Local Administrator privileges
Why do you need this?
We do not expressly require admin privileges; however, granting them is an easy way to ensure that inventory will proceed without any special configuration.
Our agentless inventory requires a service account with the ability to:
- access C$,
- conduct a remote registry call, or
- launch a remote, read-only WMI call
Any combination of two of the three access criteria above will allow for a working Windows inventory. All three are preferred, for failover purposes (e.g. should a WMI hive be corrupt).
That said, we typically ask for local admin to make setup as easy for our customers as possible, and some of our inventory work would ideally take place in the local space provided by the admin share (often ‘C$’).
Also, features of Windows such as UAC (User Account Control) and many services such as remote registry, remote WMI, and remote procedure calls are allowed to pass through when connecting as a local admin but are often blocked otherwise.
However, it is important to note that our inventory tool does not expressly require local administrator rights.
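A preflight check for the two-of-three rule above, as an added example that is not part of the vendor's tooling: run it in a PowerShell session started as the inventory service account. The function names, the registry key that is read, and the use of DCOM for the WMI query are assumptions made for illustration.

```powershell
# Added example: test the three access paths against one target host.
param([Parameter(Mandatory)] [string] $ComputerName)

function Test-AdminShare([string] $Computer) {
    # Listing the root of C$ shows the account can reach the administrative share.
    try { Get-ChildItem -Path "\\$Computer\C$" -ErrorAction Stop | Out-Null; $true }
    catch { $false }
}

function Test-RemoteRegistry([string] $Computer) {
    # Opens HKLM remotely and reads one well-known key (key choice is an assumption).
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $ok = $null -ne $key
        if ($key) { $key.Close() }
        $hklm.Close()
        $ok
    } catch { $false }
}

function Test-RemoteWmi([string] $Computer) {
    # Read-only WMI query; DCOM transport is an assumption, the page does not name one.
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $Computer -SessionOption $opt -ErrorAction Stop
        Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop | Out-Null
        Remove-CimSession -CimSession $session
        $true
    } catch { $false }
}

$results = [ordered]@{
    'C$ admin share'    = Test-AdminShare $ComputerName
    'Remote registry'   = Test-RemoteRegistry $ComputerName
    'Remote WMI (read)' = Test-RemoteWmi $ComputerName
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-20} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAILED' })
}

# Apply the rule from the text: two of three is enough, three is preferred.
$passed = @($results.Values | Where-Object { $_ }).Count
if     ($passed -eq 3) { 'All three paths work (preferred, allows failover).' }
elseif ($passed -eq 2) { 'Two paths work: inventory can proceed, with no spare path for failover.' }
else                   { 'Fewer than two paths work: this account does not meet the stated requirement.' }
```

A result of two or three passes without local admin membership shows that the account can be scoped below administrator for that host.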
Domain Administrator privileges
Why do you need this?
Domain controllers do not have local administrator accounts. In those cases, we leverage this privilege level to conduct any inventory activities that would otherwise have leveraged local admin privileges / the administrative share.
However, as above, an account with remote registry access and read-only remote WMI can successfully complete an inventory.
Domain Administrative privileges are a nice to have but not a must have.
Active Directory collection access
What access do you need?
To wholly and accurately inventory a domain controller, domain admin privileges are still ideal. However, as an alternative, we can use any account that is a member of the Domain Users group to collect Active Directory data using LDAP.
VMware Access
What access do you need?
We need an account with the read-only role assigned, set at the vCenter level, with propagation through all child elements enabled - see the screenshot at right.
If you are looking for VMware license application details, you should clone the read-only role and add Global > Licensing permissions. For further details, see VMware Inventory Requirements.
Why do you need this?
Microsoft and Oracle products, in particular, base their licensing in many cases on the architecture of the host upon which a guest VM is running. To properly offer licensing advice and ensure a customer is not exposed to compliance risk or overpaying for this software, we must understand the details of the guest/host relationship and the hardware specifications of the host servers.
Do you need root or administrator access?
Absolutely not. Our customers often choose to use the existing vCenter administrator accounts, as this ensures the access level we require, but if this is not possible or is undesirable, they can simply set up an account with the read-only role in their local SSO domain (for authentication across virtual domains) or directly on the ESXi hosts.