Least Privilege not showing full list of Windows Services
Using LogicMonitor in full admin mode (ie we connect with a service account with admin rights on the target windows server) has presented no issues. All metrics work perfectly, we can monitor ALL windows services. We are now rolling out "Least Privilege" to 1000+ servers and followed the step by step documentation and used the PowerShell script to apply permissions. The WMI aspects of monitoring work ok. However when monitoring "windows services" we can only see a subset of services. It seems anything that is out of the box before we install applications or solutions like IIS, SQL, Oracle etc etc does not appearing the list. Its noticeably a smaller list. Has anyone seen this in their environment? We are told there have been no other reports. If we make the service account a local admin - all services appear perfectly. In the documentation here: Windows Server Monitoring and Principle of Least Privilege | LogicMonitor there are 5 steps to eventually running a command "sc sdset scmanager...". This command also does not work. What are your experiences? have you seen the same issue and how did you overcome?
Issues automating Least Privelege at scale
I'm working through how to implement the least privelege "Windows_NonAdmin_Config" script in 100+ environments. In at least two, the LM service account we have is the only one with enough admin credentials to change the account to non-admin. I'm testing in our own internal systems to make sure I can get it to work. In my first go of it as both the LM Service account and using my own Admin creds in our environment, I'm getting errors: Has anyone else seen this? I'm going to keep chipping away at it as I'd like to come up with a purely LM solution to the shift due to the scale of the effort in our MSP environment. We do have ConnectWise Automate to utilize if I can't get this working, but right now, I can't even get it going using the instructions provided directly on the VM (in a console window using 'enter-pssession 127.0.0.1 -credential (get-credential)' to get a session with admin priveleges.
