why does windows credentials need to be a part of local admin group on the target windows host

supriyarajp · ‎07-14-2025

In our project, we are going to do IP based discovery for citrix worker machines using IP subnet but we would need a domain user which will then needs to be a part of local domain group on the target windows hosts. Thought it will be a non interactive account but we are unable to get approval for this approach. is there any other way we can do this

Shreya Jain1 · ‎07-15-2025

Hi @supriyarajp,

We need local admin for Application Dependency Mapping. Discovery runs a command called 'netstat' to check all TCP connections incoming and outgoing from device.

netstat command is allowed to run with admin user.

supriyarajp · ‎07-15-2025

@Shreya Jain1 do you know the commands it run, also if you found relative article, please do share

Pratiksha · ‎07-15-2025

Netstat is only admin command. Their are few more. You can explore JEA if you dont want to give admin privileges. If customer has hard stop on creating credential explore agent based discovery.

(

Application Dependency Mapping needs it to gather application dependencies we run the commandNetstat to gather TCP connections sent and received by a target
Discovery uses this information to map the communications that applications are making to one another.

Netstat by default is an Admin only command

Note: Netstat can be exposed to a read only user but will only get connections in the context of that user.)

RawelS · ‎07-15-2025

Another way is to use JEA (Just Enough Administration). Below mentioned is the documentation link.

https://www.servicenow.com/docs/bundle/yokohama-it-operations-management/page/product/discovery/conc...