Discover Domain Controllers without Domain Admin rights.

Go to solution
jcanjura
Mega Expert

‎04-17-2020 09:24 AM

How can I discover Domain Controllers without having Domain Admin rights?
We have a GPO that adds a Security Group to the Local Admins group on each Windows server, but for DCs that's similar to having Domain Admins rights (which is a big NO in our environment).
I found this same question at:

https://community.servicenow.com/community?id=community_question&sys_id=3251c329db98dbc01dcaf3231f9619ba

But at the end of the document it mentions "New technology is coming to replace and (vastly) improve the functionality.."
I have a couple of questions:

  • What's the 'new way' to discover DCs, including relationships?
  • If we need to use the "Help the Help Desk" script as a logon script, will that apply to every Windows Server in the environment?
    • In other words, will the script replace the GPO we have already in place?
    • Will the script still NOT create relationships between the server and the running apps?
    • How will that impact Top-Down discovery (Service mapping)?

Thanks

 

Labels:
0 Helpfuls
  • 5,828 Views
1 ACCEPTED SOLUTION

Go to solution
DaveHertel
Kilo Sage
Kilo Sage

‎06-16-2020 03:12 PM

Hi - to address a couple of your questions

  • ...use the "Help the Help Desk" script as a logon script, ....
    >>> I believe this HTH is being phased out.  Read more here

  • How will that impact Top-Down disco (Service mapping)
    >>> for these CI's to be auto populated via SM, they have to be in the CMDB.  They can get into the CMDB via automation, aka, Discovery or added as CI's manually.   Its a bit of a catch-22 for SM because if you want full automation (i.e. no manual entry) then Discovery needs to scan/inventory it... which is blocked by the original point you brought up.

Its fairly common that Domain Controllers are excluded from discovery because of the reasons already noted.

Hope this helps?

View solution in original post

17 REPLIES 17

Go to solution
DaveHertel
Kilo Sage
Kilo Sage
In response to akashfinning

‎05-08-2023 02:03 PM

Hi - it will certainly take more effort to install ACC per each device, compared to what Discovery can do if it's allowed permissions.   The end result of what ACC vs. Discovery collects will me similar - populating the CMDB. 

 You are correct, with ACC there probably isn't a need for domain admin rights, but... the agent is running on a domain controller so there may be other hoops you have to jump thru to get it to work.  I'm just guessing.. I haven't tried installing ACC on a domain controller.

Go to solution
akashfinning
Tera Contributor

‎05-10-2023 02:41 AM

@DaveHertel thank you so much , it helps me. 🙂

0 Helpfuls

Go to solution
benitoperie
Tera Contributor
In response to akashfinning

‎09-11-2024 08:10 PM

Hi @akashfinning 

Were you able to successfully discover Domain Controllers with ACC without domain admin privilege in parallel or using a MID server with a service account?

0 Helpfuls