Originally Posted by DM-AVAL
I'm managing a situation where an application (more details in link below) apparently needs access to WMI for discovery purposes (creation of inventory, business map, and so forth). The easy solution is to make the service account used a member of the local administrators group (already questionable) and domain admins group on domain controllers.
https://community.servicenow.com/community?id=community_question&sys_id=30c347a5dbd8dbc01dcaf3231f96199a
Ideally, from a security best practices perspective (least privilege), we would simply exclude domain controllers from discovery but if that is not possible for whatever reason (politics), I would prefer to grant read-only access to WMI rather than making the account used a member of domain admins.
Has anyone had to do this?
It looks like "authenticated users" already has read access to WMI but the application may have to authenticate as a specific account - from what I'm reading.
More here too: https://docs.servicenow.com/bundle/geneva-it-operations-management/page/product/discovery/reference/r_PermissionReqWinCredentials.html
So would I create a simple domain user account but grant them explicit read-only access to WMI?
EDIT - it looks like there are other locations too: the registry, for example.
As usual, thanks in advance!
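One way to do the read-only WMI grant the question asks about, as an added example that is not part of the original post or of the ServiceNow documentation: it uses the WMI `__SystemSecurity` class to add an ACE carrying only Enable Account and Remote Enable for a dedicated account, then lists the namespace ACL so the result can be reviewed. The account name and namespace are placeholders; run it elevated on the host being configured.

```powershell
# Added example (not from the original post): grant a plain domain account
# read-only remote access to a WMI namespace instead of admin membership.
# $Account and $Namespace are assumed placeholder values.
param(
    [string]$Account   = 'CONTOSO\svc-discovery',   # assumed discovery service account
    [string]$Namespace = 'root\cimv2'                # assumed namespace the tool queries
)

# WMI namespace access-mask bits (WbemCli.h). 0x1 + 0x20 is read-only remote access;
# the write bits (0x4, 0x8, 0x10) and WRITE_DAC (0x40000) are deliberately left out.
$WBEM_ENABLE        = 0x1     # Enable Account
$WBEM_REMOTE_ACCESS = 0x20    # Remote Enable
$CONTAINER_INHERIT  = 0x2     # AceFlags: apply to sub-namespaces as well
$ReadOnlyMask       = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

$domain, $user = $Account -split '\\', 2
# Resolve the account so the ACE carries a real SID (also fails early on a typo).
$acct = Get-WmiObject -Class Win32_Account -Filter "Domain='$domain' AND Name='$user'"
if (-not $acct) { throw "Account $Account not found" }

# Read the namespace's current security descriptor.
$get = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($get.ReturnValue)" }
$sd = $get.Descriptor

# Build the trustee and an access-allowed ACE with only the two read bits.
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.Domain = $domain; $trustee.Name = $user; $trustee.SIDString = $acct.SID
$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = $ReadOnlyMask
$ace.AceFlags   = $CONTAINER_INHERIT
$ace.AceType    = 0           # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

# Replace any existing ACE for this account so rights are not silently accumulated.
$sd.DACL = @($sd.DACL | Where-Object { $_.Trustee.SIDString -ne $acct.SID }) + $ace.psobject.immediateBaseObject
$set = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name SetSecurityDescriptor `
    -ArgumentList $sd.psobject.immediateBaseObject
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }

# Review step: decode every ACE on the namespace and flag any that exceed read-only.
$check = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor
$check.Descriptor.DACL | ForEach-Object {
    [pscustomobject]@{
        Trustee  = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
        Mask     = '0x{0:X}' -f $_.AccessMask
        ReadOnly = (($_.AccessMask -band -bnot $ReadOnlyMask) -eq 0)
        Inherits = (($_.AceFlags -band $CONTAINER_INHERIT) -ne 0)
    }
} | Format-Table -AutoSize
```

This only covers the WMI namespace ACL; the DCOM remote-activation permission and the registry paths the linked documentation lists are separate grants and are not touched here.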