Windows server discovery - no local admin privileges

chandra_ym
Kilo Expert

Hi,

The Windows team in our organization is hesitant to provide local admin privileges to the service account that we are going to use for the discovery of Windows servers.

Basic Windows server attributes, installed software, running processes and network adapters are part of the discovery requirement.

Without local admin privileges for the service account, what attributes and application dependency mapping info are we going to miss in the discovery?

Regards,

Chandra

1 ACCEPTED SOLUTION

Dave Smith1
ServiceNow Employee

> Without local admin privileges for the service account, what attributes and application dependency mapping info are we going to miss in the discovery.

Quite a number. Show them the discovery patterns and probes used to interrogate a Windows platform so that they understand there are a few privileged commands there.

> Windows team in our organization is hesitant to provide the local admin privileges to the service account that we are going to use for the discovery of Windows servers.

If they're managing this kit... aren't they the ones performing the discovery?

This is always a contentious issue, and it stems from the fact that those trying to capture these CIs that are brought under configuration control differ from those actually managing the CIs - causing a clash.



Simply put: if they don't want to enable discovery on their kit, then make them responsible for manually keeping the CMDB up to date with kit in their area of responsibility. If they want to create a service account that enables discovery read-only access to Windows attributes, they can easily enable auditing and check what's being run, then verify it's safe.


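One way to carry out the audit check suggested in the accepted solution, as an added example that is not part of the original thread and is not ServiceNow code: with process-creation auditing (Security event 4688) enabled on a test server, list what the discovery account actually launched and flag anything the Windows team has not yet reviewed. The account name `svc_discovery`, the reviewed list and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from ntpath import basename  # parses Windows paths on any OS

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(user, image, cmdline):
    # One constructed 4688 record holding only the fields used below.
    # CommandLine is populated only when command-line auditing is enabled.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4688</EventID></System><EventData>"
        f'<Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="NewProcessName">{image}</Data>'
        f'<Data Name="CommandLine">{cmdline}</Data>'
        "</EventData></Event>"
    )

NETSTAT = r"C:\Windows\System32\NETSTAT.EXE"
SAMPLE = "<Events>" + "".join([  # constructed sample, not real log data
    _event("svc_discovery", NETSTAT, "netstat.exe -ano"),
    _event("svc_discovery", NETSTAT, "netstat.exe -ano"),
    _event("svc_discovery", r"C:\Temp\tool.exe", "tool.exe"),
    _event("alice", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]) + "</Events>"

def commands_run_by(events_xml, account):
    """Count (image, command line) pairs from 4688 events for one account."""
    seen = Counter()
    for ev in ET.fromstring(events_xml).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4688":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        users = {data.get("SubjectUserName", "").lower(),
                 data.get("TargetUserName", "").lower()}
        if account.lower() in users:
            seen[(data.get("NewProcessName", ""), data.get("CommandLine", ""))] += 1
    return seen

def unreviewed(seen, reviewed_images):
    """Return commands whose executable name is not on the reviewed list."""
    ok = {name.lower() for name in reviewed_images}
    return sorted(k for k in seen if basename(k[0]).lower() not in ok)

if __name__ == "__main__":
    seen = commands_run_by(SAMPLE, "svc_discovery")
    for (image, cmd), n in seen.most_common():
        print(f"{n:3d}  {image}  {cmd}")
    print("needs review:", unreviewed(seen, ["netstat.exe"]))
```
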

9 REPLIES

bernyalvarado
Mega Sage

Hi Chandra,



You must have local admin since it requires access to WMI.



Thanks,


Berny


bernyalvarado
Mega Sage

My recommendation will be to bring an expert to discuss with the respective stakeholder groups within your organization so that they can understand the fears and speak with authority into what's required and the associated risks behind each access required to perform Discovery.



Thanks,


Berny


bernyalvarado
Mega Sage

We at Volteo can help you out with that if you're interested... ! It's often step #1 in any ITOM implementation.



Thanks,


Berny


VivekSattanatha
Mega Sage

Hi Chandra,



You will lose Application dependency mapping since it requires netstat. You need local admin privilege to run netstat commands.



Regards,


Vivek