‎04-17-2020 09:24 AM
How can I discover Domain Controllers without having Domain Admin rights?
We have a GPO that adds a Security Group to the Local Admins group on each Windows server, but for DCs that's similar to having Domain Admins rights (which is a big NO in our environment).
I found this same question at:
https://community.servicenow.com/community?id=community_question&sys_id=3251c329db98dbc01dcaf3231f9619ba
But at the end of the document it mentions "New technology is coming to replace and (vastly) improve the functionality.."
I have a couple of questions:
- What's the 'new way' to discover DCs, including relationships?
- If we need to use the "Help the Help Desk" script as a logon script, will that apply to every Windows Server in the environment?
- In other words, will the script replace the GPO we have already in place?
- Will the script still NOT create relationships between the server and the running apps?
- How will that impact Top-Down discovery (Service mapping)?
Thanks
Labels: Discovery, Service Mapping

‎06-16-2020 03:12 PM
Hi - to address a couple of your questions
- ...use the "Help the Help Desk" script as a logon script, ....
>>> I believe this HTH is being phased out. Read more here
- How will that impact Top-Down disco (Service mapping)
>>> For these CIs to be auto-populated via SM, they have to be in the CMDB. They can get into the CMDB via automation, aka Discovery, or be added as CIs manually. It's a bit of a catch-22 for SM because if you want full automation (i.e. no manual entry) then Discovery needs to scan/inventory it... which is blocked by the original point you brought up.
It's fairly common that Domain Controllers are excluded from discovery because of the reasons already noted.
Hope this helps?
‎04-17-2020 09:34 AM
You don't. It's a Windows requirement to have domain admin rights, not SN. I recommend to my clients to just add these devices manually, or import them if there is a source to import from.

‎04-17-2020 10:49 AM
Hi,
In the future, i.e. Orlando, we will be trying to use JEA.
Let's see if this helps or not.
For now you can use HTHD or manual creation of DCs.
Thanks,
Ashutosh
‎04-17-2020 11:28 AM
JEA won't help here, unfortunately; it's not about the commands we need to run, it is the remote query that has to take place at the fundamental account level. However, when agents become available for discovery, that should take the place of the WMI Script option... or do (+1) what Patrick suggested.

‎06-16-2020 02:59 PM
Hi Doug.
Are you suggesting that ServiceNow is developing an agent which optionally can be installed on Windows servers to discover them?
Thanks,
Ron