I'm using Netwrix ALE: https://www.netwrix.com/account_lockout_examiner.html
freeware to get some reports about the locked accounts in my AD domain.
But the problem is that, due to PCI compliance, I cannot make the service account which is used by the service a member of the DOMAIN\Administrator
group, and it also cannot be a member of the Local Administrator group on all computers and servers either.
So can anyone here please share some thoughts and comments on how best to secure this type of service account while maintaining its functions?
According to this guide: https://www.netwrix.com/download/documents/Netwrix_Account_Lockout_Examiner_Administrator_Guide.pdf
it requires at least local administrator to audit the security log & events?