What is the use of a domain account and a service account while setting up Discovery?

shabbir5
Tera Guru

Hi All,

Why do we need a domain account and a service account while setting up the Discovery process?

And how many service accounts / domain accounts do we need to discover Windows servers?

How many service accounts / domain accounts do we need to discover UNIX servers?

Please, someone provide your inputs.

@Ankur Bawiskar

Regards,

Shabbir Shaik

1 ACCEPTED SOLUTION

AJ-TechTrek
Giga Sage

Hi @shabbir5,

As per my understanding, the below might help you better understand service accounts and domain accounts.

Why do we need domain accounts & service accounts in ServiceNow Discovery?

* When you set up Discovery in ServiceNow, the MID Server needs credentials to log in to the target devices to collect configuration and inventory data.

Service accounts: These are special-purpose accounts created in the OS or directory (Active Directory, LDAP, or local system) used only by the Discovery process, so no personal credentials are involved.

Domain accounts: Specifically for Windows environments using Active Directory. They allow you to:
* Discover multiple Windows servers in the same domain without maintaining separate local credentials for each server.
* Leverage WMI (Windows Management Instrumentation) and Remote Registry access across the domain.

Using these accounts:
* Keeps Discovery automated, secure, and auditable.
* Avoids using personal admin accounts (which is against best practices and security policies).
* Provides the necessary permissions to run discovery probes, fetch system information, and execute commands.

How many service accounts / domain accounts do we need to discover Windows servers?
* It depends on your environment, but generally:
* If all Windows servers are in a single domain → usually one domain service account with sufficient permissions can discover them all.
* If you have multiple domains without trust relationships → you’ll need one service account per domain.
* For local accounts (only if domain accounts can't be used): you’ll need separate service accounts per group of servers sharing the same local credentials.
* Best practice: One domain service account per AD domain with Remote WMI and Remote Registry access, added to the Domain Users group (and sometimes Distributed COM Users or similar as per your security policy).

How many service accounts / domain accounts do we need to discover UNIX servers?
* UNIX/Linux discovery relies on SSH:
* You need at least one service account per type of UNIX/Linux OS if their SSH configuration and sudo permissions are consistent.
* If different servers require different credentials, you may need multiple service accounts.

Best practice:
Create one dedicated service account (non-personal) with passwordless sudo or limited sudo permissions, reusable across multiple UNIX/Linux servers, as long as they share the same authentication method.


Please appreciate the efforts of community contributors by marking the appropriate response as Mark my Answer Helpful or Accept Solution; this may help other community users to follow the correct solution in the future.


Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
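
One way to check the "limited sudo" recommendation in the answer above on a UNIX/Linux target, as an added example that is not part of the original post and not ServiceNow code. The account names (`svc_disco`, `svc_legacy`, `svc_net`, `svc_aix`), command paths and sudoers content are constructed for illustration.

```python
import re

# Constructed sample of /etc/sudoers.d content. Account names and command
# paths are assumptions for illustration, not values from the post.
SAMPLE_SUDOERS = """\
Defaults:svc_disco !requiretty
svc_disco  ALL=(root) NOPASSWD: /usr/sbin/dmidecode, /usr/sbin/lsof
svc_legacy ALL=(ALL) NOPASSWD: ALL
svc_net    ALL=(root) NOPASSWD: /usr/bin/*
jsmith     ALL=(ALL) ALL
"""

# user  host = (runas) [TAG:] cmd, cmd ...   (aliases and line
# continuations are not expanded in this simplified parser)
RULE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)

def audit_sudoers(text, service_accounts):
    """Return {account: [findings]}; an empty list means a limited rule."""
    findings = {acct: [] for acct in service_accounts}
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m or m["user"] not in findings:
            continue
        acct = m["user"]
        seen.add(acct)
        if (m["runas"] or "").strip() == "ALL":
            findings[acct].append("may run as ALL users")
        # Drop tags such as NOPASSWD: and split the command list.
        cmds = re.sub(r"\b[A-Z_]+:\s*", "", m["rest"]).split(",")
        for cmd in (c.strip() for c in cmds):
            if cmd == "ALL":
                findings[acct].append("may run ALL commands")
            elif not cmd.startswith("/"):
                findings[acct].append(f"not an absolute path: {cmd}")
            elif "*" in cmd:
                findings[acct].append(f"wildcard in command: {cmd}")
    for acct in service_accounts:
        if acct not in seen:
            findings[acct].append("no sudo rule found")
    return findings

if __name__ == "__main__":
    accounts = ["svc_disco", "svc_legacy", "svc_net", "svc_aix"]
    for acct, issues in audit_sudoers(SAMPLE_SUDOERS, accounts).items():
        print(acct, "->", issues or "limited sudo, OK")
```

An empty findings list means the account is restricted to an explicit list of absolute command paths; personal accounts such as `jsmith` are ignored because only the named service accounts are audited.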

3 REPLIES

Dr Atul G- LNG
Tera Patron

Hi @shabbir5

Adding @AJ-TechTrek, who is an expert in ITOM and can provide you more practical insight about this.

*************************************************************************************************************
If my response proves useful, please indicate its helpfulness by selecting " Accept as Solution" and " Helpful." This action benefits both the community and me.

Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]

****************************************************************************************************************

Thank you @Dr Atul G- LNG for your help.

@AJ-TechTrek, please help me with your inputs to understand the importance of the service account and domain account while discovering?

And also, suppose we have multiple service accounts for one server, then which credentials will be used by Discovery?

Regards,

Shabbir Shaik
