Discovery: How to discover Domain Controller machines without using a domain admin account?

Version 3

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Discovery


    COMPONENT:

    BMC Discovery 11.3


    APPLIES TO:

    BMC Discovery



    QUESTION:

    How to discover Domain Controller machines without using a domain admin account?

     


    ANSWER:

     

    Legacy ID: KA389745

      

    An administrator account is recommended for Windows scans. Without this level of permissions, only partial data is discovered. Also, the RemQuery utility can only be run as an administrator user. Without RemQuery, the scan cannot perform the following actions:

      
       
    • Get network connection information from basic discovery
    • Get files from patterns
    • Run commands from patterns
      

    For more information, see https://docs.bmc.com/docs/display/DISCO113/Windows+proxy+permissions.

    Some suggestions:

    The Domain Admin credential can be specified in a Windows AD proxy, rather than in a Discovery credential. In this way, the credentials are only owned and maintained by the Windows administrator, and are not known by Discovery in any way.

    The only other possible solution is to create a new, non-admin domain account in the DC, and then add enough rights and permissions to it to make it usable by Discovery. This would include access to some shares, such as C$ and home$, and the ability to execute administrative commands. This would not be a simple task, and BMC doesn't have guidance on everything that would be needed. There is some information about this in the doc mentioned above.
     

      
      

     


    Article Number:

    000266291


    Article Type:

    FAQ/Procedural


