Liongard Ideas Portal

Submit and upvote ideas to make Liongard better. You have unlimited votes and can vote on each idea one time. 🙂

The Product Team is constantly reading your ideas and while we can’t promise that all ideas will become a reality, we value your feedback and promise to always have our Partners in mind when building and improving Liongard.

Check out our FAQs to learn more.

See what we've shipped by clicking here!

🗣️ We’re planning our roadmap and want to know what’s important to you!

Take our short survey now.

Least privileges for liongard agent

Based on the documentation, the agent requires a user with domain admin permissions (

Best practice is to deploy user accounts with least privileges possible.

Is Liongard able to articulate what permissions are required so a domain admin is no longer required?

  • Guest
  • Sep 2 2020
  • Shipped
Last Reviewed Date 2021-03-19
  • Attach files
  • David Markley commented
    1 Dec, 2021 11:18pm

    Maybe I'm checking too early, but the email alerts worked well...

    Can someone from Liongard comment or explain where the above requested information is and how this is Shipped status? I just checked docs and it still shows Domain Admins as suggested setup, and still mentions needing to finish updating the documentation on this page:

    • Assign the account the appropriate permissions for the inspectors you wish to run. We recommend adding the account to the domain administrators group. Liongard is currently working on documentation to scope this account down to the least necessary privileges, and it will be posted here when complete.

  • Greg Smith commented
    9 Aug, 2021 09:24pm

    All we want is visibility into the domain, so I'm sure this can be limited in scope. I know the documentation says that Liongard is working on it, but the docs have said that for years now. We can try to scope it down ourselves, but it would be nice to have more information on what the agent is doing and what it needs to accomplish its tasks.

    The "take privileges away until it breaks" game is not fun and always leaves us wondering what we missed or if anything is going to break in the future. I know this is a typical vendor problem and not exclusive to Liongard, but security is now at the forfront of our clients' minds not just our's, so shoring up these accounts is imperitive.

  • David Markley commented
    9 Aug, 2021 08:50pm

    This is unacceptable now; we must understand what's truly required from a privilege standpoint.

    Other security and monitoring tools are able to articulate from a WMI or AD privilege standpoint what is required. But it should be read-only access and a method that should work with AD.

  • Adam Evans commented
    13 Apr, 2021 05:37pm

    This! With evolving threats out there using privelage escalations and credential thefts the Liongard AD account with Domain admin could easily be used to crypto an entire org - even on devices such as workstations which Liongard doesn't even inspect.

    With compliance obligations, evolution within the security ecosystem, etc this should be a no brainer.