How to set up scannig ADC ... without being DomainAdmin?

TEisenmann · 2 weeks ago

Situation:

Lansweeper on premise

Challenge:

Scan Domain-Controller

So far:

Set up scan-service user which is member of local admin group on server, computer etc.

No Local Admin Group on DC ==> Scan fails

(Giving scan user Domain Admin privileges works, but not our intention)

Any suggestions / experiences?

Thanks in advance.

Tom

Tim_N · 2 weeks ago

Hello @TEisenmann

Off the top of my head, one idea is to have a read-only domain controller. That way you can give a specific user access to the RoDC -- this also provides a level of security where the account can't get to the PDC and make changes.

I'd love to hear what other users are doing as well! Security and scanning rights is a popular topic with our customers. It's great to hear what others are doing to still be able to scan their environment yet keep a strong security posture.

Tim N.
Lansweeper Employee

View solution in original post

Tim_N · 2 weeks ago

Hello @TEisenmann

Off the top of my head, one idea is to have a read-only domain controller. That way you can give a specific user access to the RoDC -- this also provides a level of security where the account can't get to the PDC and make changes.

I'd love to hear what other users are doing as well! Security and scanning rights is a popular topic with our customers. It's great to hear what others are doing to still be able to scan their environment yet keep a strong security posture.

Tim N.
Lansweeper Employee

How to set up scannig ADC ... without being DomainAdmin?

New to Lansweeper?

Try Lansweeper For Free