Permissions Required By The Remote Desktop Reporter Service and Agent Services
What permissions are needed both by 1.) the main Remote Desktop Reporter Service and 2.) the Local Agent Service that can be deployed on each Remote Desktop Session Host?
The main Remote Desktop Reporter Service should use a service account you create in your Windows domain that holds local Admin rights on each RDS/Citrix session host server monitored, including role-based servers like the Remote Desktop Gateway and Connection Broker.
The Remote Desktop Reporter Agent Service needs to run as LocalSystem, which is how it is installed by default.
The In-Session Agent processes that are launched via logon script (if user screenshot recording is desired) run under the credentials of each user and do not need any sort of elevated privileges – they send their data to the Remote Desktop Reporter Agent Service, which the main Remote Desktop Reporter Service then polls periodically to capture and store that information.