Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-18-2020 09:59 PM
I want to create a service account for scanning desktops that is only used for that purpose. I'd prefer not to use an account that is domain administrator. Is there a way to limit the security permissions of the account? I'd like to have just the specific permissions needed.
Labels:
- Labels:
-
General Discussion
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-21-2020 03:31 AM
Sorry I miss spoke. It is not a domain admin account but an admin account on the workstations only.
Doesn't have access to AD or any other services. I mentioned domain as its an admin account via the domain. We also have a local admin password, however that hasn't been set on alot of our machines. This has been changed with Lansweeper but we still have a few remaining.
Doesn't have access to AD or any other services. I mentioned domain as its an admin account via the domain. We also have a local admin password, however that hasn't been set on alot of our machines. This has been changed with Lansweeper but we still have a few remaining.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-19-2020 12:21 AM
abevelacqua wrote:
I want to create a service account for scanning desktops that is only used for that purpose. I'd prefer not to use an account that is domain administrator. Is there a way to limit the security permissions of the account? I'd like to have just the specific permissions needed.
It still pretty much needs domain admin, we created a service account called ls.scanning
So that there was a separation, i'm sure we could lock it down a bit more etc.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-19-2020 06:33 PM
CyberCitizen wrote:abevelacqua wrote:
I want to create a service account for scanning desktops that is only used for that purpose. I'd prefer not to use an account that is domain administrator. Is there a way to limit the security permissions of the account? I'd like to have just the specific permissions needed.
It still pretty much needs domain admin, we created a service account called ls.scanning
So that there was a separation, i'm sure we could lock it down a bit more etc.
This is TERRIBLE advice!
No it does NOT need to be a domain admin. The service account only needs to have local admin access on the machine.
FYI: Domain admin accounts have the rights to make changes to your active directory, the service account for running LanSweeper should NOT have these rights.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-20-2020 04:47 PM
RobertB wrote:CyberCitizen wrote:abevelacqua wrote:
I want to create a service account for scanning desktops that is only used for that purpose. I'd prefer not to use an account that is domain administrator. Is there a way to limit the security permissions of the account? I'd like to have just the specific permissions needed.
It still pretty much needs domain admin, we created a service account called ls.scanning
So that there was a separation, i'm sure we could lock it down a bit more etc.
This is TERRIBLE advice!
No it does NOT need to be a domain admin. The service account only needs to have local admin access on the machine.
FYI: Domain admin accounts have the rights to make changes to your active directory, the service account for running LanSweeper should NOT have these rights.
I am open to other suggestions.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-20-2020 06:09 PM
abevelacqua wrote:RobertB wrote:CyberCitizen wrote:abevelacqua wrote:
I want to create a service account for scanning desktops that is only used for that purpose. I'd prefer not to use an account that is domain administrator. Is there a way to limit the security permissions of the account? I'd like to have just the specific permissions needed.
It still pretty much needs domain admin, we created a service account called ls.scanning
So that there was a separation, i'm sure we could lock it down a bit more etc.
This is TERRIBLE advice!
No it does NOT need to be a domain admin. The service account only needs to have local admin access on the machine.
FYI: Domain admin accounts have the rights to make changes to your active directory, the service account for running LanSweeper should NOT have these rights.
I am open to other suggestions.
Create a local admin account on each machine, or, what we did in addition to that was to use GPO to add a specific AD group (you can call it Local_Admin or anything you'd like), then once that GPO "takes hold", add your LS service account to that group. LS service will then have local admin access.
