ServiceDesk Plus needs a domain Admin account

Barwa
In order for AdventNet ServiceDesk Plus to work and be able to discover machines and users on our Windows Server 2003 domain, it requires a domain admin account.

Is that absolutely necessary?
Can we keep it running with a normal domain user account?

Regards
Awarded 2009
Top Expert 2010

Commented:
It doesn't need a domain admin account; it just needs an account that can read from Active Directory.
bluntTony, Head of ICT
Top Expert 2009

Commented:
I'm sure you would be able to run under a non-admin account, providing that you delegate all the required rights that AdventNet needs to perform all of its tasks.
You can delegate the right to reset passwords, unlock accounts, etc., but like I say, it depends on all the required tasks.
Tony

Awarded 2009
Top Expert 2010
Commented:
All AdventNet needs is to search these users from AD to provide integrated authentication - is that what you are referring to, Barwa?
I use AdventNet and we use a standard user to update requester information from Active Directory.

We don't even delegate the permissions.

Author

Commented:
Thanks for the prompt response, but the application did not require unless we provide a domain admin account!

Author

Commented:
Sorry, my last post should read "......did not work unless we provide ......"

Commented:
I have no knowledge of this product, so leaving to demazter and others.
Awarded 2009
Top Expert 2010

Commented:
On which screen are you entering a domain admin account?
I have just imported user information using a test account with 100% success.

Account is a member of Domain Users only.
adventnet.jpg
Awarded 2009
Top Expert 2010

Commented:
Sorry, forgot the in-process screenshot.
adventnet2.jpg
bluntTony, Head of ICT
Top Expert 2009

Commented:
I was speaking generally - no specific knowledge of this software so over to Demazter :-)

Author

Commented:
I am referring to the below screen.

I am not sure where I can find the screen you have posted.



Asset-Discovery.JPG
Awarded 2009
Top Expert 2010
Commented:
OK that's the asset scan which requires access to the WMI on the local computers.
For this the user either needs to be a domain admin or a member of the administrator local group on the computers.

You can set up a user, add them to an AdventNet security group on your domain and then use Group Policy to place that group into the local administrator group on each computer.

Author

Commented:
Thank you demazter, but in either case that user will end up with full access to each and every machine in the domain; that is a big security concern for us.

Frankly, I don't think it's a good idea to trust applications like this to have unrestricted access to our machines.
Awarded 2009
Top Expert 2010
Commented:
The other option is to not use the asset management part of the software, the company I support that has AdventNet also use System Centre Configuration Manager.

I am afraid the information detailed above is the only option.
bluntTony, Head of ICT
Top Expert 2009
Commented:
Oh, in that case (generally speaking again, of course), you could look at managing WMI security via group policy.

The reason it's asking for Domain Admin privileges is because members of this group have local admin access to all machines and can access WMI remotely.
There isn't (to my knowledge) any native way to set WMI policy via GPO. You can do it locally on a machine using wmimgmt.msc, and I found this method of outputting the DACL of a test machine and applying this to other machines using a script, pushed out via GPO. I have to say I haven't tested this, so make sure you do. If you mess up WMI permissions across your network there will be tears! :-)

http://blogs.msdn.com/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-script.aspx
This way you can grant access to WMI without giving full admin access to the machines.
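
Added example, not part of the original thread or the linked blog post: an audit of a WMI namespace DACL that shows which trustees hold Remote Enable, so a delegated scan account can be checked before and after a change like the one described above. It assumes Windows PowerShell 5.1 run elevated on the machine being checked; the `root\cimv2` default is an assumption.

```powershell
# Added example: list the DACL of a WMI namespace with decoded rights.
# Assumption: run elevated in Windows PowerShell 5.1 on the machine to audit.
param(
    [string]$Namespace = 'root\cimv2'   # assumed default; pass another namespace if needed
)

# WMI namespace access-mask bits (WBEM_* constants)
$Rights = @{
    0x00001 = 'EnableAccount'
    0x00002 = 'ExecuteMethods'
    0x00004 = 'FullWrite'
    0x00008 = 'PartialWrite'
    0x00010 = 'ProviderWrite'
    0x00020 = 'RemoteEnable'
    0x20000 = 'ReadSecurity'
    0x40000 = 'EditSecurity'
}

# __SystemSecurity is the singleton that exposes the namespace security descriptor
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                           -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor failed with code $($result.ReturnValue)"
}

foreach ($ace in $result.Descriptor.DACL) {
    # Decode every bit set in this ACE's access mask
    $granted = $Rights.Keys | Sort-Object |
        Where-Object { $ace.AccessMask -band $_ } |
        ForEach-Object { $Rights[$_] }

    [pscustomobject]@{
        Trustee      = if ($ace.Trustee.Domain) {
                           "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                       } else { $ace.Trustee.Name }
        Type         = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        Inherited    = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
        RemoteEnable = [bool]($ace.AccessMask -band 0x20)
        Rights       = $granted -join ','
    }
}
# Note: remote WMI also depends on DCOM launch/activation permissions,
# which this script does not inspect.
```

A delegated scan account that follows least privilege should show up here with EnableAccount and RemoteEnable only, and without any of the write or EditSecurity rights.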

Author

Commented:
So it's either take it or leave it when it comes to third party software.
We tend to trust MS software because we don't have a choice, but when it comes to 3rd party software we have to think twice.

Thanks
