Set Up the scan for Domain Controllers (not AD !!)

Posted: Monday, September 20, 2021 9:46:13 AM(UTC)
GeorgB

Member, Original Poster, Posts: 1
Hello :)
I'm glad to be here and I directly have my first question.

In the past, in the company I'm working for, the user for the scanning was a domain admin.
When I arrived, I started to "clean up" and I switched this.

Therefore I followed the Windows domain scanning requirements:
https://www.lansweeper.c...n-scanning-requirements/

Globally speaking - it worked fine - the clients get scanned and the AD is scanned.
The only "problem" we have is that the Domain Controllers are not scanned anymore ...
... of course, because the scanning user is "only" local admin on clients and servers, but not on the Domain Controllers ... because this is not possible :P

Nevertheless I think that there must be a possibility to scan also the Domain Controllers.
I would prefer not to install something (the agent) on the Domain Controller - if possible !!
I hope someone has a hint for me !

thanks - BR Georg
#1 RKCar (Member, Posts: 89)
Posted: 9/22/2021 3:03:06 PM(UTC)
I'll start by saying I have not verified myself that the steps at the link below work with Lansweeper, however I have leveraged it myself to allow SIEM and NAC tools to perform WMI queries against domain controllers without making them domain admins. You'll have to touch each domain controller.

https://kc.mcafee.com/corporate/index?page=content&id=KB74126

There are multiple variations on the internet of how to grant WMI access on a DC without admin rights, however this is the one that I can guarantee works. On-prem, AWS hosted, and Azure hosted domain controllers... all worked.

Alternatively you could take a look at the lsagent. I don't use it, but I have to imagine it would run as the system account and also solve your issue if you have no issues with having it installed.
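
A check to run after delegating WMI access as discussed in this thread, added here as an example and not taken from either poster or from Lansweeper. It confirms that the scanning account is outside the privileged groups and can still run a remote WMI query on every domain controller. Assumptions: the RSAT ActiveDirectory module is installed, `svc-scan` is a hypothetical account name, and the scan relies on remote WMI over DCOM.

```powershell
# Added example: validate a least-privilege scanning account against every DC.
# Assumptions: RSAT ActiveDirectory module present; 'svc-scan' is a
# hypothetical account name; run from the scanning server.
Import-Module ActiveDirectory

$scanAccount = 'svc-scan'   # hypothetical sAMAccountName
$cred = Get-Credential -UserName "$env:USERDOMAIN\$scanAccount" -Message 'Scanning account password'

# 1. The account must not be a direct or nested member of the admin groups.
foreach ($group in 'Domain Admins', 'Administrators') {
    $members = Get-ADGroupMember -Identity $group -Recursive
    if ($members.SamAccountName -contains $scanAccount) {
        Write-Warning "$scanAccount is still a member of '$group'"
    }
}

# 2. The account must be able to run a remote WMI query on each DC over DCOM.
$dcom = New-CimSessionOption -Protocol Dcom
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{ DomainController = $dc.HostName; WmiQuery = 'OK'; Detail = '' }
    $session = $null
    try {
        $session = New-CimSession -ComputerName $dc.HostName -Credential $cred `
            -SessionOption $dcom -ErrorAction Stop
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem `
            -ErrorAction Stop
        $row.Detail = $os.Caption
    }
    catch {
        # Access denied here means the DCOM or WMI namespace delegation is incomplete.
        $row.WmiQuery = 'FAILED'
        $row.Detail   = $_.Exception.Message
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

A successful `Win32_OperatingSystem` query only shows that remote WMI works for the account; individual scan items may need further rights.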

