granular audit subcategories available in Windows 2008 (also known as Advanced Audit Policy).
Using Advanced Audit Policy Configuration allows for more granular control of the number and types of events that are audited on the server. (NOTE: The steps described here are for Windows Server 2008 R2; see TechNet for information on earlier releases.)
- You must ensure that ‘basic’ and ‘advanced’ audit policy settings are not used at the same time.
- Microsoft gives this warning: “Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.” (http://technet.microsoft.com/en-us/library/dd692792(WS.10).aspx)
- Select Security Settings\Local Policies\Security Options
- Open and enable “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
- To enable LOGbinder for SharePoint events to be sent to the security log:
- Select Security Settings\Advanced Audit Policy Configuration\Object Access
- Edit “Audit Application Generated,” ensuring that “Success” is enabled. (LOGbinder for SharePoint does not require that the “Failure” option be enabled.)
NOTE: You can also configure this via a group policy object in Active Directory.
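The settings in this appendix can be verified from an elevated PowerShell prompt on the SharePoint server. The following read-only check is an added example, not part of LOGbinder; the account name CONTOSO\svc-logbinder is a hypothetical placeholder, and the auditpol subcategory name assumes an English-language system.

```powershell
# Added example: read-only audit of the permissions described in this appendix.
$Account = 'CONTOSO\svc-logbinder'   # hypothetical service account name
$Short   = $Account.Split('\')[-1]

# secedit exports user rights as *SID entries (some local accounts appear by name).
$Sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the User Rights Assignment area of the effective local policy.
$Cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$Rights = Get-Content $Cfg
Remove-Item $Cfg

function Test-UserRight([string]$Privilege) {
    # Matches lines such as: SeAuditPrivilege = *S-1-5-19,*S-1-5-20
    $line = $Rights | Where-Object { $_ -match "^$Privilege\s*=" }
    if (-not $line) { return $false }
    $entries = $line -split '[=,]' | ForEach-Object { $_.Trim() }
    # Direct grants only: a grant made through a group is listed as the group's SID.
    return (($entries -contains "*$Sid") -or ($entries -contains $Short))
}

# "Audit: Force audit policy subcategory settings ..." is stored as this LSA value.
$Lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ForceSubcategory = ($Lsa.SCENoApplyLegacyAuditPolicy -eq 1)

# /r prints CSV; "Inclusion Setting" reads Success, Failure,
# "Success and Failure" or "No Auditing".
$AppGen = auditpol /get /subcategory:"Application Generated" /r |
    Where-Object { $_ } | ConvertFrom-Csv
$AppGenSuccess = [bool]($AppGen.'Inclusion Setting' -match 'Success')

# WSS_ADMIN_WPG membership (the page requires it on SharePoint 2013).
$Members = net localgroup WSS_ADMIN_WPG | ForEach-Object { $_.Trim() }
$InWssAdmin = ($Members -contains $Account)

[pscustomobject]@{
    'Log on as a service (SeServiceLogonRight)'   = Test-UserRight 'SeServiceLogonRight'
    'Generate security audits (SeAuditPrivilege)' = Test-UserRight 'SeAuditPrivilege'
    'Force audit policy subcategory settings'     = $ForceSubcategory
    'Audit Application Generated: Success'        = $AppGenSuccess
    'Member of WSS_ADMIN_WPG'                     = $InWssAdmin
} | Format-List
```

A False result for a user right can also mean the right is granted through a group rather than to the account directly; in that case check the group's membership.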