zhongjiedong
Engaged Sweeper II
Hey everyone,

So one of the CEP accreditation requirements is that service accounts should not have full admin privileges across the domain. I was wondering if anyone has successfully made a service account that could obtain WMI information without having admin privileges on the machine being scanned?

1 ACCEPTED SOLUTION
Bruce_B
Lansweeper Alumni
Our official recommendation for Windows computer scanning credentials is full local admin rights. The credential needs to be able to:
  • Set up a DCOM connection.
  • Perform WMI queries.
  • Access the registry (and for deployments, access the system account to write to the registry)
  • Access the task scheduler (deployments)
  • Read access to all file properties (custom file scanning)
  • ...

It may be theoretically possible to set up a credential that is able to scan without full admin rights, but this credential would be very close to having full admin rights when adding up all the permissions. We unfortunately cannot provide support for this though. Additionally, if you do find a permission combination that works for scanning, it may not work in the future if new scanning options are added. Every scanning feature we add for Windows computer scanning is with full admin rights in mind.

For scanning computers with higher security standards such as for instance Domain Controllers, you could use the LsPush scanning agent instead. You could theoretically do away with your service account altogether if you don't use the deployment module and perform all your Windows scanning using LsPush.

LsPush is a small executable that, when run on a Windows computer, scans the computer locally. The scan results can manually or automatically be forwarded to your Lansweeper server for import. You can find the LsPush executable in the Program Files (x86)\Lansweeper\Client folder on your Lansweeper server and information on its parameters in this knowledge base article: https://www.lansweeper.com/kb/24/how-to-scan-with-LsPush.html

LsPush can easily be deployed in domain environments with a logon script or group policy. A sample .vbs script that runs LsPush can be seen below. You will need to replace what we've highlighted with the folder hosting the LsPush executable and the name of your own Lansweeper server. If you deploy this script as part of a logon script or group policy, LsPush will automatically scan your machines when users log into them and send the results directly to your Lansweeper server for import. General info on setting up a logon based group policy, not specific to LsPush, can be found here: https://www.petri.com/setting-up-logon-script-through-gpo-windows-server-2008

' Launch LsPush hidden (window style 0) from the share that hosts it.
' Replace "%logonserver%\netlogon" with the folder hosting lspush.exe
' and "lansweeperservername" with the name of your Lansweeper server.
Set WshShell = CreateObject("Wscript.Shell")
WshShell.run "%logonserver%\netlogon\lspush.exe lansweeperservername",0

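The reply above lists what a Windows scanning credential must be able to do (DCOM connection, WMI queries, registry access, task scheduler access). Before rolling out any reduced-privilege scan account, it is worth testing those operations directly against one machine with the candidate credential, so a permission gap shows up in a controlled test rather than as silent scan failures. The following PowerShell script is an added example for that check; it is not Lansweeper's code and does not reflect how Lansweeper itself performs scans. The target name, account name, the use of the StdRegProv WMI provider for the registry probe, and the use of Get-ScheduledTask over a CIM session for the task scheduler probe are all assumptions made for this example.

```powershell
# Added example (not Lansweeper's own code): probe whether a candidate scanning
# credential can perform the DCOM/WMI, registry and task scheduler operations
# listed in the reply against a single target. Run from an admin workstation.
# $Target and $Account are placeholders; replace them with your own values.
param(
    [string]$Target  = 'PC-PLACEHOLDER',
    [string]$Account = 'DOMAIN\svc-scan-placeholder'
)

$cred    = Get-Credential -UserName $Account -Message "Password for $Account"
$results = [ordered]@{}
$session = $null

# 1. DCOM connection plus a basic WMI query (assumption: scanner uses DCOM, not WinRM)
try {
    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $Target -Credential $cred `
                              -SessionOption $opt -ErrorAction Stop
    $os      = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
    $results['DCOM + WMI query'] = "OK ($($os.Caption))"
} catch {
    $results['DCOM + WMI query'] = "FAILED: $($_.Exception.Message)"
}

if ($session) {
    # 2. Registry read through the StdRegProv WMI provider in root\default
    #    (assumption: a read of a well-known HKLM value is a fair proxy for
    #    the registry access the scanner needs).
    try {
        $HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE as used by StdRegProv
        $r = Invoke-CimMethod -CimSession $session -Namespace 'root\default' `
                -ClassName StdRegProv -MethodName GetStringValue -Arguments @{
                    hDefKey     = $HKLM
                    sSubKeyName = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                    sValueName  = 'ProductName'
                } -ErrorAction Stop
        if ($r.ReturnValue -eq 0) {
            $results['Registry read (StdRegProv)'] = "OK ($($r.sValue))"
        } else {
            $results['Registry read (StdRegProv)'] = "FAILED: StdRegProv returned $($r.ReturnValue)"
        }
    } catch {
        $results['Registry read (StdRegProv)'] = "FAILED: $($_.Exception.Message)"
    }

    # 3. Task scheduler read access over the same CIM session
    #    (assumption: listing root-level tasks is enough to detect a denied namespace).
    try {
        $tasks = Get-ScheduledTask -CimSession $session -TaskPath '\' -ErrorAction Stop
        $results['Task scheduler read'] = "OK ($(@($tasks).Count) tasks visible)"
    } catch {
        $results['Task scheduler read'] = "FAILED: $($_.Exception.Message)"
    }

    Remove-CimSession $session
}

# Print one line per check so a failing permission is easy to spot.
foreach ($entry in $results.GetEnumerator()) {
    '{0,-30} {1}' -f $entry.Key, $entry.Value
}
```

A credential that passes all three probes still only covers the first items of the list in the reply (the file-property reads used by custom file scanning and the write access needed for deployments are not exercised), so the reply's point stands: a working combination found this way is not something Lansweeper supports, and a later scanning feature may require rights the probe never tested.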