Forum Discussion

Barb (Advisor), 4 months ago, Solved

Least-privilege script to set permissions on services for a non-admin account.

With the new security push for us to use non-admin accounts: if anyone would like it, I have a script that can run on domain servers and one for workgroup servers. It iterates through all services and applies the correct SDDL for the least-privilege account. Extract these to c:/temp, add your list of servers (or, for the workgroup version, add the single server to serverlist.txt) and then run RunScript.ps1.

You'll need a local admin account to run it with for a workgroup server.

You'll need a DA account to run it for a list of domain servers.


PM me if you are interested ;)

  • Hi Suzanne, it's a one-time process. Any time you provision a new server, though, it will need to be run as part of your provisioning process.

  • Morning folks... I'm at the beginning of a new deployment and am with an MSP... so we're about to deploy exactly this at scale. We're avoiding local admin as well and are working out how to get WMI to respond correctly without granting full access to every machine.

    A primary reason domain admin is such a security risk is that it grants local admin through group memberships to every machine. Having that happen manually seems to undermine the initiative of "least" privilege, so we're pushing through the effort of finding the correct and reproducible way to grant read access to WMI without having to resort to any manual processes.

    I potentially have a few thousand of these to do since we have to make changes to every device we're bringing into our fresh portal. Ideally, I'd like to find a way to be able to push this from the LM interface itself once the collector is set up in the environment. Not sure how I'm going to implement that yet, but with the service itself running under a "just enough access" cred, it will probably need to access a domain admin account just for this effort.

    In the past, I've used property sources to use as scheduled task types of scripts... they don't need to pull any metrics, and can just write a status update into a property on each device once completed.  I'll most likely deploy this way once we figure out the magic sauce for the WMI class access without having to manually open XP era admin tools.

  • I should also add... we're trying to avoid anything that isn't manageable via domain group memberships... so we'll need to have any changes to access locally happen via a domain-level group... that way, new deployments will be identical from customer environment to customer environment regardless of account naming conventions or varying customer requirements for such things.

  • SuzanneShaw (Community Manager)

    Barb, this is super helpful insight. How often do you find you need to do this? Like, is this a one-time process, or is it something you have to repeat?

    • Cole_McDonald (Professor)

      Based on how the script from LM works... any new software that runs from a service that needs to be monitored will need the SDDL applied to it as well... so we have a version of our final script in our RMM that runs and searches for services that don't match the SDDL and adds it for them.
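The loop Cole describes (find services missing the ACE and add it), written out here as an added example rather than the script from the post. It grants a domain group read-only service rights, in line with the domain-group approach above; the group SID is a placeholder, and it assumes sc.exe is on PATH and the session is elevated on the target server.

```powershell
# Added example, not the script from the post. Run elevated on the server;
# the group SID is a placeholder for your own domain group's SID.
param(
    [string]$GroupSid = 'S-1-5-21-0-0-0-PLACEHOLDER',
    [switch]$ReportOnly
)

# Read-only service rights: query config (CC), query status (LC),
# enumerate dependents (SW), interrogate (LO), read security descriptor (RC).
$Ace = "(A;;CCLCSWLORC;;;$GroupSid)"

function Get-ServiceSddl([string]$Name) {
    # 'sc.exe sdshow' prints a blank line followed by the SDDL string.
    $out = & sc.exe sdshow $Name 2>&1
    $out | Where-Object { "$_" -match '^D:' } | Select-Object -First 1
}

function Add-DaclAce([string]$Sddl, [string]$Ace) {
    # Append the ACE to the DACL; keep any SACL ('S:...') section after it.
    $i = $Sddl.IndexOf('S:')
    if ($i -lt 0) { return $Sddl + $Ace }
    return $Sddl.Substring(0, $i) + $Ace + $Sddl.Substring($i)
}

$results = foreach ($svc in Get-Service) {
    $sddl = "$(Get-ServiceSddl $svc.Name)"
    if (-not $sddl) {   # e.g. access denied on a protected service
        [pscustomobject]@{ Service = $svc.Name; Status = 'Unreadable' }; continue
    }
    if ($sddl.Contains($Ace)) {   # exact ACE already present
        [pscustomobject]@{ Service = $svc.Name; Status = 'Compliant' }; continue
    }
    if ($ReportOnly) {   # detection only: report drift, change nothing
        [pscustomobject]@{ Service = $svc.Name; Status = 'Missing' }; continue
    }
    & sc.exe sdset $svc.Name (Add-DaclAce $sddl $Ace) | Out-Null
    $status = if ($LASTEXITCODE -eq 0) { 'Updated' } else { "Failed($LASTEXITCODE)" }
    [pscustomobject]@{ Service = $svc.Name; Status = $status }
}

# Summary, e.g. for writing back to a device property as described above.
$results | Group-Object Status | Select-Object Name, Count
$results | Where-Object Status -like 'Failed*'
```

Run with -ReportOnly first to see which services lack the ACE; the compliance check is an exact-string match, so a pre-existing ACE for the same SID with different rights is reported as missing and gets a second ACE appended rather than merged.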