Forum Discussion

Joe_Tran
Advisor
9 years ago

Disable ad_pdh and ad_wmi tasks when the collector is installed with the local system account.

We install our Windows Collectors with the Local System account (our environment unfortunately contains multiple domains without transitive trusts) and rarely define WMI credentials unless we need that information.

The Active Discovery tasks that use PERFMON or WMI (ad_pdh & ad_wmi) are still trying to beat against our monitored Windows Servers with said Local System account and it's causing my Windows Server admins to complain to me that their security logs are filling up.

I've taken the extreme measure of going through all of our isWindows() datasources/eventsources and updating them to not apply unless wmi.pass is explicitly defined or the collector is installed (wmi.pass || hasCategory("Collector")).

The collector software should be able to programmatically differentiate between Local System and any other account and, when installed with Local System, not perform those Active Discovery tasks unless the device has wmi.pass.
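One way the requested guard could look, as an added example that is not LogicMonitor's collector code and not part of the original post. It assumes the collector's identity is the identity of the current PowerShell process, that device properties are handed in as a hashtable keyed by property name (both hypothetical), and that the check happens before an ad_wmi/ad_pdh style probe is launched.

```powershell
# Added example (hypothetical, not LogicMonitor code): skip WMI/PERFMON Active
# Discovery against a device when the collector runs as Local System and the
# device has no explicit wmi.pass property.

function Test-RunningAsLocalSystem {
    # Local System is the well-known SID S-1-5-18; IsSystem is the same check
    # exposed by WindowsIdentity. Either is enough, both are shown for clarity.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return ($id.IsSystem -or ($id.User.Value -eq 'S-1-5-18'))
}

function Test-WmiDiscoveryAllowed {
    param(
        # Device properties as a hashtable, e.g. 'wmi.user', 'wmi.pass' (assumed shape).
        [Parameter(Mandatory)] [hashtable] $DeviceProperties,
        # Defaults to the real process identity; overridable so the logic can be
        # exercised without actually running as Local System.
        [bool] $CollectorIsLocalSystem = (Test-RunningAsLocalSystem)
    )

    # Explicit WMI credentials on the device: the probe can authenticate, run it.
    if (-not [string]::IsNullOrEmpty($DeviceProperties['wmi.pass'])) {
        return $true
    }

    # No credentials and the collector is Local System: the remote host would be
    # hit with the collector machine's own identity, which cannot succeed across
    # untrusted domains and only generates logon-failure noise there. Skip it.
    if ($CollectorIsLocalSystem) {
        return $false
    }

    # No wmi.pass but the service runs as some domain/service account: its own
    # credentials may be valid on the target, so leave the existing behaviour.
    return $true
}

# Constructed sample devices (not real hosts) to show both outcomes.
$devices = @(
    @{ 'system.hostname' = 'srv-a.example.local'; 'wmi.user' = 'svc_mon'; 'wmi.pass' = 'x' },
    @{ 'system.hostname' = 'srv-b.example.local' }
)

foreach ($d in $devices) {
    # Force the Local System case so the example behaves the same on any machine.
    $run = Test-WmiDiscoveryAllowed -DeviceProperties $d -CollectorIsLocalSystem $true
    '{0}: run WMI discovery = {1}' -f $d['system.hostname'], $run
}
```

Run with `-CollectorIsLocalSystem $true` the first device (explicit wmi.pass) is probed and the second is skipped; drop that parameter and the decision follows whatever account the script itself is running under.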