Setting Permissions for Active Directory Scans

Local Windows Accounts

The scanning account needs the "Access this computer from the network" user right on the endpoint. On the Windows builds listed in step 5, it must additionally be allowed to make remote calls to the Security Accounts Manager (SAM), which by default only members of the local Administrators group may do:

  1. Open the local group policy editor (gpedit.msc).

  2. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  3. Double-click the Access this computer from the network policy. The properties for the policy appear.

  4. Ensure the scanning account is one of the listed users. If not, click the Add User or Group button to add it.

  5. Check whether your system matches any of the following operating systems and updates. On these systems, remote SAM calls are accepted only from principals allowed by the Network access: Restrict clients allowed to make remote calls to SAM policy, which by default permits only the local Administrators group. If your system matches, ensure the scanning account is allowed by that policy, either directly or through a group it belongs to:

    • Windows 10, version 1607 and later
    • Windows 10, version 1511 with KB 4103198 installed
    • Windows 10, version 1507 with KB 4012606 installed
    • Windows 8.1 with KB 4102219 installed
    • Windows 7 with KB 4012218 installed
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2 with KB 4012219 installed
    • Windows Server 2012 with KB 4012220 installed
    • Windows Server 2008 R2 with KB 4012218 installed
    For more information on this security issue, see Network access: Restrict clients allowed to make remote calls to SAM.
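
The following PowerShell script is an added example and is not code from the Verify Privilege Vault documentation. It shows how to check, on an endpoint, whether the scanning account is allowed to make remote SAM calls, and how to grant that access locally. The restriction from step 5 is stored as an SDDL string in the RestrictRemoteSam value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; when the value is absent, the affected builds apply the built-in default O:BAG:BAD:(A;;RC;;;BA), which allows only Administrators. The account name CORP\svc-discovery is an assumption; the function names are the author's own.

```powershell
# Added example (not from the product documentation). Run in an elevated session on the endpoint.
# Checks and optionally grants the scanning account remote SAM access by editing the SDDL that
# the "Network access: Restrict clients allowed to make remote calls to SAM" policy controls.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DefaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'   # documented default: Administrators only

function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Test-RemoteSamAccess {
    # Parses the effective RestrictRemoteSam SDDL and reports whether $Sid has an allow ACE
    # carrying READ_CONTROL (RC), which is the access SAM checks for remote callers.
    param([Parameter(Mandatory)][string]$Sid)
    $sddl = (Get-ItemProperty -Path $LsaKey -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
    $configured = [bool]$sddl
    if (-not $sddl) { $sddl = $DefaultSddl }     # value absent: the OS default applies
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $Sid -and
            ($ace.AccessMask -band 0x20000)) {   # 0x20000 = READ_CONTROL
            $allowed = $true
        }
    }
    [pscustomobject]@{ Configured = $configured; Sddl = $sddl; Allowed = $allowed }
}

function Grant-RemoteSamAccess {
    # Appends an allow ACE for $Sid to the current SDDL (or the default) and writes it back.
    # Caveat: if a GPO manages this setting, the GPO value is reapplied at the next refresh,
    # so make the change in the GPO rather than on the endpoint.
    param([Parameter(Mandatory)][string]$Sid)
    $current = (Get-ItemProperty -Path $LsaKey -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
    if (-not $current) { $current = $DefaultSddl }
    # RawSecurityDescriptor validates the string and normalises it before we store it.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new("$current(A;;RC;;;$Sid)")
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Set-ItemProperty -Path $LsaKey -Name RestrictRemoteSam -Value $newSddl -Type String
    $newSddl
}

# --- usage; the account name is an assumption ---
$account = 'CORP\svc-discovery'
$sid = Get-AccountSid $account
$result = Test-RemoteSamAccess $sid
if ($result.Allowed) {
    "$account ($sid) may make remote SAM calls. SDDL: $($result.Sddl)"
} else {
    $source = if ($result.Configured) { 'configured value' } else { 'OS default (value not set)' }
    "$account ($sid) is NOT allowed remote SAM calls by the $source. SDDL: $($result.Sddl)"
    # Uncomment to grant it on this endpoint (prefer the GPO when one manages the setting):
    # Grant-RemoteSamAccess $sid
}
```

Only direct ACEs for the account's own SID are detected; an account that is a member of BUILTIN\Administrators (SID S-1-5-32-544, the BA alias in the default SDDL) is allowed through that group even though this check reports it as not directly listed.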

Windows Services, Scheduled Tasks, App Pools, and COM+ Applications

There are special considerations for discovering service accounts that run COM+ applications; contact IBM Security for more information.

If you run discovery against Windows Server 2016 or 2019, scheduled tasks are discovered only if your instance or engine is in the same domain as the target server. On Windows Server 2016 and later, scheduled task discovery obtains only a security identifier (SID) for the user that runs each task. Verify Privilege Vault converts the SID to a username, but the conversion works only when it runs in the same domain as the scheduled task. If the SID cannot be translated, discovery does not save the scheduled task.
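
The SID-to-username step described above can be reproduced on a target server to see which tasks discovery would drop. The script below is an added example, not code from Verify Privilege Vault: it translates task principals with the .NET SecurityIdentifier API, treats the unmappable-SID case as a reported failure rather than an exception, and then lists the scheduled tasks on the local machine whose principal cannot be resolved from that machine. The sample SIDs are constructed; the domain SID among them is a placeholder that will not resolve anywhere.

```powershell
# Added example (not product code). Run on the target server to see which task principals
# that host can translate. A SID from a domain the host does not trust, or cannot reach,
# raises IdentityNotMappedException; discovery would not save such a task.

function Resolve-TaskPrincipal {
    # Maps the principal a task reports (a name, or on Server 2016+ often only a SID) to
    # DOMAIN\user. Returns Resolved = $false with a Reason instead of throwing.
    param([AllowNull()][AllowEmptyString()][string]$UserId)
    $r = [ordered]@{ UserId = $UserId; Account = $null; Resolved = $false; Reason = $null }
    if ([string]::IsNullOrEmpty($UserId)) {
        $r.Reason = 'task has no UserId (it runs under a group principal, or none)'
        return [pscustomobject]$r
    }
    if ($UserId -notmatch '^S-1-\d') {            # already a name; nothing to translate
        $r.Account = $UserId; $r.Resolved = $true
        return [pscustomobject]$r
    }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($UserId)
        $r.Account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $r.Resolved = $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $r.Reason = 'SID cannot be mapped from this host (domain unreachable or untrusted); discovery would not save this task'
    } catch {
        $r.Reason = $_.Exception.Message           # e.g. a malformed SID string
    }
    [pscustomobject]$r
}

# Constructed samples: well-known SIDs resolve on any Windows host; the S-1-5-21-... value is a
# placeholder domain SID that resolves only where that domain exists and is trusted.
$samples = @(
    'S-1-5-18',                                             # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',                                         # BUILTIN\Administrators
    'S-1-5-21-1111111111-2222222222-3333333333-1105',       # placeholder domain user
    'CORP\svc-batch'                                        # already a name
)
$samples | ForEach-Object { Resolve-TaskPrincipal $_ } | Format-Table -AutoSize

# Against the real task store on this server: tasks whose principal this host cannot translate.
Get-ScheduledTask | ForEach-Object {
    $res = Resolve-TaskPrincipal $_.Principal.UserId
    [pscustomobject]@{
        Task      = $_.TaskPath + $_.TaskName
        Principal = $res.Account
        Resolved  = $res.Resolved
        Reason    = $res.Reason
    }
} | Where-Object { -not $_.Resolved } | Format-Table -AutoSize
```

Running this from a machine in the same domain as the target resolves the domain SIDs; running it from a host in an untrusted domain reproduces the failure the documentation describes, which is why the instance or engine must sit in the target's domain.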

To scan for service accounts, the account you enter must be a domain account that is a member of the local Administrators group on the target machines. Follow the steps below to grant that membership through group policy and to confirm the account has the privileges needed for a successful scan:

  1. Open the group policy editor for your domain policy.

  2. Go to Computer Configuration > Preferences > Control Panel Settings.

  3. Right-click Local Users and Groups and select New > Local Group.

  4. Leave the Action dropdown list set to Update.

  5. In the Group name dropdown list, select Administrators (built-in).

  6. In the Members section, click the Add… button.

  7. Search for the account you will use for discovery scanning.

  8. Click the OK button to save your changes. The next time group policy refreshes across your environment, the discovery account is a member of the local Administrators group on each machine in scope.

  9. For stronger security, configure group policy to limit the logon privileges of that account so that it can be used only over the network:

    1. Open the group policy editor.

    2. For your domain policy, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

    3. Add your discovery account to the Deny log on locally policy.

    4. Add your discovery account to the Deny log on through Remote Desktop Services policy.

    5. (Optional) Ensure the account is not a member of the Remote Desktop Users group.
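
The script below is an added example and is not part of the Verify Privilege Vault documentation. It produces, on a single target host, the same end state as steps 1 through 9 above: the discovery account is a local Administrator but is denied local and Remote Desktop logon, and is not in Remote Desktop Users. It is useful for testing the settings on one machine before rolling out the GPO, or for hosts outside the GPO's scope. The account name CORP\svc-discovery is an assumption, and the helper function is the author's own; it uses secedit because Windows ships no cmdlet for user rights assignments.

```powershell
# Added example (not product code). Run in an elevated session on the target host.
# Caveat: where a GPO manages these settings, the GPO value is reapplied at the next refresh,
# so use this to test or for unmanaged hosts, and put the permanent change in the GPO.

$Account = 'CORP\svc-discovery'   # assumed discovery account
$Sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Add-UserRightAssignment {
    # Adds $Sid to a user right without disturbing the principals already assigned to it.
    # secedit /configure replaces a right's whole list, so export, merge, then import.
    param([Parameter(Mandatory)][string]$Right, [Parameter(Mandatory)][string]$Sid)
    $work = Join-Path $env:TEMP ("ura-{0}" -f [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        $export = Join-Path $work 'export.inf'
        & secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
        $line = Get-Content $export | Where-Object { $_ -match "^\s*$Right\s*=" }
        $current = @()
        if ($line) {
            # Exported entries look like "SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-..."
            $current = @((($line -split '=', 2)[1].Trim() -split ',') |
                         ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        if ($current -contains "*$Sid") { return "$Right already contains $Sid" }
        $merged = (@($current) + "*$Sid") -join ','
        $template = Join-Path $work 'apply.inf'
        @(
            '[Unicode]', 'Unicode=yes',
            '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
            '[Privilege Rights]', "$Right = $merged"
        ) | Set-Content -Path $template -Encoding Unicode
        $db = Join-Path $work 'apply.sdb'
        & secedit.exe /configure /db $db /cfg $template /areas USER_RIGHTS | Out-Null
        "$Right = $merged"
    } finally {
        Remove-Item $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# 1. Local Administrators membership (equivalent of the GPP Local Group item in steps 3 to 8).
$isAdmin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
           Where-Object { $_.SID.Value -eq $Sid }
if (-not $isAdmin) { Add-LocalGroupMember -Group 'Administrators' -Member $Account }

# 2. Deny interactive and Remote Desktop logon (step 9). The account can still authenticate
#    over the network, which is all discovery needs.
Add-UserRightAssignment -Right 'SeDenyInteractiveLogonRight'       -Sid $Sid
Add-UserRightAssignment -Right 'SeDenyRemoteInteractiveLogonRight' -Sid $Sid

# 3. Optional: make sure it is not in Remote Desktop Users. The deny right above takes
#    precedence anyway, but the membership would be misleading.
$inRdp = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
         Where-Object { $_.SID.Value -eq $Sid }
if ($inRdp) { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $Account }

# 4. Verify the effective policy now lists the account's SID on both deny rights.
$check = Join-Path $env:TEMP 'verify-rights.inf'
& secedit.exe /export /cfg $check /areas USER_RIGHTS | Out-Null
Get-Content $check | Where-Object { $_ -match '^SeDeny(Interactive|RemoteInteractive)LogonRight' }
Remove-Item $check -ErrorAction SilentlyContinue
```

Deny rights always override the corresponding allow rights, so even if the account inherits "Allow log on locally" through Users or Administrators, the two deny assignments prevent console and RDP sessions while leaving network logon (and therefore remote service, task and SAM enumeration) intact.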