Javascript must be enabled to download our products and perform other essential functions on the website.

ionicons-v5-m
ionicons-v5-j
Buy Now Download Free Trial
ionicons-v5-m
ionicons-v5-f

Using a Local or Non-Admin Active Directory User Account

Monitoring a server with something other than a domain admin account is possible. To be able to do this you will need to give the monitoring account certain permissions by adding the account to different groups on each server. Listed below are the changes needed to monitor a non-domain controller server across the network.

Monitoring a Domain Controller

When monitoring a server that is a domain controller, and using something other than a domain administrator account is desired, you will need to use a Satellite on the domain controller and have it run as Local System. The reason for this is that local user accounts don't exist on a domain controller, but admin rights are often still needed. To be able to take advantage of the Satellite feature to monitor a domain controller you will need to use the Ultra product edition.

Monitoring Non-Domain Controller Servers

An approach to using non-domain admin accounts is to create local monitoring accounts on each server (similar to the LAPS approach). These accounts would all have unique credentials and would have the required access to monitor local resources.

ionicons-v5-h

When using a non-domain account, a local administrator account will not have administrator rights when connecting remotely because of UAC. A registry setting can change this effect.

Read more at: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction.


Listed below are the changes that need to be made to a monitored server to use a local user account or a non-admin domain account for monitoring. After the changes have been made, the monitoring service needs to be restarted as changes to user accounts do not take effect until the next time the user account logs in.

Local accounts, or non-domain admin accounts need to be added to the following local server groups based on the type of monitoring that will be done:

  • Disk Space Monitoring - add to local Administrators group
  • Event Log Monitoring - add to local Event Log Readers group
  • Performance Monitoring - add to local Performance Monitor Users group
  • Services Monitoring - add to local Administrators group

Add User Account to the User Groups on the Server

  1. 1. Open Local Users and Groups (lusrmgr).
  2. 2. Create a new user account - Right click on User and then select New User. You can skip this step if you already have a user account.
  3. Local User and Groups Add New User
  4. 3. Adding Users to Groups - Select Group based on the type of monitoring to be done.
       Disk Space Monitor - Administrators group
       Event Log Monitor - Event Log Readers group
       Performance Monitor - Performance Monitor Users group
       Services Monitor - Administrators group
  5. Local User and Groups
  6. 4. Double click a Group then click the Add button to add user.
  7. Local User and Groups Add User

Restart the Monitoring Service

The changes to the user account will not take affect until the account is logged in again. Restart the monitoring service to force fresh logins.

The above changes will not affect Windows Firewall restrictions. A list of standard ports used by the monitoring service is shown on Monitoring Remote Servers Through Firewalls.

Wow, you guys are GOOD! Go get yourselves some lattes or something. :-) I won't be able to try the update for a little while, but the effort alone makes me smile.

Jeremiah B., FLEXcon, USA ionicons-v5-b