→ 🚀What's New? Join Us for the Fall Product Launch! Register Now !

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
abevelacqua
Engaged Sweeper
I want to create a service account for scanning desktops that is only used for that purpose. I'd prefer not to use an account that is domain administrator. Is there a way to limit the security permissions of the account? I'd like to have just the specific permissions needed.
5 REPLIES 5
CyberCitizen
Honored Sweeper
Sorry I miss spoke. It is not a domain admin account but an admin account on the workstations only.

Doesn't have access to AD or any other services. I mentioned domain as its an admin account via the domain. We also have a local admin password, however that hasn't been set on alot of our machines. This has been changed with Lansweeper but we still have a few remaining.
CyberCitizen
Honored Sweeper
abevelacqua wrote:
I want to create a service account for scanning desktops that is only used for that purpose. I'd prefer not to use an account that is domain administrator. Is there a way to limit the security permissions of the account? I'd like to have just the specific permissions needed.


It still pretty much needs domain admin, we created a service account called ls.scanning
So that there was a separation, i'm sure we could lock it down a bit more etc.
CyberCitizen wrote:
abevelacqua wrote:
I want to create a service account for scanning desktops that is only used for that purpose. I'd prefer not to use an account that is domain administrator. Is there a way to limit the security permissions of the account? I'd like to have just the specific permissions needed.


It still pretty much needs domain admin, we created a service account called ls.scanning
So that there was a separation, i'm sure we could lock it down a bit more etc.


This is TERRIBLE advice!

No it does NOT need to be a domain admin. The service account only needs to have local admin access on the machine.

FYI: Domain admin accounts have the rights to make changes to your active directory, the service account for running LanSweeper should NOT have these rights.
RobertB wrote:
CyberCitizen wrote:
abevelacqua wrote:
I want to create a service account for scanning desktops that is only used for that purpose. I'd prefer not to use an account that is domain administrator. Is there a way to limit the security permissions of the account? I'd like to have just the specific permissions needed.


It still pretty much needs domain admin, we created a service account called ls.scanning
So that there was a separation, i'm sure we could lock it down a bit more etc.


This is TERRIBLE advice!

No it does NOT need to be a domain admin. The service account only needs to have local admin access on the machine.

FYI: Domain admin accounts have the rights to make changes to your active directory, the service account for running LanSweeper should NOT have these rights.


I am open to other suggestions.
pryan67
Champion Sweeper II
abevelacqua wrote:
RobertB wrote:
CyberCitizen wrote:
abevelacqua wrote:
I want to create a service account for scanning desktops that is only used for that purpose. I'd prefer not to use an account that is domain administrator. Is there a way to limit the security permissions of the account? I'd like to have just the specific permissions needed.


It still pretty much needs domain admin, we created a service account called ls.scanning
So that there was a separation, i'm sure we could lock it down a bit more etc.


This is TERRIBLE advice!

No it does NOT need to be a domain admin. The service account only needs to have local admin access on the machine.

FYI: Domain admin accounts have the rights to make changes to your active directory, the service account for running LanSweeper should NOT have these rights.


I am open to other suggestions.



Create a local admin account on each machine, or, what we did in addition to that was to use GPO to add a specific AD group (you can call it Local_Admin or anything you'd like), then once that GPO "takes hold", add your LS service account to that group. LS service will then have local admin access.