→ 🚀What's New? Explore Lansweeper's Fall 2024 Updates! Fall Launch Blog !

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
kjstech
Engaged Sweeper III
Hi, were new to Lansweeper, just got our feet off the ground this week and we love it so far. WAY faster than Spiceworks! We licenced 1500 assets and I configured it to use SQL Server 2016 and IIS 10.

One of the concerns we had with scanning is what kind of account to use in order to obtain all the good detail for our domain joined machines. The easy route, what we are doing now, is using a domain administrator account, and since our machines are on the domain, they have access to all of the bits and pieces like administrative shares, WMI, DCOM, etc... So this is working. The security concern is that this domain admin account is being sprayed out to every machine to scan.

Another theory we had was use a regular domain account that had read only access to AD, so that part was still readable, but used a GPO to make this account local admin on all of our workstations. My concern with that is if the account is ever compromized on one machine, the bad actor can then use this account to jump around from machine to machine. Its the whole reason we use Microsoft LAPS to randomize and uniquely configure each PC's local administrator password.

Third option would be the LsAgent. Now we are deploying this to laptop and tablet class machines, since they can roam. But we have so many other agents for other things, the concern is adding more "stuff" to end users machines, so we lean towards agentless scanning.

What's your opinion for best practices? Right now I'm leaning towards a special unique domain administrator account with a very long passphrase, like 35 or more characters, and a strict policy to change that in a timely manner. It would be very hard for a bad actor to brute force a password of that length.

Curious to hear what you all do!
3 REPLIES 3
CyberCitizen
Honored Sweeper
We use a domain admin account, as in its an account that has admin rights on the machines but not the rest of the network / servers etc. So not a true domain admin account.

We exclude our servers from scanning as they are already monitored via other software etc.

We are using Lansweeper purely for Workstation / Laptop auditing and software deployments.
kjstech
Engaged Sweeper III
CyberCitizen wrote:
We use a domain admin account, as in its an account that has admin rights on the machines but not the rest of the network / servers etc. So not a true domain admin account.

We exclude our servers from scanning as they are already monitored via other software etc.

We are using Lansweeper purely for Workstation / Laptop auditing and software deployments.


Oh ok are you using something like this article to create a new type of "Workstation Administrator" group and group policy to add this to the local admin of PC's?

https://www.petri.com/manage-workstations-without-domain-admin-rights

kjstech wrote:
Oh ok are you using something like this article to create a new type of "Workstation Administrator" group and group policy to add this to the local admin of PC's?

https://www.petri.com/manage-workstations-without-domain-admin-rights

Pretty Much Spot On