Using a Local or Non-Admin Active Directory User Account
Monitoring a server with an account other than a domain admin account is possible. To do this, you need to give the monitoring account certain permissions by adding it to different groups on each server. Listed below are the changes needed to monitor a non-domain controller server across the network.
Monitoring a Domain Controller
To monitor a server that is a domain controller with an account other than a domain administrator account, you will need to use a Satellite on the domain controller and have it run as Local System.
The reason for this is that local user accounts don't exist on a domain controller, but admin rights are often still needed.
To use the Satellite feature to monitor a domain controller, you will need the Ultra product edition.
Monitoring Non-Domain Controller Servers
An approach to using non-domain admin accounts is to create local monitoring accounts on each server (similar to the LAPS approach). These accounts would all
have unique credentials and would have the required access to monitor local resources.
Listed below are the changes that need to be made to a monitored server to use a local user account or a non-admin domain account for monitoring. After the changes have been made, the monitoring service needs to be restarted, as changes to user accounts do not take effect until the next time the user account logs in.
Local accounts or non-admin domain accounts need to be added to the following local server groups, based on the type of monitoring that will be done:
- Disk Space Monitoring - add to local Administrators group
- Event Log Monitoring - add to local Event Log Readers group
- Performance Monitoring - add to local Performance Monitor Users group
- Services Monitoring - add to local Administrators group
Add User Account to the User Groups on the Server
1. Open Local Users and Groups (lusrmgr).
2. Create a new user account - Right-click on User and then select New User. You can skip this step if you already have a user account.
3. Adding Users to Groups - Select Group based on the type of monitoring to be done.
   - Disk Space Monitor - Administrators group
   - Event Log Monitor - Event Log Readers group
   - Performance Monitor - Performance Monitor Users group
   - Services Monitor - Administrators group
4. Double-click a Group, then click the Add button to add the user.
Restart the Monitoring Service
The changes to the user account will not take effect until the account is logged in again. Restart the monitoring service to force fresh logins.
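The same steps can be scripted for the local-account case. The following PowerShell is an added example, not part of the product documentation: it creates the account if missing, adds it only to the groups that the selected monitor types need, and then restarts the service. The account name `svc-monitor`, the monitor-type keys and the service-name placeholder are assumptions; the group names are the English ones listed above.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$AccountName = 'svc-monitor',                # hypothetical account name
    [string[]]$Monitors  = @('EventLog', 'Performance'), # keys of $GroupFor below
    [string]$ServiceName = '<monitoring-service-name>'   # placeholder: not given on this page
)

# Monitor type -> local group, as listed on this page (keys are labels chosen for this example)
$GroupFor = @{
    DiskSpace   = 'Administrators'
    EventLog    = 'Event Log Readers'
    Performance = 'Performance Monitor Users'
    Services    = 'Administrators'
}

# Reject unknown monitor types before changing anything
$unknown = $Monitors | Where-Object { -not $GroupFor.ContainsKey($_) }
if ($unknown) { throw "Unknown monitor type(s): $($unknown -join ', ')" }

# Step 2: create the local account only if it does not already exist
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
    New-LocalUser -Name $AccountName -Password $password `
        -Description 'Monitoring account' | Out-Null
}

# Steps 3-4: add the account to each required group once (safe to re-run)
$groups = $Monitors | ForEach-Object { $GroupFor[$_] } | Sort-Object -Unique
foreach ($group in $groups) {
    $member = Get-LocalGroupMember -Group $group -Member $AccountName `
        -ErrorAction SilentlyContinue
    if (-not $member) {
        Add-LocalGroupMember -Group $group -Member $AccountName
    }
    Write-Output "$AccountName is a member of '$group'"
}

# Disk Space and Services monitoring grant full local admin rights; make that visible
if ($groups -contains 'Administrators') {
    Write-Warning "$AccountName now has local Administrators membership on $env:COMPUTERNAME."
}

# Restart the monitoring service so the new group membership applies at next logon
if ($ServiceName -notlike '<*') {
    Restart-Service -Name $ServiceName
}
```

Run it from an elevated PowerShell session on the monitored server; the restart only applies when the monitoring service runs on that same machine.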
The above changes will not affect Windows Firewall restrictions. A list of standard ports used by the monitoring
service is shown on Monitoring Remote Servers Through Firewalls.