This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
This documentation is for the new preview UI. It’s still being refined and is subject to change. For documentation for the old UI, see Knowledge Base.
Article link copied to clipboard
Updated
Published
Friday
- edited
Sunday
by
sophie
Friday
Lansweeper Sites uses credentials to authenticate against devices and services during the discovery process. Proper credential setup is essential for obtaining a complete view of assets’ data.
Why credentials matter
During discovery, Lansweeper can attempt to identify devices without credentials using network fingerprints, open ports, or basic SNMP responses. While this can provide surface‑level visibility (for example, “this IP is likely a Windows device” or “this is a printer”), the results are limited.
Using valid credentials unlocks full discovery capabilities:
Completeness: Credentials allow Lansweeper to query system APIs (WMI/DCOM for Windows, SSH for Linux/Unix, SNMP for network devices, directory and cloud APIs for SaaS/virtualization). This gives you accurate asset inventories including OS, hardware specs, software, and user details.
Accuracy: Credentials reduce reliance on “fingerprinting” or guesses about an asset’s role. With credentials, Lansweeper confirms actual configurations instead of inferring them.
Depth of insight: With credentials, you get risk insights like patch levels, installed software versions, or misconfigurations—all of which are critical for vulnerability assessment and compliance.
Consistency across environments: Devices that respond poorly (or not at all) to unauthenticated probes can still be fully inventoried with proper credentials.
By contrast, credential‑less discovery should only be considered a fallback or stopgap to get some visibility. For most organizations, reliable inventory, security reporting, and compliance all depend on properly scoped discovery credentials.
Prerequisites
An installed discovery hub and sensor for either Windows, Linux, or macOS
Credential details with appropriate permissions are ready
Credential best practices
Use least privilege. Grant only the minimum access required to read discovery data. This limits risk if a credential is compromised, while still allowing Lansweeper to return useful insights. Balance your security policy with the completeness of discovery results.
Plan credential strategies thoughtfully. You can scope credentials in several ways:
By asset type: Assign different credentials for Windows, Linux, printers, switches, firewalls, etc. This separation improves auditability and makes it easier for security teams to monitor access by category.
By location: Use credentials per site or region to limit scope and track where credentials are used. Example: Windows‑Washington vs. Windows‑Germany.
By protocol: Use unique credentials for each protocol (WMI/DCOM, SSH, SNMP) when appropriate. Avoid reusing the same credential across unrelated asset types (for example, using one credential for both a printer and a firewall), as this poses a security risk.
Combine strategies. In most environments, a combination of asset type, location, and protocol-based credentials keeps scope tight without creating excessive operational overhead.
Avoid one-credential-per-asset. This does not scale in medium or large environments. Instead, use credentials that cover multiple devices securely while keeping scope limited.
For Windows endpoints, consider LAPS. Microsoft Local Administrator Password Solution (legacy or modern) ensures that every workstation has a unique local admin credential without requiring manual management.
Discovery credential types
Refer to the table below to learn more about the credential types, their uses, and the data that can be collected.
Credential Type | Platform | Sample Data Collected |
|---|---|---|
Windows (WMI/DCOM) | Windows servers & workstations | OS version, hardware (CPU, memory, disk), installed software, services, patches, logged-on users, Event Viewer logs |
SCCM (System Center Configuration Manager) | Microsoft SCCM integration | Asset inventory (from SCCM database), software deployments, compliance info, patch status |
SSH | Linux/Unix servers, macOS, some SSH-enabled network devices | Kernel/OS version, hardware specs, installed packages, running processes, logged-in users, storage and network configs |
SNMP (v1/v2/v3) | Network devices (switches, routers, firewalls, printers, APs, UPS) | Device model, vendor, firmware version, IP/MAC, port/interface status, toner levels (printers), network throughput/faults |
Active Directory Domain Controller | Active Directory domains & forests | Domain OUs, user accounts, groups, computer accounts, policies, trust relationships |
vCenter | VMware vCenter environments (clusters of ESXi hosts) | Host inventory, cluster topology, guest VMs, VM–host mapping, datastores, configuration states |
ESXi | Standalone VMware hypervisors (not managed by vCenter) | Host hardware info, installed VMs, resource usage, configuration settings |
Citrix | Citrix virtualization environment (Citrix Virtual Apps/Desktops) | Citrix servers, published applications, sessions, environment configuration details |
Create a discovery credential
In your site, go to Discovery > Credentials > Add credential.
Enter a name for your credential.
Select your desired credential type. Refer to the Discovery credential types for more information.
Enter the required credential parameters.
Select Assigned hubs, then select which discovery hubs can use the credential. Sensors linked to those hubs will apply the credential during discovery.
Select Save changes.
Next steps
Now that you’ve created a discovery credential, create a discovery action to define what to scan when, and with which credentials.
