We have changed our scanning credentials from being a Domain Admin to a Local Admin (Group Policy controls local Administrators members).
Domain Controllers do not have local users and groups. The solution for scanning is to have a scheduled task running LSPUSH.
The annoying thing is that the Domain Controllers flip between having scanning errors and not having errors. I tried excluding the IP from the scheduled scan, but this prevented LSPUSH from updating.
Is this expected behavior? Is there a workaround, i.e. a way to prevent scanning but allow LSPUSH? Do I just have to live with scanning errors?
Thanks.