Showing results for 
Show  only  | Search instead for 
Did you mean: 
Engaged Sweeper
Hello all,

We have installed Lansweeper here at work and we are looking at what specific rights it needs to each machine in the enterprise to be able to run.

Giving the service account "Domain Admin" rights is not an option due to auditing requirements.

I can, however, give it all of the rights needed through AD / GPOs; but I need a list of the rights / settings that need to be applied so the account can go out and do it's thing.

Thanks all!
Champion Sweeper
It's really not that simple. Splunk has a good write-up that should help get you started....

You may need to dig deeper to grant access to the Eventlogs. This will require some regedits, and modifing some SACLs.
Thanks, Jim Lovejoy __________________________________________________________________________________________________ James W. Lovejoy | IBM - Cloud Managed Services Delivery | Infrastructure Architect (Windows Server ...
Engaged Sweeper

I may have been a bit obtuse in my request, for which I applogize. There are certainly ways to make an account an admin on workstations across the company without impacting other systems, however I am really interested in the exact rights that Lansweeper needs.

For example, Lansweeper might need to RDP a machine. That would require the account to have RDP access. It might require the ability to run a specific program or a service, all things that I can deliver through GPOs.

My goal would be to give Lansweeper the least possible rights to any machine in the company so that it could do it's thing.

If I can accomplish all of that without setting up an account that has admin rights to several thousand workstations I would be very happy.

If the only way possible is to give the account administrative rights... then so be it; but it seems like we should be able to collect information without admin rights and connect into machines (RDP) using a user's rights.

If there were a list of specific actions that Lansweeper can do I might be able to work from that list and devise a way for the account to have the least possible access. Is there a list like that avaliable?

Thanks again for the help!
Lansweeper Alumni
The account needs:

Administrative rights on the computers it scans.
Read access to active directory.