
Alternatives to Domain Admin Discovery

davidnevado
Tera Contributor

Hi,

We are currently implementing ServiceNow Discovery in our environment and have encountered a major limitation regarding Windows Domain Controllers.

According to the official documentation, in order to discover a Domain Controller it is required to use credentials with Domain Admin privileges, since Domain Controllers do not have local administrators.

The challenge is that, due to our internal security policies, we cannot grant Domain Admin rights nor add accounts to the local Administrators group on the DCs.

Is there any officially supported alternative to perform Discovery on Domain Controllers under these conditions?

Thanks, regards

David

1 ACCEPTED SOLUTION

AJ-TechTrek
Giga Sage

Hi @davidnevado ,

I hope the clarification below will help you on this.

Why ServiceNow Requires Domain Admin for DCs
* Domain Controllers don’t have a local SAM database, so there is no Local Administrator account.
* ServiceNow Discovery relies on WMI/WinRM/Registry/Service Control Manager for deep exploration of Windows CIs.
* Without Domain Admin privileges, access to certain WMI namespaces, registry hives, and performance counters is blocked.

Officially Supported Options
1. Domain Admin (Recommended by ServiceNow Docs)
   * The official ServiceNow stance is that you need Domain Admin or equivalent rights to fully discover DCs.
   * This is due to required WMI calls and registry reads.

2. Service Account with Least Privilege (Hardened Option)
   * If granting Domain Admin is not acceptable, the best practice is to:
     * Create a dedicated discovery service account.
     * Assign it just enough rights via Group Policy on DCs.
   * Required rights include:
     * Remote WMI access (DCOM permissions).
     * Registry read access to HKLM:\SYSTEM and HKLM:\SOFTWARE.
     * Service Control Manager read access.
     * Performance Monitor Users group (for Perfmon counters).
   * This is not OOTB supported in ServiceNow docs, but some organizations do it via fine-grained GPO delegation.

3. Agent-Based Discovery (ServiceNow Agent Client Collector – ACC)
   * If your security team does not allow remote WMI/WinRM at all, you can use the ServiceNow Agent Client Collector (ACC).
   * ACC runs locally on the DC and collects discovery data without requiring elevated remote rights.
   * This is the only officially supported alternative to Domain Admin credentials for Domain Controllers.

Risks & Considerations
* If you try to use non-Domain Admin accounts without proper delegation, you’ll likely get partial discovery (machine record created, but missing services/software details).
* Using ACC shifts the burden from credentials to agent deployment, which may or may not fit your ops/security model.
* Do not attempt registry hacks or unsupported methods — SNOW support will not help if issues arise.

 

Please appreciate the efforts of community contributors by marking the appropriate response as Helpful or Accept Solution; this may help other community users follow the correct solution in future.

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025

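Added example, not code from this thread or from ServiceNow: a PowerShell audit that checks whether a candidate discovery account already holds the rights AJ lists under option 2 (DCOM/Perfmon group membership, HKLM read, SCM read, WMI namespace remote enable). It assumes it is run on the DC by someone allowed to read those ACLs, with the ActiveDirectory module available; the account name is a placeholder, and the masks checked are the minimum for each right, not a full emulation of what Discovery requests.

```powershell
# Added audit script, not from this thread or from ServiceNow. Run it on the DC as an
# account that can read ACLs; it reports whether a candidate discovery account holds
# the rights listed under option 2. $Account is a constructed placeholder name.
param([string]$Account = 'svc-snow-discovery')
Import-Module ActiveDirectory
# Effective SIDs: the user, every group it belongs to (tokenGroups expands nesting and
# the Builtin groups), plus Everyone and Authenticated Users, which ACEs often name.
$user = Get-ADUser -Identity $Account -Properties tokenGroups
$sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value }) + @('S-1-1-0', 'S-1-5-11')

function Test-Sid([string]$SidString) { return ($sids -contains $SidString) }

function Test-RegistryRead([string]$Path) {
    # ReadKey = QueryValues | EnumerateSubKeys | Notify | ReadPermissions (0x20019)
    $need = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $mine = (Get-Acl -Path $Path).Access | Where-Object {
        Test-Sid $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    $allow = $mine | Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.RegistryRights -band $need) -eq $need) }
    $deny  = $mine | Where-Object { $_.AccessControlType -eq 'Deny'  -and (([int]$_.RegistryRights -band $need) -ne 0) }
    return ([bool]$allow -and -not $deny)
}

function Test-ScmConnectEnumerate {
    # SC_MANAGER_CONNECT (0x1) | SC_MANAGER_ENUMERATE_SERVICE (0x4) on the SCM's own DACL
    $sddl = sc.exe sdshow scmanager | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^D:' }
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $mine = $sd.DiscretionaryAcl | Where-Object { Test-Sid $_.SecurityIdentifier.Value }
    $allow = $mine | Where-Object { $_.AceType -eq 'AccessAllowed' -and (($_.AccessMask -band 0x5) -eq 0x5) }
    $deny  = $mine | Where-Object { $_.AceType -eq 'AccessDenied'  -and (($_.AccessMask -band 0x5) -ne 0) }
    return ([bool]$allow -and -not $deny)
}

function Test-WmiRemoteEnable([string]$Namespace = 'root/cimv2') {
    # WBEM_ENABLE (0x1) | WBEM_REMOTE_ACCESS (0x20): the minimum for remote WMI queries
    $sdesc = (Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity -MethodName GetSecurityDescriptor).Descriptor
    $mine  = $sdesc.DACL | Where-Object { Test-Sid $_.Trustee.SIDString }
    $allow = $mine | Where-Object { $_.AceType -eq 0 -and (($_.AccessMask -band 0x21) -eq 0x21) }
    $deny  = $mine | Where-Object { $_.AceType -eq 1 -and (($_.AccessMask -band 0x21) -ne 0) }
    return ([bool]$allow -and -not $deny)
}

[pscustomobject]@{
    Account                 = $Account
    PerformanceMonitorUsers = Test-Sid 'S-1-5-32-558'   # well-known SID of the Builtin group
    DistributedCOMUsers     = Test-Sid 'S-1-5-32-562'   # remote DCOM activation for WMI
    RegistryRead_SYSTEM     = Test-RegistryRead 'HKLM:\SYSTEM'
    RegistryRead_SOFTWARE   = Test-RegistryRead 'HKLM:\SOFTWARE'
    ScmConnectEnumerate     = Test-ScmConnectEnumerate
    WmiRemoteEnable_cimv2   = Test-WmiRemoteEnable
} | Format-List
```

A False in any row points at the GPO or ACL that still needs delegating before expecting more than the partial discovery AJ describes.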

3 REPLIES


Thanks for your reply AJ, it helps me.

Pratiksha
Mega Sage

We had similar issues; explore ACC for JEA for this. It will help.