Credentials for Scanning Domain Controllers
Hi All,
Can you please share your credential setup for scanning domain controllers?
I am assuming you are using an account that belongs to the Administrators group (but not Domain Admins). Is that correct? Trying to set up least privilege here.
Thanks,
2
Comments
I'm interested in this too. What delegated rights does an account need to scan/deploy to DCs? Non-domain-admin account, please.
I'm interested in this too.
I would assume PDQ Inventory's scan user would only need to be a member of the local Administrators group on the DC, not Domain Admins, but I could be mistaken. You might just have to test with trial and error: if it works with a regular admin account, then you're good; if not, it must need Domain Admin.
If I understand correctly, a DC does not have a local SAM database, only the Domain database. There is no such thing as a "local administrators group" on a DC. There is a Domain group called Built-in\Administrators in AD, which will grant that user high administrative permissions to Active Directory.
But that is exactly what I am trying to avoid.
What I have done is I have created two users - userLA and userSA. I used group policy to add userLA to the local administrator group on all workstations. I scan all workstations with userLA. UserSA has been added to the Administrator group in AD. I use UserSA to scan my servers. I did add UserSA to the local Administrator group on my member servers. I obviously cannot do that on my DCs, but it still works. I then log into the workstation running PDQ as a regular user. My PDQ services are running using a separate user account that I created just for running the services and gave it the rights to login as a service using group policy. Seems to be working for me. Was the best I could do.
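An added audit script (not from this thread or from PDQ) that checks the tiered setup the post above describes: the workstation scanner holds no AD admin groups, the server/DC scanner sits only in Built-in Administrators, and the PDQ service account really received "Log on as a service". It assumes the ActiveDirectory RSAT module, the account names userLA and userSA from the post, and a placeholder service account name pdqsvc; the secedit check needs an elevated prompt on the PDQ console host.

```powershell
# Added example: audit the two scan accounts and the service account from the post.
# Assumes the ActiveDirectory module (RSAT); account names below are from the post
# (userLA, userSA) or placeholders (pdqsvc). Adjust to your domain.
Import-Module ActiveDirectory

# Privileged groups a least-privilege scan account must not belong to, even via nesting.
$Forbidden = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators')

function Get-RecursiveGroupNames {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the server side.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty Name
}

function Test-ScanAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Expected = @()          # groups the account is supposed to be in
    )
    $groups = @(Get-RecursiveGroupNames -SamAccountName $SamAccountName)
    [pscustomobject]@{
        Account    = $SamAccountName
        Groups     = $groups -join ', '
        Violations = @($groups | Where-Object { $_ -in $Forbidden }) -join ', '
        Missing    = @($Expected | Where-Object { $_ -notin $groups }) -join ', '
    }
}

function Test-ServiceLogonRight {
    # Confirms the GPO-granted "Log on as a service" right landed on this host (run elevated).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $sid = (Get-ADUser -Identity $SamAccountName).SID.Value
    $cfg = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    # secedit lists SIDs with a leading '*'; well-known accounts may appear by name.
    [bool]($line -and $line -match [regex]::Escape("*$sid"))
}

# Workstation scanner: local admin via GPO only, no AD admin groups at all.
Test-ScanAccount -SamAccountName 'userLA'
# Server/DC scanner: Built-in Administrators is the one privileged group it needs.
Test-ScanAccount -SamAccountName 'userSA' -Expected 'Administrators'
# Service account on the PDQ console host ('pdqsvc' is a placeholder name).
Test-ServiceLogonRight -SamAccountName 'pdqsvc'
```

A non-empty Violations column on either scan account means a nested group has quietly pulled it into a Domain Admin tier, which is exactly the exposure the post is trying to avoid.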