TEisenmann
Engaged Sweeper

Situation:

Lansweeper on premise

Challenge:

Scan Domain-Controller

So far:

Set up scan-service user which is member of local admin group on server, computer etc.

No Local Admin Group on DC ==> Scan fails

(Giving scan user Domain Admin privileges works, but not our intention)

Any suggestions / experiences?

 

Thanks in advance.

Tom

1 ACCEPTED SOLUTION
Tim_N
Lansweeper Employee

Hello @TEisenmann 

Off the top of my head, one idea is to have a read-only domain controller. That way you can give a specific user access to the RoDC -- this also provides a level of security where the account can't get to the PDC and make changes. 

I'd love to hear what other users are doing as well! Security and scanning rights is a popular topic with our customers. It's great to hear what others are doing to still be able to scan their environment yet keep a strong security posture. 

Tim N.
Lansweeper Employee
