→ Celebrate SysAdmin Day 2024 with Lansweeper Enter our Giveaway here

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
chada
Engaged Sweeper III
My lansweeper service account and the accounts I used for each domain were all domain admins which made active scanning easy. Now I am tasked with removing all service accounts from the domain admin group as it is bad security practice and we are going through Cybertrust audits.

I am changing our lansweeper service accounts to administrators of all servers through the restricted group group policy feature for each domain. My question is with regards to the domain controllers and how I will be able to scan them after removing them from domain admins. Am I going to have to restort to lsclient scans for these or is there another built in security group in AD with enough rights for what lansweeper scans for on a server?
3 REPLIES 3
Csilano
Engaged Sweeper
I'm scanning with a server administrator account. All of my workstations have the global server administrators group included in the local admins group. No DA acct required.
chada
Engaged Sweeper III
Ya, I knew it just needed to read active directory but I was wondering how people are dealing with Administrative rights on a domain controller without using a domain admin account. When a Server is promoted it loses all of its local accounts so you can't add a local admin for obvious security reasons.
Hemoco
Lansweeper Alumni
The account needs read access to active directory (which most users have), administrative rights on the target computers and on the server.
You can also run the service as "localsystem" and use the alternate credentials for scanning.