Scan for AD Info When Using a Local Account (LAPS)

Purpose:

You wish to return Active Directory data that is obtained by default when using a domain account, with a local account such as LAPS.

Resolution:

Change the Scan As type to Local System for Scan Profiles that contain the Active Directory scanner and/or the Computer Details scanner.

Note: The default setting is Scan User

In versions 19.0.40.0 and below, this setting may be found in the following location: Options > Preferences > Scanning > Scan As

1.png

Versions beyond that, this setting may be found here: Scan Profiles > Edit Scan Profile > Details Tab > Scan As

2.png

This setting executes scans using the Local System account on the target, and applies to all scanners in the Scan Profile. PDQ Inventory connects to the target using the Scan User credentials, creates the PDQInventoryRunner service, and then instructs the service to log on as Local System. Since that account has the necessary permissions to make the query, where a local account does not, the data is returned successfully.

The following example shows the missing data in the Computer Summary when scanned with the default Standard Scan Profile using a local account as the Scan User. The display name is brought in with the Computer Details scanner, while the Active Directory data is brought in with the Active Directory scanner.

3.png

In the next example, the same profile is ran with the same Scan User, except the Scan As setting has been changed to Local System, which is then able to pull the AD info and display name of the current user.

4.png

Still have a question or want to share what you have learned? Visit our Community Discord to get help and collaborate with others.