I'm attempting to use a service account with read-only access to the directory with an application that wants to set up event monitoring to track logon/logoff activity. If I poll the directory, it can see all needed attributes. If I switch it to monitor events, it fails and I can see a permission denied error on setting up event monitoring in the ndstrace log.

I'm guessing there is some ACL or trustee right I can change to allow it to set up event monitoring, but I can't find any documentation on what it is and where. The application vendor is, of course, saying "oh just give global supervisor trustee rights at the root" but I'd much rather not have it using an unbounded admin account just to set up event monitoring.

Any help is much appreciated.