‎04-17-2020 09:24 AM
How can I discover Domain Controllers without having Domain Admin rights?
We have a GPO that adds a Security Group to the Local Admins group on each Windows server, but for DCs that's similar to having Domain Admins rights (which is a big NO in our environment).
I found this same question at:
https://community.servicenow.com/community?id=community_question&sys_id=3251c329db98dbc01dcaf3231f9619ba
But at the end of the document it mentions "New technology is coming to replace and (vastly) improve the functionality.."
I have a couple of questions:
- What's the 'new way' to discover DCs, including relationships?
- If we need to use the "Help the Help Desk" script as a logon script, will that apply to every Windows Server in the environment?
- In other words, will the script replace the GPO we have already in place?
- Will the script still NOT create relationships between the server and the running apps?
- How will that impact Top-Down discovery (Service mapping)?
Thanks
Labels: Discovery, Service Mapping

‎06-16-2020 03:12 PM
Hi - to address a couple of your questions
- ...use the "Help the Help Desk" script as a logon script, ....
>>> I believe this HTH is being phased out. Read more here
- How will that impact Top-Down disco (Service mapping)
>>> For these CIs to be auto-populated via SM, they have to be in the CMDB. They can get into the CMDB via automation, aka Discovery, or be added as CIs manually. It's a bit of a catch-22 for SM because if you want full automation (i.e. no manual entry) then Discovery needs to scan/inventory it... which is blocked by the original point you brought up.
It's fairly common that Domain Controllers are excluded from discovery because of the reasons already noted.
Hope this helps?

‎07-07-2023 08:07 AM
Hi,
It is mentioned in ServiceNow official documentation that a domain administrator is required to discover domain controllers:
Credentials required for host discovery
https://docs.servicenow.com/bundle/utah-it-operations-management/page/product/service-mapping/refere...
Or else you go with the other option, that is, "Delegate WMI Access to Domain Controllers".
The article below on the Microsoft Tech Community provides a procedure to delegate WMI access without domain admin:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/delegate-wmi-access-to-domai...
But as per ServiceNow's suggestion, we have to create the users with the required permissions and test.
Discovery runs remote WMI queries from the MID server while discovering Windows-based machines. For domain controllers, the user running the remote WMI queries should either be included in the domain administrators group or the 'local administrators' group which by default does not exist on a domain controller. This is a Microsoft Active Directory Domain Controller design limitation.
‎05-02-2023 04:16 AM - edited ‎05-02-2023 04:38 AM
So I am in 2023 now and asking the same question. @doug_schulze, is there any new update on installing agents directly on Windows servers to bring in these DCs, or will we still go for manual upload? I believe HTHD is now discontinued.
One good thing: we are able to discover VMware domain controllers through vCenter, but there is an issue with other environments.

‎05-04-2023 07:18 AM
Hello - now in 2023 things have changed. SNOW introduced Agent Client Collector in the last year or so. ACC is also a possibility for collecting info on servers (Win/Linux) that can run Ruby scripts (used by ACC under the covers). Perhaps ACC can fulfill your biz-need? Read ACC docs here
‎05-04-2023 08:09 AM
Thanks @DaveHertel for your quick response. I believe if we use ACC then there is no need for the Domain Admin rights requirement and the domain controllers can be discovered without asking for additional permissions?
Will installing ACC on each device take more effort than what Discovery does?