In my company there are computers in a domain as well as computers which are not in domain.
While discovering network using domain administrator we have all needed data and all is fine.
But in case of using a local administrator on computers which are in the domain, discovery doesn't work.
We are using local admin credentials in the following format: ".\administrator"
DCOM and WMI are enabled on those PCs.
In case of switching off User Access Control (UAC) on local PCs - credentials are passed and discovery works.
How can we discover these PCs using local admin credentials and NOT switch off UAC?
Can anyone advise on this matter?
Interesting concept, but wouldn't it be easier to just add a domain user account to the local admin group and use that account as your discovery account?
We cannot add domain user account to the local admin group because computer(s) is/are not on domain.
Using the WMI script.
You mean using orchestration? Is that the only way to resolve my issue? Or are there some other ways?
Not at all.. The WMI script can be run locally on the machine if you have an absolute requirement of NOT shutting off UAC and ONLY having a local account. You can run that script on a schedule locally to discover the machine from the inside.
Discovery of a domain computer with a local admin account should also work just fine (no UAC).. as is discovering a domain computer with a domain user that has local admin privileges.. You should have no reason to utilize a Domain Administrator, unless of course you wanted to.. but again, not necessary
So the algorithm is the following:
- run the shell script on those PCs and save the data to a .txt file
- move this file to MID server
Now MID server has, for example, 20 .txt files from 20 PCs.
- MID server should open and parse this file (HOW to do that?? Probably Import Sets by schedule ?? If so - how to know where each value from file should be stored in a specific column in DB)
The shell script? Not at all.. The script (JavaScript) itself will report directly to the instance. Have a read of this link.. should help the understanding...
We have found a way to resolve our issue by enabling remote UAC:
There is a parameter that needs to be added to the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
The parameter is a DWORD (32-bit) named LocalAccountTokenFilterPolicy, set to 1.
All is ok right now as per our requirements.
But is there any objections/risks using this approach?
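The registry change described in the post above, as an added PowerShell example that is not part of the thread or of any ServiceNow documentation. It reads the current LocalAccountTokenFilterPolicy value, sets it, and returns a before/after record so the change is auditable; the function names and the use of an elevated session on the target PC are assumptions.

```powershell
# Added example (not from the thread): inspect and set LocalAccountTokenFilterPolicy,
# the value the thread uses to let a local administrator account pass UAC remotely.
# Assumes an elevated PowerShell session on the PC being configured.

$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # Returns the current value; an absent value behaves like 0 (UAC remote restrictions in force).
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$name
}

function Set-RemoteUacState {
    param([ValidateSet(0, 1)][int]$Value)
    $before = Get-RemoteUacState
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # DWord (32-bit), as the thread specifies; -Force overwrites an existing value.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
    $after = Get-RemoteUacState
    # Return a record that can be logged or collected centrally for change tracking.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Before    = $before
        After     = $after
        ChangedAt = (Get-Date).ToString('o')
    }
}

# Usage: enable for discovery as in the thread (1); set 0 to restore the default filtering.
Set-RemoteUacState -Value 1 | Format-List
```

On the risk the post asks about: with the value at 1, every member of the local Administrators group receives a full administrative token over the network instead of the filtered one, so a compromised local admin credential is usable for remote administration of every PC that shares it. The usual mitigations are a unique local administrator password per machine (for example via LAPS), firewall rules that allow DCOM/WMI only from the MID server, and logging of successful remote logons by local accounts so that use from anywhere other than the MID server stands out.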