PowerRecon Best Practices for User Accounts

  • 7920726
  • 16-Jun-2006
  • 26-Apr-2012

Environment

Applies to:  PowerRecon 2.1.x.x

Situation

This article discusses the best practices for setting up a user account with Administrator privileges to allow PowerRecon to monitor servers on the network.



PowerRecon requires administrator access in order to monitor a server.  Rather than using an existing administrator-level account, it is best to define a new account in a new organizational unit.  This allows the network administrator to tailor the account for proper use on the network: a security policy can give the account only the access it needs and no more, and the account can be given access to only those computers that need to be monitored.

 

Resolution

The following steps will create a PlateSpin organizational unit (platespin-monitoring), a global PlateSpin group (admin-power-recon) and a power recon user (power.recon):

 

1.       Open the Active Directory Users and Groups window on the Domain Controller.

2.       Create a PlateSpin Organizational Unit directly under the main domain entry.

a.       Right-click on the domain name.

b.       Select New and Organizational Unit.

c.       Input the name platespin-monitoring

3.       Under the platespin-monitoring organizational unit, create a global group called admin-power-recon

a.       Right click on the organizational unit platespin-monitoring.

b.       Select New and Group.

c.       Input the name admin-power-recon

d.       Ensure the group scope is Global and the group type is Security.

4.       Create a new user called power.recon

a.       Right click on the platespin-monitoring organizational unit.

b.       Select New and User.

c.       Input the user information.  Set the user logon name to power.recon.

d.       Press Next.

e.       Input the password to use.

f.        Ensure "User must change password at next logon" is not selected.

g.       Ensure "Password never expires" is selected.

h.       Press Next and then Finish.

5.       Add power.recon user to the admin-power-recon group.

a.       Right click on the admin-power-recon group and select properties.

b.       In the Members Tab, press the Add button.

c.       Type in the name of the user to add, i.e. power.recon.

d.       Press Check Name to validate the name.

e.       If the name validates, press okay.

 

Use one of the following techniques to give the power.recon user administrator access to the computers on the network:

1)    Add the power.recon user to the administrators group for each computer to be monitored:

a.       Open the Computer Management screen of the computer in question, either by logging on to the computer directly or by using the domain controller's Active Directory Users and Computers window.

b.       Select System Tools, Local Users and Groups, and finally Groups.

c.       Right click on the Administrators Group and select properties.

d.       Press the Add button.

e.       Type in admin-power-recon and press Check Names.

f.        If the name validates, press okay

2)    Make the power.recon user a member of the Domain Admins group:

a.       From the Active Directory Users and Groups window on the Domain Controller, navigate to the power.recon user in the platespin-monitoring Organizational Unit.

b.       Right-click on power.recon and select Properties.

c.       Click on the Member Of tab and press Add.

d.       Input Domain Admins and press the Check Names button.

e.       If the name verifies, press okay.

 

Using the first solution allows the network administrator to define which computers are to be accessible to the power recon application.  Moreover, it lets the network administrators set a security policy for the platespin-monitoring organizational unit that defines what its users can and cannot do.  For large networks, it has the drawback of having to configure the local administrators group for each computer individually.

 

The second solution opens the entire network up to the power recon application.  It is the quickest and may be appropriate for very large networks.
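The following script is an added example, not part of the original article and not PlateSpin code. It performs steps 1 to 5 and the first technique, adding admin-power-recon to the local Administrators group on a named list of computers only. It assumes the ActiveDirectory (RSAT) module, PowerShell 5.1 or later, and PowerShell remoting enabled on the targets; SERVER01 and SERVER02 are placeholder host names.

```powershell
# Added example (assumptions: ActiveDirectory module, PowerShell 5.1+, remoting enabled on targets).
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$ouName    = 'platespin-monitoring'
$ouPath    = "OU=$ouName,$($domain.DistinguishedName)"
$group     = 'admin-power-recon'
$user      = 'power.recon'
# Placeholder host names: list only the servers PowerRecon should monitor.
$monitored = @('SERVER01', 'SERVER02')

# Step 2: organizational unit directly under the main domain entry.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
          -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# Step 3: global security group inside the OU.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
    New-ADGroup -Name $group -SamAccountName $group `
        -GroupScope Global -GroupCategory Security -Path $ouPath
}

# Step 4: the user, with the password options from steps 4f and 4g.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$user'")) {
    $password = Read-Host -AsSecureString -Prompt "Password for $user"
    New-ADUser -Name $user -SamAccountName $user `
        -UserPrincipalName "$user@$($domain.DNSRoot)" -Path $ouPath `
        -AccountPassword $password -ChangePasswordAtLogon $false `
        -PasswordNeverExpires $true -Enabled $true
}

# Step 5: add the user to the group unless it is already a member.
if ($user -notin (Get-ADGroupMember -Identity $group).SamAccountName) {
    Add-ADGroupMember -Identity $group -Members $user
}

# Technique 1: add the group to local Administrators on each listed computer.
$member  = "$($domain.NetBIOSName)\$group"
$results = Invoke-Command -ComputerName $monitored -ArgumentList $member -ScriptBlock {
    param($Member)
    $present = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object Name -eq $Member
    if (-not $present) { Add-LocalGroupMember -Group 'Administrators' -Member $Member }
    [pscustomobject]@{ Member = $Member; AlreadyPresent = [bool]$present }
}
# One row per computer that was reached; unreachable hosts appear as errors instead.
$results | Select-Object PSComputerName, Member, AlreadyPresent
```

The script is safe to re-run: existing objects and memberships are left as they are, and the final table shows which computers already had the group in local Administrators.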