This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- Archive
- Re: Specific Rights Needed
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-13-2011 11:38 PM
Hello all,
We have installed Lansweeper here at work and we are looking at what specific rights it needs to each machine in the enterprise to be able to run.
Giving the service account "Domain Admin" rights is not an option due to auditing requirements.
I can, however, give it all of the rights needed through AD / GPOs; but I need a list of the rights / settings that need to be applied so the account can go out and do it's thing.
Thanks all!
We have installed Lansweeper here at work and we are looking at what specific rights it needs to each machine in the enterprise to be able to run.
Giving the service account "Domain Admin" rights is not an option due to auditing requirements.
I can, however, give it all of the rights needed through AD / GPOs; but I need a list of the rights / settings that need to be applied so the account can go out and do it's thing.
Thanks all!
Labels:
- Labels:
-
Archive
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-16-2011 07:44 PM
It's really not that simple. Splunk has a good write-up that should help get you started....
http://www.splunk.com/wiki/Deploy:HOWTO_Enable_WMI_Access_for_Non-Admin_Domain_Users
You may need to dig deeper to grant access to the Eventlogs. This will require some regedits, and modifing some SACLs.
http://www.splunk.com/wiki/Deploy:HOWTO_Enable_WMI_Access_for_Non-Admin_Domain_Users
You may need to dig deeper to grant access to the Eventlogs. This will require some regedits, and modifing some SACLs.
Thanks,
Jim Lovejoy
__________________________________________________________________________________________________
James W. Lovejoy | IBM - Cloud Managed Services Delivery | Infrastructure Architect (Windows Server ...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-16-2011 06:59 AM
Thanks,
I may have been a bit obtuse in my request, for which I applogize. There are certainly ways to make an account an admin on workstations across the company without impacting other systems, however I am really interested in the exact rights that Lansweeper needs.
For example, Lansweeper might need to RDP a machine. That would require the account to have RDP access. It might require the ability to run a specific program or a service, all things that I can deliver through GPOs.
My goal would be to give Lansweeper the least possible rights to any machine in the company so that it could do it's thing.
If I can accomplish all of that without setting up an account that has admin rights to several thousand workstations I would be very happy.
If the only way possible is to give the account administrative rights... then so be it; but it seems like we should be able to collect information without admin rights and connect into machines (RDP) using a user's rights.
If there were a list of specific actions that Lansweeper can do I might be able to work from that list and devise a way for the account to have the least possible access. Is there a list like that avaliable?
Thanks again for the help!
I may have been a bit obtuse in my request, for which I applogize. There are certainly ways to make an account an admin on workstations across the company without impacting other systems, however I am really interested in the exact rights that Lansweeper needs.
For example, Lansweeper might need to RDP a machine. That would require the account to have RDP access. It might require the ability to run a specific program or a service, all things that I can deliver through GPOs.
My goal would be to give Lansweeper the least possible rights to any machine in the company so that it could do it's thing.
If I can accomplish all of that without setting up an account that has admin rights to several thousand workstations I would be very happy.
If the only way possible is to give the account administrative rights... then so be it; but it seems like we should be able to collect information without admin rights and connect into machines (RDP) using a user's rights.
If there were a list of specific actions that Lansweeper can do I might be able to work from that list and devise a way for the account to have the least possible access. Is there a list like that avaliable?
Thanks again for the help!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-14-2011 01:35 PM
The account needs:
Administrative rights on the computers it scans.
Read access to active directory.
Administrative rights on the computers it scans.
Read access to active directory.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Installing Lansweeper silently in General Discussions
- Report for Multiple Files Existing on Desktop in General Discussions
- Addressing NVD Insufficient Data - Impact on Vulnerability Assessments in Lansweeper in Product Discussions
- All Assets with last logon user in Reports & Analytics
- Need a Report for specific existing Autorun command - exists or not exists in Reports & Analytics
