Create a dedicated Movere account

This article describes how to create a dedicated service account for scanning in Movere.

  • To scan Windows devices, you need an account that has sufficient permissions on the device where you install the console, as well as on the device that you are trying to scan (also known as the target device). This account needs Local Admin access on the devices.
  • One way to handle this requirement, without making changes to customer environments, is to use an account in the Active Directory Domain Admins group (Local Admin access is assigned to this account by default).
  • However, Movere doesn't allow the propagation of Domain Admin privileges to collect SQL Server data. This means that although a Domain Admin account can be used to scan Windows devices, it can't be used by the Movere bots when collecting SQL Server data.

To satisfy all requirements, we recommend that you create a dedicated service account for Movere.

Create a Movere service account

Create an account. We recommend that you use a strong password that doesn't expire.

  1. In Active Directory Users and Computers, right-click Managed Service Accounts > New > User.

  2. Specify the user details and click Next.

  3. Specify and confirm the account password. Then click Next > Finish.

  4. Now proceed with creating a new security group object.

Create a new security group object

Create a new security group for the Movere account.

  1. In Active Directory Users and Computers, open the Users tab.

  2. Click Action > New > Group.

  3. In Group name, specify a name for the group (AdminLocal in our example) and add a description.

  4. In Group scope, specify the scope you want to assign to the group, depending on the location of Windows devices you want to scan. We recommend using Domain local, so that the group is visible in its own domain, and can control resources in that domain only.

  5. In Group type, click Security. Then click OK to save the group.

  6. Now proceed with assigning a group policy to the security group created.

Assign a group policy to the security group

The group policy you assign to the security group depends on your organization. For example, you might have a single default domain policy, or device-specific policies. We'll assign the Default Domain Policy to the group.

  1. In the Group Policy Management console > Domains, navigate to the relevant domain, and click Default Domain Policy.
  2. In Computer Configuration > Preferences > Control Panel Settings, right-click Local Users and Groups > Local Group > New.
  3. In New Local Group Properties, select Administrators (built-in).
  4. Click Add, and add the account you created to the group.

Note

If custom group policies for administrators are used in your organization, ensure that the user rights assignment does not have "Deny Log on Locally" enabled for this account.

  5. After adding, you should see an account marked Update, in Local Users and Groups.
  6. To test group policy without waiting for replication or reboot, force an update from the command prompt with gpupdate /force.

    • This only impacts the device on which the command runs.
    • To update all Windows devices in the relevant domain, wait at least two hours for the group policy change to propagate.

After the update, you should be able to scan Windows devices in the relevant domain, using the new Movere service account.
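
To confirm on a target device that the policy applied and that the "Deny Log on Locally" condition in the Note is met, a check like the following can be run from an elevated PowerShell session. It is an added example, not part of the original article or of Movere; the account name CONTOSO\svc-movere is a placeholder, and the check covers direct entries only (not rights or membership inherited through nested groups).

```powershell
# Added example. Run elevated on a target device after 'gpupdate /force'.
$Account = 'CONTOSO\svc-movere'   # placeholder: replace with your service account

# Resolve the account to its SID so comparisons do not depend on name format.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 1. Is the account a direct member of the built-in Administrators group?
#    S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -eq $sid })

# 2. Export the effective user rights assignment and read the
#    "Deny log on locally" entry (SeDenyInteractiveLogonRight).
$cfg = Join-Path $env:TEMP 'movere-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$denyLine = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are comma-separated; SIDs are prefixed with '*', others are names.
$denied = @()
if ($denyLine) {
    $denied = @(($denyLine.Line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $entry.TrimStart('*')
        } else {
            try {
                ([System.Security.Principal.NTAccount]$entry).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $entry   # unresolvable name: keep as written
            }
        }
    })
}

# Expected for a scannable device: InLocalAdministrators = True,
# DeniedLocalLogon = False.
[pscustomobject]@{
    Account               = $Account
    Sid                   = $sid
    InLocalAdministrators = $isAdmin
    DeniedLocalLogon      = ($denied -contains $sid)
}
```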

Use Movere Service account to Scan SQL Server

Optionally, the same account that you created in the prior steps to inventory Windows devices can also be used to scan SQL Server data. To do this, the organisation needs to add this account to the SQL Server administrator group. For a full list of permissions required to scan SQL Server, see Learn More.

Next steps

Learn about scanning in Movere.