This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
BMC Discovery 11.3
How to discover Domain Controller machines without using a domain admin account?
An administrator account is recommended for Windows scans. Without this level of permissions, only partial data is discovered. Also, the RemQuery utility can only be run as an administrator user. Without RemQuery, the scan cannot perform the following actions:
- Get network connection information from basic discovery
- Get files from patterns
- Run commands from patterns
For more info see https://docs.bmc.com/docs/display/DISCO113/Windows+proxy+permissions.
The Domain Admin credential can be specified in a Windows AD proxy, rather than in a Discovery credential. In this way, the credentials are only owned and maintained by the Windows administrator, and are not known by Discovery in any way.
The only other possible solution is to create a new, non-admin domain account in the DC, and then add enough rights and permissions to it to make it usable by Discovery. It would include access to some shares like C$ and home$ and to execute administrative commands. This would not be a simple task and BMC doesn't have guidance on everything that would be needed. There is some information about this in the doc mentioned above.