GeorgB
Engaged Sweeper
Hello 🙂
I'm glad to be here and I directly have my first question.

In the past, in the company I'm working for, the user for the scanning was a domain admin.
When I arrived, I started to "clean up" and I switched this.

Therefore I followed the Windows domain scanning requirements:
https://www.lansweeper.com/knowledgebase/domain-scanning-requirements/

Globally speaking - it worked fine - the clients get scanned and the AD is scanned.
The only "problem" we have is that the Domain Controllers are not scanned anymore ...
... of course, because the scanning user is "only" local admin on clients and servers, but not on the Domain Controllers ... because this is not possible 😛

Nevertheless I think that there must be a possibility to scan also the Domain Controllers.
I would prefer not to install something (the agent) on the Domain Controller - if possible!
I hope someone has a hint for me!

thanks - BR Georg
1 REPLY
grimstar
Champion Sweeper II
I'll start by saying I have not verified myself that the steps at the link below work with Lansweeper; however, I have leveraged it myself to allow SIEM and NAC tools to perform WMI queries against domain controllers without making them domain admins. You'll have to touch each domain controller.

https://kc.mcafee.com/corporate/index?page=content&id=KB74126

There are multiple variations on the internet of how to grant WMI access on a DC without admin rights; however, this is the one that I can guarantee works. On-prem, AWS-hosted, and Azure-hosted domain controllers... all worked.

Alternatively, you could take a look at the LsAgent. I don't use it, but I have to imagine it would run as the system account and also solve your issue if you have no issues with having it installed.

