Forum Discussion
I think that's the conclusion I'm arriving at as well. I'm all about reducing the number of domain admins in our environment, but LogicMonitor's mandate/guidance on the topic seems half-baked at best.
It's not really an LM issue; any remote connection system is going to have problems, either WMI permissions, WinRM connections, just a whole bunch of stuff. This is from a similar type of product and it's just a really exploded view of the whole permissions thing and trying to run PowerShell remotely.
https://docs.sciencelogic.com/latest/Content/Web_Vendor_Specific_Monitoring/Windows_PowerShell/chapter_03_config_PowerShell.htm
Easy way around all of this is, for regular non-DC and workgroup machines, create a regular local account, lock that down, in AD deny RDP and local logon, etc. Drop that account into the Admins group on the local servers. Use that account as wmi.user and wmi.pass. For all the DCs and workgroup machines, install a collector. Nano does work fine, although it's not officially supported in this configuration. Collector runs as 'local system' against itself only and has enough permissions. No domain admin account required.
Some of our customers have 20 collectors each. Half a dozen on DCs, a "main collector" for everything else, and all the workgroup standalones get a nano.
It's so much easier than dicking around with firewalls, WinRM certs, SDDLs and all that.
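A check for the lockdown step described in the post above, as an added example that is not part of the thread or of LogicMonitor's tooling: it parses a `secedit` user-rights export and reports whether the monitoring account is covered by the two deny-logon rights. It assumes the deny settings are delivered as user-rights assignments (for example through Group Policy); the function name, the account name `svc-lm-wmi`, the SID and the sample export are constructed.

```powershell
# Added example. Get-DenyRightCoverage is a hypothetical helper, not a built-in cmdlet.
function Get-DenyRightCoverage {
    param(
        [Parameter(Mandatory)][string]$PolicyText,   # text of a secedit USER_RIGHTS export
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][string]$AccountSid
    )
    # User-right constants behind "Deny log on locally" and
    # "Deny log on through Remote Desktop Services".
    $rights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    $result = [ordered]@{}
    foreach ($right in $rights) {
        $result[$right] = $false   # a right absent from the export grants no coverage
        foreach ($line in $PolicyText -split "`r?`n") {
            if ($line -match "^\s*$right\s*=\s*(.*)$") {
                # Entries are comma separated; SIDs carry a leading '*'.
                $entries = $Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
                $result[$right] = ($entries -contains $AccountSid) -or
                                  ($entries -contains $AccountName)
            }
        }
    }
    [pscustomobject]$result
}

# Constructed sample export. It deliberately omits the RDP deny entry, and the
# "allow" right on the last line must not be mistaken for a deny right.
$sample = @'
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,Guest
SeRemoteInteractiveLogonRight = *S-1-5-32-544
'@

Get-DenyRightCoverage -PolicyText $sample -AccountName 'svc-lm-wmi' `
    -AccountSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# On a live host (elevated prompt), feed it the real policy instead:
#   $tmp = New-TemporaryFile
#   secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
#   $u = Get-LocalUser -Name 'svc-lm-wmi'
#   Get-DenyRightCoverage -PolicyText (Get-Content $tmp -Raw) `
#       -AccountName $u.Name -AccountSid $u.SID.Value
```

Run across the servers where the account sits in the local Administrators group, any `False` flags a host where the account can still log on interactively or over RDP.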
- MWW 4 months ago
Neophyte
Thanks, this is a really interesting approach! At this point I'm torn between pursuing least privilege further, or just using a credential management system to auto-rotate the password on our collectors. What you just outlined does sound like a feasible approach.