Notification

Icon
Error

Set Up the scan for Domain Controllers (not AD !!)

Posted: Monday, September 20, 2021 9:46:13 AM(UTC)
GeorgB

GeorgB

Member Original PosterPosts: 1
0
Like
Hello :)
I´m glad to be here and I directly have my first question.

In the past in the company, I´m working for, the user for the scanning was a domain admin.
When I arrived, I started to "clean up" and I switched this.

Therefore I followed the Windows domain scanning requirements:
https://www.lansweeper.c...n-scanning-requirements/

Globally speaking - it worked fine - the clients get scanned and the AD is scanned.
The only "problem" we have is that the Domain Controllers are not scanned anymore ...
... of course, because the scanning user is "only" local admin on clients and servers, but not on the Domain Controllers ... because this is not possible :P

Nevertheless I think that there must be a possibility to scan also the Domain Controllers.
I would prefer not to install something (the agent) on the Domain Controller - if possible !!
I hope someone has a hint for me !

thanks - BR Georg
RKCar
#1RKCar Member Posts: 89  
posted: 9/22/2021 3:03:06 PM(UTC)
I'll start by saying I have not verified myself that the steps at the link below work with Lansweeper, however I have leveraged it myself to allow SIEM and NAC tools to perform WMI queries against domain controllers without making them domain admins. You'll have to touch each domain controller.

https://kc.mcafee.com/corporate/index?page=content&id=KB74126

There are multiple variations on the internet of how to grant WMI access on a DC without admin rights, however this is the one that I can guarantee works. On-prem, AWS hosted, and Azure hosted domain controllers... all worked.

Alternatively you could take a look at the lsagent. I don't use it, but I have to imagine it would run as the system account and also solve your issue if you have no issues with having it installed.


Originally Posted by: GeorgB Go to Quoted Post
Hello :)
I´m glad to be here and I directly have my first question.

In the past in the company, I´m working for, the user for the scanning was a domain admin.
When I arrived, I started to "clean up" and I switched this.

Therefore I followed the Windows domain scanning requirements:
https://www.lansweeper.c...n-scanning-requirements/

Globally speaking - it worked fine - the clients get scanned and the AD is scanned.
The only "problem" we have is that the Domain Controllers are not scanned anymore ...
... of course, because the scanning user is "only" local admin on clients and servers, but not on the Domain Controllers ... because this is not possible :P

Nevertheless I think that there must be a possibility to scan also the Domain Controllers.
I would prefer not to install something (the agent) on the Domain Controller - if possible !!
I hope someone has a hint for me !

thanks - BR Georg


Active Discussions

Action Remote Uninstaller
by  steveb   Go to last post Go to first unread
Last post: 10/6/2021 5:35:34 PM(UTC)
Action Powershell Remote Shutdown with Different Creds
by  Wealthyreltub  
Go to last post Go to first unread
Last post: 9/14/2021 9:43:09 PM(UTC)
Action Find lost space the easy way (spacesniffer.exe)
by  tomscott2340   Go to last post Go to first unread
Last post: 9/1/2021 8:22:48 PM(UTC)
Lansweeper uVNC Portable (trying to replace LSRemote)
by  CyberCitizen  
Go to last post Go to first unread
Last post: 6/15/2021 11:40:21 PM(UTC)
Action Password Status
by  steveb   Go to last post Go to first unread
Last post: 5/20/2021 5:24:13 PM(UTC)
Lansweeper Verify a successful copy to user computer
by  Brandon  
Go to last post Go to first unread
Last post: 4/22/2021 9:09:50 PM(UTC)
Lansweeper Pablo
by  Pablo   Go to last post Go to first unread
Last post: 4/20/2021 8:05:07 PM(UTC)
Lansweeper Can Actions work when using when using a Ubuntu machine
by  mzipperer  
Go to last post Go to first unread
Last post: 4/1/2021 10:16:34 PM(UTC)