→ 🚀What's New? Join Us for the Fall Product Launch! Register Now !

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
sak801
Engaged Sweeper

I have a domain account for scanning Active Directory domain computers in Lansweeper for the Global Windows account.  Because this requires local admin privileges, I've put this account in the "protected users" group in Active Directory for additional security.  I've noticed that under Scanning Targets for active scanning it will say invalid credentials.  However, I know the credentials are correct.  If I select a computer asset in Lansweeper and click "rescan asset", it scans the computer with the same Global credentials without issue.  If I remove this account from the Protected Users group, the active scanning under Scanning Targets does not show "invalid credentials".  So why is active scanning different from rescan asset?  Is the only way this works to have the scanning account NOT a part of protected users?  

1 ACCEPTED SOLUTION
rom
Champion Sweeper III

Here's what MS Says:

"Accounts for services and computers should never be members of the Protected Users group. This group provides incomplete protection anyway, because the password or certificate is always available on the host. Authentication will fail with the error "the user name or password is incorrect" for any service or computer that is added to the Protected Users group."

Reference:  https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/prot...

There's lots of technical reasons in there which I don't know enough about to tell you why exactly -  but, I just stopped at the paragraph above 🙂

View solution in original post

1 REPLY 1
rom
Champion Sweeper III

Here's what MS Says:

"Accounts for services and computers should never be members of the Protected Users group. This group provides incomplete protection anyway, because the password or certificate is always available on the host. Authentication will fail with the error "the user name or password is incorrect" for any service or computer that is added to the Protected Users group."

Reference:  https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/prot...

There's lots of technical reasons in there which I don't know enough about to tell you why exactly -  but, I just stopped at the paragraph above 🙂