Permission on Domain Controller

  • Question

  • Hi,

    My customer is extremely concerned about the use of a domain admin account to run MAP (5.0) against the domain controller. They want to know what specific permissions they can give to a non-domain account to allow MAP to work.

    Please advise.

    Spencer

    Tuesday, August 10, 2010 6:31 AM

Answers

  • MAP uses WMI (Windows Management Instrumentation) to gather inventory information from computers and by default an admin account is required to connect to WMI. Although it is possible to change these permissions, this is an atypical configuration and is not something the MAP team tests. I did a little research to find information about changing these permissions and included what I found below, but be aware that I have not tried this out myself and I can't speculate on the possible side effects of making these changes.

    You can change the permissions required to connect to WMI using the WMI Control UI, in particular see these articles:

    http://technet.microsoft.com/en-us/library/cc731011.aspx

    http://technet.microsoft.com/en-us/library/cc753706.aspx

    However, just because an account can connect to a WMI namespace doesn't mean that the account can access all the information exposed in that namespace because permissions on the objects being accessed may still require administrative rights. This follows from this quote from the first link above:

    "Windows Management Instrumentation (WMI) supports a limited form of security that validates each user before the user is allowed to connect to WMI, on a remote or local computer. This security is layered on top of operating system security. WMI does not override or circumvent security provided by the operating system."

    Performance data is collected via a remote interface to the Windows Registry and by default this interface requires an admin account in order to access the data. I found this old support article (http://support.microsoft.com/default.aspx?scid=kb;en-us;164018) that describes changing the permissions required to access this data, but I'm not sure if this information still applies to more current OSes.

    • Marked as answer by kysq Tuesday, September 7, 2010 11:04 AM
    Wednesday, August 11, 2010 4:23 PM
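    A pre-flight check that exercises the three access paths the answer above separates (WMI namespace connection, object-level reads inside the namespace, and the remote registry interface used for performance data), so a reduced-privilege account can be verified against one domain controller before MAP is pointed at it. This is an added example, not code from the thread or from the MAP team; the host name is a placeholder, and the script is assumed to be run as the candidate account itself (for instance from a "runas /user:CORP\map-inventory powershell.exe" window) after that account has been granted the WMI Control and winreg permissions described in the linked articles.

```powershell
# Added example (not from the thread). Run as the candidate low-privilege account
# against one domain controller; $dc is a placeholder name you replace.
param([string]$dc = 'DC01.corp.example')   # placeholder domain controller

$results = @()
function Test-Step([string]$name, [scriptblock]$action) {
    # Record OK/FAIL per access path so the exact failing layer is visible.
    try {
        $null = & $action
        $script:results += New-Object PSObject -Property @{ Check = $name; Result = 'OK'; Detail = '' }
    } catch {
        $script:results += New-Object PSObject -Property @{ Check = $name; Result = 'FAIL'; Detail = $_.Exception.Message }
    }
}

# 1. Namespace connection: WMI Control "Enable Account" + "Remote Enable" on root\cimv2.
Test-Step 'WMI connect root\cimv2' {
    Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OperatingSystem -ComputerName $dc -ErrorAction Stop
}

# 2. Object-level reads: as the answer notes, connecting is not enough, because
#    the providers still enforce operating-system ACLs on what they expose.
Test-Step 'Inventory classes' {
    foreach ($class in 'Win32_ComputerSystem', 'Win32_Processor', 'Win32_LogicalDisk', 'Win32_Service') {
        $null = Get-WmiObject -Class $class -ComputerName $dc -ErrorAction Stop
    }
}

# 3. Remote registry interface, governed by the ACL on the winreg key.
Test-Step 'Remote registry' {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    if ($key -eq $null) { throw 'winreg connected but the subkey read was denied' }
    $key.Close(); $hklm.Close()
}

# 4. Performance counters: PDH reads them through the same remote registry path
#    the answer says MAP uses for performance data.
Test-Step 'Performance counters' {
    Get-Counter -ComputerName $dc -Counter '\Processor(_Total)\% Processor Time' -ErrorAction Stop
}

$results | Format-Table Check, Result, Detail -AutoSize
```

A FAIL in step 1 points at the namespace security set in WMI Control, a FAIL in step 2 with step 1 OK points at object-level rights the account still lacks, and a FAIL in step 3 or 4 points at the winreg key permissions rather than at WMI.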

All replies

  • Just to make sure I understand the scenario, I have a few clarifying questions:

    1. Is this in the context of using Active Directory to discover computers? This is what happens when you select "Use Active Directory Domain Services (AD DS)" on the "Discovery Methods" page in the Inventory and Assessment Wizard.
    2. Or, is this in the context of selecting "Exchange Server" on the "Inventory Scenarios" page of the Inventory and Assessment Wizard?  Here the description says "This inventory scenario uses Active Directory Domain Services (AD DS) ... to collect information about Microsoft Exchange Server..."
    3. Or, is this an objection to specifying a domain admin account in MAP altogether?


    Tuesday, August 10, 2010 5:19 PM
  • Just to clarify, we are performing inventory as well as performance metric collection.

    It is more like 3. For all other servers, we can use a domain account (non-domain admin) with local admin rights. However, to target domain controllers, I presume this means a domain admin account (since there is no local account).

    In short, what specific permission do we need in order to discover, inventorize and to gather perf-metric from a domain controller?

    Wednesday, August 11, 2010 2:45 AM