Forum Discussion
Oops, just reread and saw your comments on SDDL; indeed it does need to be run on a schedule. Yeah, I walked away from that. Like I'm going to run a set of re-permissioning scripts every couple of hours. The consequences of getting that script wrong and stuffing up all the permissions on all the servers were way too high.
- MWW, 3 months ago
Neophyte
I think that's the conclusion I'm arriving at as well. I'm all about reducing the number of domain admins in our environment, but LogicMonitor's mandate/guidance on the topic seems half-baked at best.
- Andy_C, 3 months ago
Neophyte
It's not really an LM issue; any remote connection system is going to have problems: WMI permissions, WinRM connections, just a whole bunch of stuff. This is from a similar type of product, and it's just a really exploded view of the whole permissions thing and trying to run PowerShell remotely.
https://docs.sciencelogic.com/latest/Content/Web_Vendor_Specific_Monitoring/Windows_PowerShell/chapter_03_config_PowerShell.htm
Easy way around all of this is, for regular non-DC and workgroup machines, create a regular local account, lock that down, and in AD deny RDP and local logon etc. Drop that account into the Admins group on the local servers. Use that account as wmi.user and wmi.pass. For all the DCs and workgroup machines, install a collector. Nano does work fine, although it's not officially supported in this configuration. The collector runs as 'local system' against itself only and has enough permissions. No Domain Admin account required.
Some of our customers have 20 collectors each: half a dozen on DCs, a "main collector" for everything else, and all the workgroup standalones get a Nano.
It's so much easier than dicking around with firewalls, WinRM certs, SDDLs, and all that.
- MWW, 3 months ago
Neophyte
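The approach in the post above (a non-privileged account that is only a member of each server's local Administrators group, denied interactive and RDP logon, and used purely for WMI), as an added PowerShell example that is not part of the original thread and not LogicMonitor's own tooling. The account name CONTOSO\svc-lmmon and the target host SRV01 are assumptions; the example reads the post as using an ordinary domain user (the post says "in AD deny RDP and local logon"), so adjust if you use per-host local accounts. The Deny logon rights are assumed to be pushed by GPO (User Rights Assignment) beforehand; the script only verifies they landed. Steps 1 and 2 run elevated on each non-DC server; step 3 runs on the collector host.

```powershell
# Added example, not from the original thread or from LogicMonitor.
# Assumed (hypothetical) names: monitoring account CONTOSO\svc-lmmon, target SRV01.
# Requires Windows PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts.
$Account = 'CONTOSO\svc-lmmon'   # assumed monitoring account
$Target  = 'SRV01'               # assumed monitored server

# --- Step 1 (on each non-DC server, elevated): local admin membership only ---
# The account holds no domain-level privilege; it is added to this host's *local*
# Administrators group, which is what WMI/DCOM monitoring needs.
$members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($members -notcontains $Account) {
    Add-LocalGroupMember -Group 'Administrators' -Member $Account
    "Added $Account to local Administrators on $env:COMPUTERNAME"
}

# --- Step 2 (on each non-DC server, elevated): confirm the logon denies applied ---
# Export the effective local security policy and check that the account's SID is
# listed under the Deny interactive / Deny RDP logon rights. secedit writes SIDs
# prefixed with '*', so a substring match on the SID is enough.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content $cfg
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $line = $policy | Where-Object { $_ -like "$right*" }
    if ($line -and $line -match [regex]::Escape($sid)) {
        "OK   $right includes $Account"
    } else {
        "WARN $right does not include $Account (GPO not applied?)"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# --- Step 3 (on the collector host): exercise WMI over DCOM as that account ---
# A WMI-based collector talks DCOM, not WinRM, so test the same path explicitly.
# If this query succeeds, the same account works as wmi.user / wmi.pass.
$cred = Get-Credential -UserName $Account -Message 'Monitoring account password'
$opt  = New-CimSessionOption -Protocol Dcom
$sess = New-CimSession -ComputerName $Target -Credential $cred -SessionOption $opt
try {
    Get-CimInstance -CimSession $sess -ClassName Win32_OperatingSystem |
        Select-Object CSName, LastBootUpTime, FreePhysicalMemory
} finally {
    Remove-CimSession $sess
}
```

Step 2 is the check worth keeping: local Administrators membership without the logon denies gives the account an interactive foothold on every server it monitors, which is exactly the exposure the post is trying to avoid by not using a Domain Admin.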
Thanks, this is a really interesting approach! At this point I'm torn between pursuing least privilege further, or just using a credential management system to auto-rotate the password on our collectors. What you just outlined does sound like a feasible approach.