Account Permissions for Discovery
Entra ID
The Application Registration (mapped to an Azure Application Registration Secret) used for Entra ID Discovery must be assigned the following roles:
- EntitlementManagement.Read.All
- RoleManagement.Read.Directory
- User.Read.All
Unix
Local Accounts
The scanning account needs to be able to connect over SSH and read the contents of /etc/passwd. If Discovery needs to take over an account, the scanning account will also need the ability to run sudo passwd <username>. The passwd command is used for this, and the default local settings will apply.
SSH Public Keys
The scanning account needs the ability to log in and execute sudo without a password prompt.
ESXi
The scanning account needs Shell Access and the Query VRM Policy permission.
Local Windows Accounts
The scanning account needs the Access this computer from the network permission (and possibly one more) on the endpoint:
- Access the Windows command line and run gpedit.msc. The Local Group Policy Editor window will open.
- Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Double-click the Access this computer from the network policy. The properties for the policy appear.
- Ensure the scanning account is one of the listed users. If not, click the Add User or Group button to add it.
  Modifying this policy may overwrite or remove access to the device for remote processes. This policy is not usually configured by default, so any existing inherited permissions could be overwritten.
- Look at the following list of operating systems and updates to determine if any of them match your system:
  - Windows 10, version 1607 and later
  - Windows 10, version 1511 with KB 4103198 installed
  - Windows 10, version 1507 with KB 4012606 installed
  - Windows 8.1 with KB 4102219 installed
  - Windows 7 with KB 4012218 installed
  - Windows Server 2019
  - Windows Server 2016
  - Windows Server 2012 R2 with KB 4012219 installed
  - Windows Server 2012 with KB 4012220 installed
  - Windows Server 2008 R2 with KB 4012218 installed
  For more information on this security issue, see Network access: Restrict clients allowed to make remote calls to SAM.
- If you found a match, do the following:
  - Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  - Double-click the Network access: Restrict clients allowed to make remote calls to SAM policy. The policy properties appear.
  - Click the Edit Security button to select an account for the Security descriptor text box. The Security Setting for Remote Access to SAM dialog box appears.
  - Ensure the scanning account is present (if not, add it).
  - Click the account in the Group or user names list. The permissions for that account appear.
  - Ensure the Allow checkbox next to the Remote Access permission is selected.
  - Click the OK button.
Windows Services, Scheduled Tasks, App Pools, and COM+ Applications
To scan for service accounts, the account entered must be a domain account that is in the Administrators group on the target machine(s). Follow the instructions below in either case to ensure your account has the appropriate privileges to run a successful scan:
- Access the Windows command line and run gpedit.msc. The Local Group Policy Editor window will open.
- Go to Computer Configuration > Preferences > Control Panel Settings.
- Right-click Local Users and Groups and select New > Local Group.
- Leave the Action dropdown list set to Update.
- Select Administrators (Built-in) in the Group Members drop-down list.
- Click the Add… button.
- Search for the account you will use for Discovery scanning.
- Click the OK button to save your changes.
  The next time the group policy updates across your environment, the discovery account will be a part of the local Administrators group.
- For stronger security, we suggest configuring the group policy to limit the login privileges of the Discovery account. This will also require you to use a different account (separate from the discovery account) to rotate dependencies.
  - Access the Windows command line and run gpedit.msc. The Local Group Policy Editor window will open.
  - For your domain policy, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  - Add your discovery account to the Deny log on locally policy.
  - Add your discovery account to the Deny log on through Remote Desktop Services policy.
  - (Optional) Ensure the account is not part of the Remote Desktop Users group.
- Do not put dependency changers in these policies:
  - Deny access to this computer from the network.
  - Deny log on locally.
- We recommend putting dependency changers in these policies:
  - Deny log on as a batch job.
  - Deny log on as a service.
  - Deny log on through Remote Desktop Services.
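As an added verification aid (not part of the original documentation), the following PowerShell script checks on an endpoint the settings the two Windows sections above grant or deny for a given discovery account: the Access this computer from the network right, Remote Access in the Restrict clients allowed to make remote calls to SAM descriptor, local Administrators membership, and the two Deny log on rights. It assumes an elevated session on the target machine and that the name passed as -Account resolves there; grants inherited through group membership are not resolved, so a false result means the account is not listed directly.

```powershell
# Added example, not from the original documentation. Run elevated on the endpoint.
# Assumption: $Account resolves on this machine, e.g. 'CONTOSO\svc-discovery' (placeholder).
param([Parameter(Mandatory)][string]$Account)

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective local security policy once. User rights appear as
# "SeRight = *S-1-5-...,*S-1-5-..." (unresolved names are listed without the '*').
$cfg = Join-Path $env:TEMP 'discovery-secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue

function Test-UserRight([string]$Right) {
    # True only if the SID (or the account name) is listed directly for the right;
    # a grant via a group such as Authenticated Users is not expanded here.
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return $false }
    $members = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    return [bool]($members | Where-Object { $_ -eq $sid -or $_ -eq $Account })
}

# RestrictRemoteSam stores the SAM remote-access policy as an SDDL string. When the
# value is absent, Windows applies the built-in default O:BAG:BAD:(A;;RC;;;BA),
# which grants Remote Access to local Administrators only.
$sddl = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictRemoteSam `
         -ErrorAction SilentlyContinue).RestrictRemoteSam
if (-not $sddl) { $sddl = 'O:BAG:BAD:(A;;RC;;;BA)' }
$acl = (New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)).DiscretionaryAcl
$remoteSam = [bool]($acl | Where-Object {
    $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier.Value -eq $sid -and
    ($_.AccessMask -band 0x20000) -eq 0x20000 })   # 0x20000 = READ_CONTROL = "Remote Access"

# Direct membership in the local Administrators group (nested groups are not expanded).
$isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                       Where-Object { $_.SID.Value -eq $sid })

[pscustomobject]@{
    Account                       = $Account
    AccessThisComputerFromNetwork = Test-UserRight 'SeNetworkLogonRight'
    RemoteSamAccess               = $remoteSam
    LocalAdministrator            = $isLocalAdmin
    DenyLogOnLocally              = Test-UserRight 'SeDenyInteractiveLogonRight'
    DenyLogOnThroughRDS           = Test-UserRight 'SeDenyRemoteInteractiveLogonRight'
}
```

For a service-account scan the expected result is true for the first three fields; if you applied the hardening steps, the two Deny fields should also be true.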