Discovery of Active Directory Domain Controllers

Doanna
Giga Contributor

For Discovery of Active Directory Domain Controllers, what level of access does the credential have?

Does this have to be a domain Admin access?

What happens if the security does not allow providing the Admin Access to SNOW?

3 REPLIES

Rahul Priyadars
Tera Sage

Yes - It needs Domain Admin to run discovery.

It's a Windows requirement to have domain admin rights, not SN. With Domain Admin rights you can fire commands/scripts for discovery.

If Security does not allow it, create these DCs manually or try the JEA approach for Domain Controller discovery.

Regards

RP

 

doug_schulze
ServiceNow Employee

You might also consider using the Agent Client Collector as well if they aren't going to give you credentials.

itpro72
Tera Contributor

We are disallowed from having a service account in the domain admin group. The acceptable workaround is that the service account is manually put into the built-in Administrators group on each DC. This gives full access to the host and all running processes for the purpose of discovery but does not in and of itself grant any domain privileges. The only reason this needed any exception at all is that if the credential is compromised, that account could log on to a DC and put itself into the domain admin group. But having an account that could elevate itself was much more acceptable than having an elevated account.
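The following added example, which is not from any poster or from ServiceNow, shows one way to watch for the residual risk named in the last reply: it scans Windows Security group-membership events (IDs 4728, 4732, 4756) for the discovery account adding itself to a privileged domain group. The account name `svc-discovery`, the group list, the domain `example.test` and the trimmed event XML are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Security event IDs: member added to a global / local / universal security group
GROUP_ADD_IDS = {"4728", "4732", "4756"}
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}
SERVICE_ACCOUNT = "svc-discovery"  # hypothetical discovery account name

def make_event(event_id, subject, member_dn, group):
    """Build a trimmed, constructed event record (real events carry more fields)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="MemberName">{member_dn}</Data>'
            f'<Data Name="TargetUserName">{group}</Data>'
            f'<Data Name="SubjectUserName">{subject}</Data></EventData></Event>')

def classify(xml_text, account=SERVICE_ACCOUNT):
    """Return an alert label for one event, or None if it is not of interest."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) not in GROUP_ADD_IDS:
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    if data.get("TargetUserName", "").lower() not in PRIVILEGED_GROUPS:
        return None
    actor_is_svc = data.get("SubjectUserName", "").lower() == account
    # MemberName is a distinguished name; compare its leading CN component
    member_is_svc = data.get("MemberName", "").split(",")[0].lower() == f"cn={account}"
    if actor_is_svc and member_is_svc:
        return "self-elevation"
    if actor_is_svc:
        return "service account modified privileged group"
    if member_is_svc:
        return "service account added to privileged group"
    return None

DN = "OU=Service Accounts,DC=example,DC=test"
SAMPLE_EVENTS = [  # constructed sample data
    # the workaround's own provisioning event, not alerted here
    make_event(4732, "admin.jane", f"CN=svc-discovery,{DN}", "Administrators"),
    make_event(4728, "admin.jane", f"CN=helpdesk1,{DN}", "Helpdesk Operators"),
    make_event(4728, "svc-discovery", f"CN=svc-discovery,{DN}", "Domain Admins"),
    make_event(4756, "admin.jane", f"CN=svc-discovery,{DN}", "Enterprise Admins"),
]

def scan(events):
    """Return (index, label) for every event that raises an alert."""
    labelled = ((i, classify(e)) for i, e in enumerate(events))
    return [(i, label) for i, label in labelled if label]
```

Real input would be the XML form of Security log events collected from each DC, which carries the same `EventData` field names used here.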