Forum Discussion
Morning folks... I'm at the beginning of a new deployment and am with an MSP... so we're about to deploy exactly this at scale. We're avoiding local admin as well and are working out how to get WMI to respond correctly without granting full access to every machine.
A primary reason domain admin is such a security risk is that it grants local admin through group memberships to every machine. Having that happen manually seems to undermine the initiative of "least" privilege, so we're pushing through the effort of finding the correct and reproducible way to grant read access to WMI without having to resort to any manual processes.
I potentially have a few thousand of these to do since we have to make changes to every device we're bringing into our fresh portal. Ideally, I'd like to find a way to push this from the LM interface itself once the collector is set up in the environment. Not sure how I'm going to implement that yet, but with the service itself running under a "just enough access" cred, I'll probably need it to access a domain admin account just for this effort.
In the past, I've used property sources as scheduled-task types of scripts... they don't need to pull any metrics and can just write a status update into a property on each device once completed. I'll most likely deploy this way once we figure out the magic sauce for the WMI class access without having to manually open XP-era admin tools.
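The reproducible, non-admin WMI grant the post is looking for is usually three things: an "Enable Account" + "Remote Enable" ACE on the WMI namespace (what wmimgmt.msc sets by hand), plus membership in the local "Distributed COM Users" and "Performance Monitor Users" groups for DCOM remote activation and perf counters. The script below is an added example written for this thread, not code from the original poster or from LogicMonitor; the group name CONTOSO\LM-WMI-Readers is an assumed placeholder, and it assumes Windows PowerShell 5.1 on the target, run with local admin rights (for instance from the collector host via Invoke-Command).

```powershell
<#
  Added example (not from the original post or from LogicMonitor).
  Grants a domain group read-only WMI access on a namespace tree without
  making it a local admin, and adds it to the two local groups a non-admin
  needs for remote DCOM and perf-counter access. Idempotent: re-running it
  on an already-configured host changes nothing.
  Assumed placeholder group: CONTOSO\LM-WMI-Readers.
#>
function Grant-WmiReadAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Account,   # e.g. 'CONTOSO\LM-WMI-Readers' (assumed)
        [string]$Namespace = 'root\cimv2'
    )

    # ACEs are stored by SID, not by name, so resolve the account once up front.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Read the namespace's current security descriptor via the __SystemSecurity class.
    $sec = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
    $get = $sec.GetSecurityDescriptor()
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($get.ReturnValue)" }
    $sd = $get.Descriptor

    # The two rights that "Enable Account" and "Remote Enable" map to in wmimgmt.msc.
    # Deliberately no WBEM_METHOD_EXECUTE or write rights: read-only monitoring.
    $WBEM_ENABLE        = 0x1
    $WBEM_REMOTE_ACCESS = 0x20
    $mask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

    # Skip the write if an allow ACE for this SID already carries these rights.
    $existing = @($sd.DACL | Where-Object {
        $_.Trustee.SIDString -eq $sid -and $_.AceType -eq 0 -and
        (($_.AccessMask -band $mask) -eq $mask) })

    if ($existing.Count -eq 0 -and $PSCmdlet.ShouldProcess($Namespace, "grant $Account WMI read")) {
        $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
        $trustee.SIDString = $sid

        $ace = ([wmiclass]'Win32_Ace').CreateInstance()
        $ace.AccessMask = $mask
        $ace.AceFlags   = 0x2   # CONTAINER_INHERIT_ACE: sub-namespaces inherit the grant
        $ace.AceType    = 0     # ACCESS_ALLOWED_ACE_TYPE
        $ace.Trustee    = $trustee

        # Unwrap the PSObject layer before handing the descriptor back to WMI.
        $sd.DACL += $ace.PSObject.ImmediateBaseObject
        $set = $sec.SetSecurityDescriptor($sd.PSObject.ImmediateBaseObject)
        if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }
    }

    # Remote WMI as a non-admin also needs DCOM remote launch/activation and
    # perf-counter read rights; these built-in local groups provide exactly that.
    foreach ($group in 'Distributed COM Users', 'Performance Monitor Users') {
        if ($PSCmdlet.ShouldProcess($group, "add member $Account")) {
            # Add-LocalGroupMember errors if the member is already present; that is fine.
            Add-LocalGroupMember -Group $group -Member $Account -ErrorAction SilentlyContinue
        }
    }

    # Small status record; a property source can write these fields back to the device.
    [pscustomobject]@{
        Namespace    = $Namespace
        Account      = $Account
        AceAdded     = ($existing.Count -eq 0)
        ConfiguredAt = (Get-Date).ToString('s')
    }
}

# Usage (on the target, as an admin; or wrap in Invoke-Command from the collector):
# Grant-WmiReadAccess -Account 'CONTOSO\LM-WMI-Readers' -WhatIf   # dry run
# Grant-WmiReadAccess -Account 'CONTOSO\LM-WMI-Readers'
```

To confirm the grant from the collector without local admin, query the host as the monitoring account, for example `Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName <target> -Credential <monitoring cred>`; a successful response means the namespace ACE and the DCOM group membership are both in place, while "Access denied" points at whichever of the two is still missing.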