This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Scanning with domain admin or another account that is local admin to pc's?

kjstech
Engaged Sweeper III

‎02-29-2020 02:17 PM

Hi, were new to Lansweeper, just got our feet off the ground this week and we love it so far. WAY faster than Spiceworks! We licenced 1500 assets and I configured it to use SQL Server 2016 and IIS 10.

One of the concerns we had with scanning is what kind of account to use in order to obtain all the good detail for our domain joined machines. The easy route, what we are doing now, is using a domain administrator account, and since our machines are on the domain, they have access to all of the bits and pieces like administrative shares, WMI, DCOM, etc... So this is working. The security concern is that this domain admin account is being sprayed out to every machine to scan.

Another theory we had was use a regular domain account that had read only access to AD, so that part was still readable, but used a GPO to make this account local admin on all of our workstations. My concern with that is if the account is ever compromized on one machine, the bad actor can then use this account to jump around from machine to machine. Its the whole reason we use Microsoft LAPS to randomize and uniquely configure each PC's local administrator password.

Third option would be the LsAgent. Now we are deploying this to laptop and tablet class machines, since they can roam. But we have so many other agents for other things, the concern is adding more "stuff" to end users machines, so we lean towards agentless scanning.

What's your opinion for best practices? Right now I'm leaning towards a special unique domain administrator account with a very long passphrase, like 35 or more characters, and a strict policy to change that in a timely manner. It would be very hard for a bad actor to brute force a password of that length.

Curious to hear what you all do!
Labels:
0 Kudos
3 REPLIES 3
CyberCitizen
Honored Sweeper

‎03-02-2020 03:01 AM

We use a domain admin account, as in its an account that has admin rights on the machines but not the rest of the network / servers etc. So not a true domain admin account.

We exclude our servers from scanning as they are already monitored via other software etc.

We are using Lansweeper purely for Workstation / Laptop auditing and software deployments.
0 Kudos
kjstech
Engaged Sweeper III
In response to CyberCitizen

‎03-02-2020 04:45 PM

CyberCitizen wrote:
We use a domain admin account, as in its an account that has admin rights on the machines but not the rest of the network / servers etc. So not a true domain admin account.

We exclude our servers from scanning as they are already monitored via other software etc.

We are using Lansweeper purely for Workstation / Laptop auditing and software deployments.


Oh ok are you using something like this article to create a new type of "Workstation Administrator" group and group policy to add this to the local admin of PC's?

https://www.petri.com/manage-workstations-without-domain-admin-rights

0 Kudos
CyberCitizen
Honored Sweeper
In response to kjstech

‎03-03-2020 12:36 AM

kjstech wrote:
Oh ok are you using something like this article to create a new type of "Workstation Administrator" group and group policy to add this to the local admin of PC's?

https://www.petri.com/manage-workstations-without-domain-admin-rights

Pretty Much Spot On
0 Kudos

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now