ControlUp Monitor Permissions & Security - On-Premises ONLY.

The Monitor is one of the most important ControlUp components. You install it from within the ControlUp Real-Time Console, and it is the entity in charge of monitoring all the endpoints, hypervisors and more, 24/7.

The Monitor also watches the endpoints for alerts based on the triggers that you have set up, and uploads the data into Insights, our online reporting system.

The best practice is to install the Monitor on its own dedicated server, provisioned with the necessary resources as explained in the ControlUp Sizing Guidelines article.

This article explains how the Monitor works, what it does, and what permissions it needs in order to work properly.

If you're using the cloud solution, refer to the cloud article in this link.

The Monitor in On-Premises Environments

In on-premises deployments, the process differs from online mode because Insights is also on-premises (if you purchased it). The Monitor writes 'Activity Files' to an SMB share, and Insights reads the files from there.
After you deploy the Monitor, it can be recognized on that machine by its process, named "cuMonitor.exe".
The Monitor uses two accounts:

  1. The "cuMonitor.exe" process runs as the "NETWORK SERVICE" account, on the Monitor VM only.
  2. The Monitor also uses an AD account that you configure when you set up the Monitor. It uses this account for several purposes:
    1. Deploying the ControlUp Agents on remote machines (if the account has administrative rights on the remote machines).
    2. Connecting to the machines on port 40705 in order to monitor them (for Insights, alerting, etc.).
    3. For on-premises only: impersonating the AD account in order to write the activity files to the designated folder (the Activity Files folder).

On top of that, you need to configure permissions on the Activity Files share, which holds the files that the Monitor passes to Insights.
Settings for the Activity Files folder (share and NTFS):

  1. NTFS permissions

    • IOP computer account needs to have:

    • Monitor AD account needs to have:

  2. Shared permissions

    • IOP computer account needs to have:

    • Monitor AD account needs to have:

Permissions in the Security Policy (within ControlUp)

In the ControlUp Real-Time Console, you have to delegate the proper security permissions to the AD account that the Monitor uses. This is done in the Console's Security Policy pane.

  1. In the 'Perform organization-wise actions' section:
    • View All Hypervisors.
    • Connect to Data Source.
    • Use Shared Credentials (in the sub-section 'Shared Credentials Store').
  2. In the 'Run Computer Actions' section:
    • Connect to Windows Computer.

If you have Linux machines in your environment, include the 'Connect to Linux Computer' permission as well.

It's best practice to configure the credentials that you use in the environment as Shared. You can read more about it in the article Configuring Shared Credentials.

Local Policy requirements

The Monitor AD account (the service account defined in the Monitor settings, on the Identity tab) requires the "Allow log on locally" user right on the Monitor machine.

Therefore, verify two things under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment:

  1. The AD account has the "Allow log on locally" user right.
  2. The AD account is not part of the "Deny log on locally" user right.
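
One way to verify both conditions on the Monitor machine, including rights granted or denied through group membership. This is an added example, not ControlUp code; it assumes a domain-joined machine and an elevated PowerShell session, and the UPN `svc-cumonitor@corp.example` is a placeholder for your Monitor AD account.

```powershell
# Added example (not ControlUp code). Run elevated on the Monitor machine.
# Placeholder UPN: replace with the AD account configured in the Monitor settings.
$Upn = 'svc-cumonitor@corp.example'

# Build the account's SID set (user SID plus group SIDs) from a Kerberos S4U identity,
# so that rights assigned to a group the account belongs to are also detected.
$id   = [System.Security.Principal.WindowsIdentity]::new($Upn)
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Export the user rights currently assigned on this machine.
$cfg = Join-Path $env:TEMP 'cu-user-rights.inf'
secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null

function Get-RightHolderSids([string]$Right) {
    # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" } |
            Select-Object -First 1
    if (-not $line) { return }          # right not defined: nobody holds it
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $entry.Substring(1)         # already a SID
        } elseif ($entry) {
            # secedit writes some principals by name; translate them to SIDs.
            try {
                ([System.Security.Principal.NTAccount]$entry).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { Write-Warning "Cannot resolve '$entry' listed under $Right" }
        }
    }
}

# SeInteractiveLogonRight = "Allow log on locally"
# SeDenyInteractiveLogonRight = "Deny log on locally" (deny wins over allow)
$allow = @(Get-RightHolderSids 'SeInteractiveLogonRight')     | Where-Object { $sids -contains $_ }
$deny  = @(Get-RightHolderSids 'SeDenyInteractiveLogonRight') | Where-Object { $sids -contains $_ }
Remove-Item $cfg -ErrorAction SilentlyContinue

[pscustomobject]@{
    Account            = $Upn
    AllowLogOnLocally  = [bool]$allow
    DeniedLogOnLocally = [bool]$deny
    MatchedAllowSids   = $allow -join ','
    MatchedDenySids    = $deny -join ','
    MeetsRequirement   = ([bool]$allow -and -not [bool]$deny)
}
```

The `MatchedAllowSids` and `MatchedDenySids` columns show which of the account's SIDs (its own or a group's) produced the result, which helps when a GPO denies the right to a broad group such as a service-accounts group.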

Administrative privileges

The Monitor can install the ControlUp Agent on machines, for example machines that boot up without an agent.
In the Monitor settings, we state the following:


It's best practice, but not mandatory, for the AD account to have admin privileges on the endpoints. If the ControlUp Agent is baked into the golden image, or installed on a machine that isn't going to boot without the agent, the AD account used by the Monitor can be a non-admin user.

If you have further questions about the ControlUp Monitor, feel free to ask us at
