Agent Client Collector vs Local Admin Rights for CMDB Discovery and Service Mapping

NicoleHollihan
Tera Contributor

Currently we are set up with JEA credentialing our Windows devices in CMDB for Discovery. However, we are running into issues with what information we are able to get and Service Mapping. My org is against allowing local admin rights so I am looking for an alternative that will still provide the most value and work well with Service Mapping? Any suggestions? Is Agent Client Collector a solution for this?

 

Thank you

Nikki

1 ACCEPTED SOLUTION

pavani_paluri
Giga Guru

Hi @NicoleHollihan ,

JEA may not be enough because it restricts commands to a specific role definition. Service Mapping and Discovery rely on WMI, registry, services, ports, installed software, etc.
Many of these actions need elevated permissions, which JEA may block.

 

Yes — ACC is an excellent option, and specifically designed for these kinds of challenges. The agent runs locally with the required privileges, so you don’t need to expose admin accounts.

 

Mark it helpful if this helps you to understand. Accept solution if this gives you the answer you're looking for.
Kind Regards,
Pavani P

 

4 REPLIES

pavani_paluri
Giga Guru

Hi @NicoleHollihan ,

 

Could you please accept the solution if that answers your question?

 

Mark it helpful if this helps you to understand. Accept solution if this gives you the answer you're looking for.
Kind Regards,
Pavani P

Pratiksha
Mega Sage

Hi @NicoleHollihan ,

 

JEA should be enough for Service Mapping. We have used it before. ACC can be used as well. There are a few things which need to be maintained when you are using ACC; one of them is that the agents don't auto upgrade. Certificate management won't work if you are using only ACC (port based).

If you already have JEA set up, it should be enough for Service Mapping.

Mark it helpful if this helps you to understand. Accept solution if this gives you the answer you're looking for.
Regards,
Pratiksha

AJ-TechTrek
Giga Sage

Hi @NicoleHollihan ,

 

Great question — and you’re not alone! Many organizations (especially security-minded ones) don’t want to use local admin rights for Windows Discovery & Service Mapping.


 

As per my understanding, why this happens:

* ServiceNow Discovery & Service Mapping for Windows traditionally rely on:
  * WMI
  * Remote registry
  * Windows services, process lists, netstat, etc.

Most of these require local admin or at least very elevated privileges.
Using JEA (Just Enough Administration) is a good step.

* But it often limits what can be queried, leading to:
  * Partial discovery
  * Missing running services/processes
  * Service Mapping not seeing listening ports, bindings, process relationships

 

What are your options:


1. Expand JEA to include what Discovery needs
You can carefully:
* Extend your JEA endpoint to allow:
  * WMI queries (Win32_Service, Win32_Process)
  * netstat / Get-NetTCPConnection
  * reading registry keys used by Discovery patterns
* Still avoid full local admin.

Needs security review, but keeps it agentless.

 

2. Use ServiceNow Agent Client Collector (ACC)
Yes — ACC is designed exactly for this type of situation:
* Deploys lightweight ServiceNow agent to Windows servers.
* Runs under local system / elevated context → can gather:
  * Listening ports
  * Processes
  * Service relationships
  * Software inventory
* Doesn’t require storing admin credentials in Discovery
* Works with:
  * Discovery
  * Service Mapping
  * Cloud Observability
  * Application Visibility

For Service Mapping, ACC can detect running processes, ports, and inbound/outbound connections → gives very high fidelity maps.

 

3. Hybrid
* Use agentless discovery for servers where possible (with JEA).
* Deploy ACC selectively on servers hosting business-critical apps that need accurate service maps.

 

4. How ACC works with Service Mapping:
* ACC publishes data to MID → MID runs patterns as usual.
* You get:
  * Near-real-time process and connection data.
  * More complete service maps.
* Doesn’t require local admin creds to be stored on MID or Discovery schedules.

 

Please appreciate the efforts of community contributors by marking appropriate response as Mark my Answer Helpful or Accept Solution this may help other community users to follow correct solution in future.
 

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
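
Option 1 in the reply above (extending the JEA endpoint) can look like the following. This is an added example, not part of the thread and not ServiceNow's own configuration: the module, endpoint, account and registry key names are placeholders, and the visible commands only mirror the items the reply names, since the thread does not give the exact command list Discovery patterns issue.

```powershell
# Added example. Module, endpoint, account and registry-key names are placeholders.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DiscoveryJEA'
$rcDir  = Join-Path $module 'RoleCapabilities'
$jeaDir = Join-Path $env:ProgramData 'JEA'
New-Item -ItemType Directory -Path $rcDir, $jeaDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'DiscoveryJEA.psd1')

# Role capability: only the read-only queries named in option 1 are visible.
$role = @{
    Path                    = (Join-Path $rcDir 'DiscoveryReadOnly.psrc')
    ModulesToImport         = 'NetTCPIP'
    VisibleFunctions        = 'Get-NetTCPConnection'
    VisibleProviders        = 'Registry'
    VisibleExternalCommands = 'C:\Windows\System32\NETSTAT.EXE'
    VisibleCmdlets          = @(
        # -ClassName is pinned to two classes; -Query is not exposed at all.
        @{ Name = 'Get-CimInstance'
           Parameters = @{ Name = 'ClassName'; ValidateSet = 'Win32_Service', 'Win32_Process' },
                        @{ Name = 'Property' } },
        # Registry reads are confined to one subtree (placeholder key name).
        @{ Name = 'Get-ItemProperty'
           Parameters = @{ Name = 'Path'
                           ValidatePattern = '^HKLM:\\SOFTWARE\\ExampleVendor(\\[\w \-]+)*$' } }
    )
}
New-PSRoleCapabilityFile @role

# Session configuration: the connecting account needs no local admin rights.
# Commands run as a temporary virtual account, which is a local administrator
# by default, so the role capability above is the actual privilege boundary.
$session = @{
    Path                = (Join-Path $jeaDir 'Discovery.pssc')
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = (Join-Path $jeaDir 'Transcripts')
    RoleDefinitions     = @{ 'CONTOSO\svc-discovery' = @{ RoleCapabilities = 'DiscoveryReadOnly' } }
}
New-PSSessionConfigurationFile @session
Test-PSSessionConfigurationFile -Path $session.Path

# Registering the endpoint restarts WinRM on the host.
Register-PSSessionConfiguration -Name 'Discovery' -Path $session.Path -Force

# Review exactly what the discovery account can run before the security sign-off.
Get-PSSessionCapability -ConfigurationName 'Discovery' -Username 'CONTOSO\svc-discovery' |
    Select-Object CommandType, Name
```

The `Get-PSSessionCapability` output is the artifact to hand to the security review, and the transcript directory gives an audit trail of every command the discovery account runs through the endpoint.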