Minimum Credentials Needed for Discovery of Windows Servers
‎05-11-2010 08:31 AM
We are in the process of using Discovery to build our CMDB. We have given our Midserver service account local admin rights on our servers to allow for Discovery. However, we cannot give this type of access on domain controllers. Has anyone run into a situation where they've had to grant Discovery the least amount of permissions possible on a server in order to complete Discovery? If so, what were the permission settings? Did you grant specific permissions on the WMI service? Thanks for any info.
Rick
‎05-18-2010 09:52 AM
Thanks for the info. Where can I find the snc_discovery.js script? Is it contained in a specific probe? Thx
Rick
‎05-18-2010 10:36 AM
http://wiki.service-now.com/index.php?title=WMI_Discovery_Login_Script#WMI_Login_Script_Prior_to_Winter_2010_Stable_2
‎05-11-2010 09:47 AM
I have read information on this subject that suggests that you create an AD account with minimal permissions, then go into the WMI control panel on each of the DCs being discovered and give that account access to the Root namespace and everything under it. I haven't tried this yet but it's on the to-do list.
There is also this article that describes how you can grant WMI permissions via group policy.
http://blogs.msdn.com/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-script.aspx
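An added example, not part of the original posts or of ServiceNow's scripts: a read-only audit of the WMI namespace ACL discussed above, decoding which rights each trustee holds and whether they apply to subnamespaces. The account name `CONTOSO\svc-discovery` is a constructed placeholder, and the set of rights treated as broader than read access is an assumption of this example.

```powershell
# Windows PowerShell 5.1 (uses Invoke-WmiMethod); run elevated on the server being audited.
param(
    [string]$Account   = 'CONTOSO\svc-discovery',  # placeholder, replace with the real account
    [string]$Namespace = 'root'
)

# WMI namespace access-mask bits and the labels shown in the WMI Control security dialog.
$Rights = [ordered]@{
    'Execute Methods' = 0x1
    'Full Write'      = 0x2
    'Partial Write'   = 0x4
    'Provider Write'  = 0x8
    'Enable Account'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}
$ContainerInherit = 0x2                                  # ACE flag: also applies to subnamespaces
$BroadMask = 0x2 -bor 0x4 -bor 0x8 -bor 0x40000          # assumption: write and edit-security rights

# Read the namespace security descriptor; nothing is modified.
$r = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with code $($r.ReturnValue)" }

$aces = foreach ($ace in $r.Descriptor.DACL) {
    $t = $ace.Trustee
    [pscustomobject]@{
        Trustee       = if ($t.Domain) { "$($t.Domain)\$($t.Name)" } else { $t.Name }
        Type          = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { "Type $_" } }
        Rights        = ($Rights.GetEnumerator() |
                           Where-Object { $ace.AccessMask -band $_.Value } |
                           ForEach-Object Key) -join ', '
        Subnamespaces = [bool]($ace.AceFlags -band $ContainerInherit)
        Mask          = $ace.AccessMask
    }
}
$aces | Format-Table Trustee, Type, Rights, Subnamespaces -AutoSize

# Report on the Discovery account's own ACEs (access inherited through a group is not resolved here).
$mine = @($aces | Where-Object { $_.Trustee -ieq $Account -and $_.Type -eq 'Allow' })
if ($mine.Count -eq 0) { Write-Warning "No explicit Allow ACE for $Account on '$Namespace'." }
foreach ($a in $mine) {
    if ($a.Mask -band $BroadMask)  { Write-Warning "$Account holds write/edit rights: $($a.Rights)" }
    if (-not $a.Subnamespaces)     { Write-Warning "ACE for $Account does not apply to subnamespaces." }
}
```

Namespace rights are only one layer: remote WMI access also depends on DCOM remote launch and activation permissions, which this script does not inspect.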
‎09-14-2015 12:54 PM
I just tested this and it worked as desired. My initial test was to manually edit the WMI Security and run a Quick Discovery on one Domain Controller. Then I moved on to making the .vbs file and ran it on a different DC. It too worked as desired. Then I manually un-did it all so I can run it past the InfoSec Team to get their blessing on a security change. But it's very promising!
‎01-06-2016 08:39 AM
Rich, can you confirm that this works on Windows 2008 R2 Domain controllers? We've been trying the same solution by granting a service account full permission to WMI root namespace on a domain controller and we are still receiving access denied errors from both a VBS script that queries WMI and Discovery.