‎04-17-2020 09:24 AM
How can I discover Domain Controllers without having Domain Admin rights?
We have a GPO that adds a Security Group to the Local Admins group on each Windows server, but for DCs that's similar to having Domain Admins rights (which is a big NO in our environment).
I found this same question at:
https://community.servicenow.com/community?id=community_question&sys_id=3251c329db98dbc01dcaf3231f9619ba
But at the end of the document it mentions "New technology is coming to replace and (vastly) improve the functionality.."
I have a couple of questions:
- What's the 'new way' to discover DCs, including relationships?
- If we need to use the "Help the Help Desk" script as a logon script, will that apply to every Windows Server in the environment?
- In other words, will the script replace the GPO we have already in place?
- Will the script still NOT create relationships between the server and the running apps?
- How will that impact Top-Down discovery (Service mapping)?
Thanks
Labels: Discovery, Service Mapping
‎06-16-2020 03:12 PM
Hi - to address a couple of your questions:

- "...use the "Help the Help Desk" script as a logon script, ...."
>>> I believe this HTH is being phased out. Read more here -
- "How will that impact Top-Down disco (Service mapping)?"
>>> For these CIs to be auto-populated via SM, they have to be in the CMDB. They can get into the CMDB via automation (aka Discovery) or be added as CIs manually. It's a bit of a catch-22 for SM, because if you want full automation (i.e. no manual entry) then Discovery needs to scan/inventory it... which is blocked by the original point you brought up.

It's fairly common that Domain Controllers are excluded from discovery for the reasons already noted.

Hope this helps?
‎05-08-2023 02:03 PM
Hi - it will certainly take more effort to install ACC on each device, compared to what Discovery can do if it's allowed the permissions. The end result of what ACC vs. Discovery collects will be similar - populating the CMDB.

You are correct, with ACC there probably isn't a need for domain admin rights, but... the agent is running on a domain controller, so there may be other hoops you have to jump through to get it to work. I'm just guessing... I haven't tried installing ACC on a domain controller.
‎05-10-2023 02:41 AM
@DaveHertel thank you so much, it helps me. 🙂
‎09-11-2024 08:10 PM
Were you able to successfully discover Domain Controllers with ACC without domain admin privilege in parallel or using a MID server with a service account?
14 hours ago
Hello all,

First of all, thank you for raising this discovery challenge. We are in the same boat as well in 2026 (Zurich). We are using a Group Managed Service Account (gMSA) to run the ACC service on our set of DCs. The gMSA is a domain account and resets its password automatically, which provides peace of mind from a security perspective.

However, during our pilot discovery scope, the ACC agent on a DC went down as the ACC service stopped and would not restart. Each time we try to restart the service, it throws the error "Error 1069: The service did not start due to a logon failure". This error is the result of failed credentials. We all know the Microsoft Active Directory Domain Controller design limitation: the user running the remote WMI queries should either be included in the Domain Administrators group or the local Administrators group, which by default does not exist on a domain controller.

Has anyone found a way around this?
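As an added diagnostic for the "Error 1069" symptom in the post above (this is not code from the thread or from ServiceNow), the PowerShell below checks the usual causes of a gMSA-run service failing to log on: the host not being allowed to retrieve the managed password, the service not actually configured as DOMAIN\gmsa$, and the gMSA lacking the "Log on as a service" right (which on a domain controller is governed by the Default Domain Controllers Policy GPO rather than local policy). The gMSA name `gmsa-acc`, the domain NetBIOS name `CORP` and the service name `snc_acc` are assumptions; replace them with your own values.

```powershell
#Requires -Modules ActiveDirectory
# Diagnose a gMSA-run Windows service that fails with error 1069 (logon failure).
# Assumed names (not from the thread): gMSA 'gmsa-acc', domain 'CORP', service 'snc_acc'.
# Run elevated on the DC that hosts the service; needs the ActiveDirectory RSAT module.
param(
    [string]$GmsaName      = 'gmsa-acc',  # assumption
    [string]$DomainNetBIOS = 'CORP',      # assumption
    [string]$ServiceName   = 'snc_acc'    # assumption
)

$ErrorActionPreference = 'Stop'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Can THIS host retrieve the managed password? $false here is the classic cause of 1069.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    $findings.Add("Host $env:COMPUTERNAME cannot retrieve the managed password for $GmsaName.")
}

# 2. Is the host (or a group it belongs to) listed in PrincipalsAllowedToRetrieveManagedPassword?
#    Only direct group membership is checked here; nested groups are not expanded.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
$hostObj = Get-ADComputer -Identity $env:COMPUTERNAME -Properties MemberOf
$hostOk = ($allowed -contains $hostObj.DistinguishedName) -or
          (@($allowed | Where-Object { $hostObj.MemberOf -contains $_ }).Count -gt 0)
if (-not $hostOk) {
    $findings.Add("Neither $($hostObj.DistinguishedName) nor its direct groups may retrieve the password " +
                  "(allowed: $($allowed -join ', ')). Use Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword.")
}

# 3. Is the service registered to run as the gMSA (DOMAIN\name$ with no stored password)?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) { throw "Service $ServiceName not found on $env:COMPUTERNAME." }
$expected = "$DomainNetBIOS\$GmsaName`$"
if ($svc.StartName -ne $expected) {
    $findings.Add("Service '$ServiceName' runs as '$($svc.StartName)', expected '$expected'.")
}

# 4. Does the gMSA hold SeServiceLogonRight ("Log on as a service")? secedit exports the
#    effective local policy; on a DC this right is replaced by the Default Domain Controllers
#    Policy at every policy refresh, so a locally granted right silently disappears.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
Remove-Item $cfg -Force -ErrorAction SilentlyContinue
$sid = $gmsa.SID.Value
$hasRight = $rightLine -and (
    $rightLine.Line -match [regex]::Escape("*$sid") -or
    $rightLine.Line -match [regex]::Escape($expected))
if (-not $hasRight) {
    $findings.Add("$GmsaName (SID $sid) is not in SeServiceLogonRight. On a DC, grant it in the " +
                  "Default Domain Controllers Policy GPO (User Rights Assignment), not in local policy.")
}

# 5. Most recent failed-logon audit (event 4625) for the gMSA, if auditing is enabled.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -match [regex]::Escape("$GmsaName`$") } | Select-Object -First 1
if ($evt) {
    $findings.Add("Most recent 4625 for $GmsaName at $($evt.TimeCreated); check its Status/Sub Status fields.")
}

if ($findings.Count -eq 0) {
    Write-Output "No obvious gMSA misconfiguration found for '$ServiceName' on $env:COMPUTERNAME."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A common pattern on domain controllers is to put the "Domain Controllers" group (rather than individual computer objects) into `PrincipalsAllowedToRetrieveManagedPassword`, so step 2's direct-group check passes for every DC. Note that this script only diagnoses why the service cannot log on; it does not address the separate question raised in the thread of what rights the agent needs on a DC to run WMI queries.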
