Windows NT Domains

When NT domains are used, you may use one of these options to create a Windows account to be used for host authentication (trusted scanning).

Option 1 - Using an Administrator Group

1) Log into the Domain Controller with an account that has administrator rights.

2) Create a new user account called "qualys_account".

3) Make the "qualys_account" a member of the Global group called "Domain Admins".

4) In the "Member of" section of the group properties, keep only the group "Domain Admins" and remove any other groups. The Global group "Domain Admins" should be used for access to remote systems as this group is automatically added to the "Administrators" Local group on each system when it becomes a member of the Windows NT domain.

5) Make the required group policy settings.

Option 2 - Set ACL Remotely Using SetACL Command-Line Tool

1) Log into the Domain Controller with an account that has administrator rights.

2) Create a new Global group called "qualys_scanners". In the group properties, be sure that there are no members of the group.

3) Create a new user account called "qualys_account" and put it in the "qualys_scanners" group. In the "Member of" section of the account properties, keep only the "Administrators" group and remove any other entries.

4) Get the SetACL tool, if you don't already have it, from http://helgeklein.com/

5) At the command line, run SetACL to set the remote access registry key on a target host.

setacl -on "\\NETBIOS_NAME\MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg" -ot reg -actn ace -ace "n:DOMAIN\GROUPNAME;p:read;m:grant;w:dacl;i:np"

where GROUPNAME is the "qualys_scanners" group (the Global group you created)

6) Make the required group policy settings.
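
To confirm that the SetACL command in step 5 of Option 2 took effect, the following PowerShell function reads the DACL of the winreg key on each target host and reports whether the scanner group holds an Allow entry with read rights. This is an added example, not part of the original procedure or of SetACL; the function name Test-WinregReadAce, the host names and the DOMAIN value are assumptions. It also assumes the Remote Registry service is running on the targets and that it is run from an administrator account.

```powershell
# Added example: audit the winreg key DACL after SetACL has been run.
# Test-WinregReadAce is a hypothetical helper name, not a built-in cmdlet.
function Test-WinregReadAce {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,   # NetBIOS names of target hosts
        [Parameter(Mandatory)][string]$Trustee           # e.g. 'DOMAIN\qualys_scanners'
    )
    $path = 'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $need = [int][System.Security.AccessControl.RegistryRights]::ReadKey

    foreach ($computer in $ComputerName) {
        $hklm = $null; $key = $null
        $result = [pscustomobject]@{
            Computer = $computer; Trustee = $Trustee
            ReadGranted = $false; Rights = $null; Error = $null
        }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            # Request only the right to read the key's security descriptor.
            $key = $hklm.OpenSubKey($path,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                [System.Security.AccessControl.RegistryRights]::ReadPermissions)
            if ($null -eq $key) { throw "winreg key not found" }

            $acl = $key.GetAccessControl(
                [System.Security.AccessControl.AccessControlSections]::Access)
            $rules = $acl.GetAccessRules($true, $true,
                [System.Security.Principal.NTAccount])

            foreach ($rule in $rules) {
                $isTrustee = $rule.IdentityReference.Value -ieq $Trustee
                $isAllow   = $rule.AccessControlType -eq 'Allow'
                $hasRead   = (([int]$rule.RegistryRights) -band $need) -eq $need
                if ($isTrustee -and $isAllow -and $hasRead) {
                    $result.ReadGranted = $true
                    $result.Rights = $rule.RegistryRights.ToString()
                }
            }
        } catch {
            $result.Error = $_.Exception.Message
        } finally {
            if ($key)  { $key.Close() }
            if ($hklm) { $hklm.Close() }
        }
        $result   # one object per host
    }
}

# Constructed sample call; replace the host names and DOMAIN with your own.
# Test-WinregReadAce -ComputerName 'WKSTN01','WKSTN02' -Trustee 'DOMAIN\qualys_scanners'
```

Hosts that return ReadGranted = False with no Error did not receive the entry and need the SetACL command run again; hosts that return an Error could not be reached or queried.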

Still have questions?

Using Active Directory?

In some environments with Windows Active Directory domains and workstations running different versions of Windows, this method may be used to set registry keys remotely on certain workstations. In this case, if you set a domain-wide policy as described in option 1, registry keys are set for Windows 2000/2003/XP workstations only. For workstations running earlier versions of Windows, use the SetACL tool to change registry keys on these systems.