‎10-02-2017 12:21 AM
Hi,
I have enabled ServiceNow Discovery on my personal developer instance to see if it is something we want to invest in.
According to the documentation:
It should be possible to use a normal user for scanning Windows servers as long as that user has access to the required Windows classes.
To test this I have created, locally on a target Windows server, a normal user named 'Mid456', adding it as a member of 'Users' and 'Performance Log Users' ('Performance Log Users' seems to be necessary to allow remote WMI):
The documentation mentions that a normal user requires access to these Windows classes:
So to test under 'WMI Control' I gave the 'Mid456' user full access to 'root' and all sub folders:
I'm now able to test connecting using Windows 'wbemtest':
And I'm able to test the credentials from ServiceNow:
If I then do a Quick Discovery, Discovery is able to login to the server and create the CI.
However, I get some errors:
Looking at the created CIs, these errors seem to have something to do with missing information about 'Serial Number', 'RAM', 'Disk space (GB)' and 'Chassis type':
And missing information about 'Storage Devices', 'File Systems', 'Serial Numbers', 'Memory Modules' and 'TCP Connections':
If I add the 'Mid456' user to 'Administrators', all this information is obtained and I don't see the 2 warnings in the Discovery Status log.
Any idea why Discovery using a non-admin user is not able to obtain all the information (according to the documentation it should be)?
Another strange behaviour using the non-admin user is that after each successful scan, Discovery is no longer able to scan or to test credentials successfully:
I tried to restart the MID server which doesn't help.
But if I update the 'WMI Control' access on the target Windows server, for instance by removing the access for the user 'Mid456' and re-adding it:
I'm again able to test the credentials and do 1 scan until it fails again.
If I grant the 'Mid456' user local admin access to the server, I don't see this problem.
Has anybody actually successfully been able to fully scan Windows target servers using a non-admin local or AD user?
‎10-04-2017 09:27 AM
To complement David's response: it is possible to have a local user discover your systems; however, you will only get asset (hardware) information. You will not get application relationships, for two reasons.
1. You won't have access to the admin share, as David perfectly talks to, although you could set up a specific share that only your user can access (after modifying the ADM probe).
2. You will not see TCP connections (netstat) outside the context of your local user, if you configure that user with access to that admin-only command.
So if all you are looking for is asset information, absolutely you can configure a non-admin user to discover your systems; however, you will be faced with having to manage that user and all queries that ServiceNow makes across all releases of your OSes. Add to that that we develop with a local admin credential, so you might miss out on future capabilities. And finally, there is only so much help our friends in support can provide; if you are having access issues it is most likely going to be a discussion between you and Microsoft about managing your user security.
So it's best to configure a domain user that has local admin privileges on the targets you are looking to discover, to experience the full breadth and capabilities that Discovery has to offer.
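The thread raises three separate access questions for a non-admin Discovery account: which WMI classes the account can actually read (the attributes reported missing in the first post), whether the admin$ share is reachable, and whether remote UAC token filtering is in play. The script below is an added diagnostic written for this page; it is not part of the thread, not ServiceNow code, and does not reproduce how the Discovery probes themselves run. It is meant to be run on the MID Server host against the target, with the non-admin credential. The target name 'SRV01' and the account 'Mid456' are placeholders, the class-to-attribute mapping is my assumption about what Discovery reads for those CI fields (the probe internals are not shown on this page), and the registry value checked is the standard LocalAccountTokenFilterPolicy setting for remote UAC filtering, which the thread refers to but does not spell out.

```powershell
# Added diagnostic for this thread, not ServiceNow's own code.
# Run on the MID Server host. Uses DCOM, the same transport as WMI/wbemtest,
# so results reflect what a WMI-based probe would see with this credential.
param(
    [string]$Target = 'SRV01',            # hypothetical target server name
    [string]$User   = 'SRV01\Mid456'      # hypothetical non-admin local account
)

$cred = Get-Credential -UserName $User -Message "Password for $User"

# Classes assumed to back the CI attributes reported missing in the thread.
# (Mapping is an assumption about Discovery's probes, not taken from the page.)
$classes = [ordered]@{
    'Chassis type / enclosure serial' = 'Win32_SystemEnclosure'
    'BIOS serial number'              = 'Win32_BIOS'
    'RAM (total physical memory)'     = 'Win32_ComputerSystem'
    'Memory modules'                  = 'Win32_PhysicalMemory'
    'Storage devices'                 = 'Win32_DiskDrive'
    'File systems / disk space'       = 'Win32_LogicalDisk'
    'Disk serial numbers'             = 'Win32_PhysicalMedia'
}

# 1. Open one DCOM/WMI session as the non-admin user.
$dcom = New-CimSessionOption -Protocol Dcom
try {
    $session = New-CimSession -ComputerName $Target -Credential $cred -SessionOption $dcom -ErrorAction Stop
} catch {
    Write-Host "DCOM/WMI connection to $Target as $User failed: $($_.Exception.Message)"
    return
}

# 2. Query each class and record whether the account can read it.
$results = foreach ($entry in $classes.GetEnumerator()) {
    try {
        $count = @(Get-CimInstance -CimSession $session -ClassName $entry.Value -ErrorAction Stop).Count
        [pscustomobject]@{ Attribute = $entry.Key; Class = $entry.Value; Result = "OK ($count instance(s))" }
    } catch {
        [pscustomobject]@{ Attribute = $entry.Key; Class = $entry.Value; Result = "FAILED: $($_.Exception.Message)" }
    }
}
$results | Format-Table -AutoSize

# 3. Remote UAC token filtering: read LocalAccountTokenFilterPolicy via StdRegProv.
#    1 = filtering disabled (remote local-admin tokens keep their privileges);
#    0 or absent = default filtering, which strips admin rights from remote local accounts.
$HKLM = [uint32]2147483650
$reg = Invoke-CimMethod -CimSession $session -Namespace 'root/default' -ClassName StdRegProv `
    -MethodName GetDWORDValue -Arguments @{
        hDefKey     = $HKLM
        sSubKeyName = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        sValueName  = 'LocalAccountTokenFilterPolicy'
    }
if ($reg.ReturnValue -eq 0) {
    Write-Host "LocalAccountTokenFilterPolicy = $($reg.uValue)"
} else {
    Write-Host "LocalAccountTokenFilterPolicy not set (or not readable by $User); default remote UAC filtering applies"
}

# 4. admin$ share: map it with the same credential, since Test-Path would use the caller's token.
try {
    New-PSDrive -Name 'MidAdminShare' -PSProvider FileSystem -Root "\\$Target\admin$" -Credential $cred -ErrorAction Stop | Out-Null
    Write-Host "admin$ share on $Target is reachable as $User"
    Remove-PSDrive -Name 'MidAdminShare'
} catch {
    Write-Host "admin$ share on $Target NOT reachable as $User: $($_.Exception.Message)"
}

Remove-CimSession -Session $session
```

Run it once with the non-admin account and once with an account in the local Administrators group; the difference in the class table is the concrete list of namespaces and classes you would have to grant (and keep granting across OS releases, as the answer above warns), while the admin$ and token-filter lines show the two things WMI namespace permissions alone cannot fix. TCP connection enumeration (netstat) is deliberately not tested here: it cannot be exercised remotely without the command execution path that the non-admin account lacks.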
‎10-02-2017 01:00 AM
As you are using a local account, I believe UAC is still enabled on the machine and that would block these WMI scans unless you have Remote UAC access token filtering disabled.
‎10-02-2017 02:15 AM
Hi Adil,
We will not be allowed to disable UAC on all our Windows servers.
However, on my test server I believe I disabled UAC by adding this registry key:
As described here:
Trying to re-scan the server, I get the same result, where the Discovery Log shows the 2 warnings and the 'RAM', 'Serial Number' etc. information is not added to the CI.
‎10-02-2017 03:08 AM
I believe that the non-admin user would not have access to the admin$ share, due to which it would not be able to run the wmic commands remotely.
You can test this by running the command manually from the MID Server (the global switches must precede the alias, with no space after the colon):
wmic /node:"PCName" /user:"UserName" bios get serialnumber
‎10-02-2017 04:39 AM
Hi,
No, I don't think I will be allowed to have a non-admin user with access to the admin$ share.
Also, I don't see that listed as a requirement for having a non-admin user for Discovery.
However, I am allowed, from the server where the MID Server is running, to open a command prompt and use wmic as you suggested against the target Windows server which I want to scan:
And that user "Mid456" on the target Windows server only belongs to "Users" + "Performance Log Users", so it is not an administrator: