I am trying to run the a report 'Size of Active Directory Database'. However, the report comes back empty showing no size (MB).
I figured out that it requires NTFS discovery to run and find C:\windows\NTDS folder in order to capture the size. My question is
What permission do I need to give the service account to read the size of the NTDS database ? Keeping in mind we do not want to give Domain Admin access to this service account
I see there is an error in that documentation online. I will report it, thank you! I will still reiterate that the report "Size of Active Directory Database" is indeed an Active Directory report and does not require the NTFS discovery to be executed. The report will require read rights to the Domain Controller's Registry (SYSTEM\CurrentControlSet\Services\NTDS\Parameters), and will also need read access to the Domain Controller's Administrative share and the NTDS subfolder - which is only granted to members of the "Administrators" group of the domain.
As an alternative, running the NTFS discovery against the same folder location (either through the windows administrative share "\admin$\ntds" or through the c$ administrative share) on the Domain Controllers, you can collect the file sizes. However, you still have to have read file/folder permissions on the Domain Controller's file system.
I see there is an error in that documentation online. I will report it, thank you! I will still reiterate that the report "Size of Active Directory Database" is indeed an Active Directory report and does not require the NTFS discovery to be executed. The report will require read rights to the Domain Controller's Registry (SYSTEM\CurrentControlSet\Services\NTDS\Parameters), and will also need read access to the Domain Controller's Administrative share and the NTDS subfolder - which is only granted to members of the "Administrators" group of the domain.
As an alternative, running the NTFS discovery against the same folder location (either through the windows administrative share "\admin$\ntds" or through the c$ administrative share) on the Domain Controllers, you can collect the file sizes. However, you still have to have read file/folder permissions on the Domain Controller's file system.