Here's what dan.sherwin sent over:
(note: this has not been recently/fully tested)
Or you can use this..local changes may or may not need to be modified
We have identified the following requirements for the service account to properly perform the discovery scans, without full administrator authority:
(1) DCOM permissions — remote activation
(2) WMI permissions — remote enable at the root level
(3) Cmd.exe — read and execute permissions
(4) Netstat.exe — read and execute permissions
(5) Shared Folder — modify permissions to a share on the server where the output from the netstat.exe command is written
Here are the details for step 1 and 2
Step 1 above
- Run "dcomcnfg"
- Go to "Console Root -> Component Services -> Computers"
- Right-click on "My Computer" and choose "Properties"
- Select "Com Security" tab
- Click "Edit Limits" in "Launch and Activation Permissions" part
- Add user and check "Remote Activation"
- Click "OK" twice to apply
- Close the window
Step 2 above
- Open "Control Panel -> Administration -> Computer Management"
- Go to "Computer Management (Local) -> Services and Applications"
- Right-click "WMI Control" and select "Properties"
- Go to the "Security" tab
- Click "Security" button
- Click "Advanced" button
- Add user
- Check "Remote Enable" and ensure it will apply to "This namespace and subnamespaces"
- Click "OK" three times to apply
- Close the window
