Windows probe required privilege levels

The amount of functionality a probe has is defined by the type and level of login credentials the probe has during installation. The credentials you provide during the probe installation are stored in the Windows Credentials (OS level), and by the probe locally in an encrypted config file.

Probe remote tasks and required privileges / user groups

The Windows Probe service runs using the domain or local account, or using the Local System account. If you do not provide the domain or local credentials, the probe runs using the Local System account.

The table below summarizes what groups the probe account needs to perform remote tasks.

For example, when a domain user that belongs to the Distributed COM users, the Performance Monitoring user groups can discover Windows devicees and monitor them using WMI.

To install the agent, the domain user requires local administrator privileges.

Remote Task Remote Objects User Group Required
Discovery of Windows device (WMI)
  • WMI namespace queries
  • Distributed COM users
  • Distributed COM users
Push install of Windows agent
  • Administrator share (ADMIN$)
  • Administrator share (ADMIN$)
  • Administrator share (ADMIN$)
  • Local administrator
Monitoring Windows devices using WMI
  • WMI namespace queries
  • Distributed COM users
  • Distributed COM users
Running scheduled tasks on Windows device
  • Script execution
  • Local administrator
Self healing
  • Service Control Manager
  • Service Control Manager
  • Local administrator
Local caching (Agent installer, patch) N/A
  • Local system

Probe credentials validation during installation

Error Message Text Install Step
The supplied network credentials are invalid. Verify the information and try again. Log on with domain/username password to the local computer.
For the software to function properly, the specified account must have local administrator rights. Check if credentials for local administrator account.
Failed to read the SeServiceLogonRight privilege from the domain name. Check if the credentials allow log on as service.
The probe will not be able to successfully discover Windows devices. WMI call to the domain controller with the provided credentials.
The specified account does not have the "Logon as Service" privilege. The installer will automatically grant it. Grants log on as service privilege.

During Probe setup WMI call to domain controller fails, however Probe can perform WMI monitoring with domain user account.