It is recommended that you create a dedicated Windows user account with Administrator rights (such as "qualys_account") to be used solely by the scanning engine for authentication purposes. We provide instructions showing how to set up a domain account for authentication and how to add this account to the Domain Administrators group. If possible, configure the user account so that the password does not expire.
An account with Administrator rights allows the scanning engine to collect information based on:
• Registry keys
• Administrative file shares (such as C$)
• Running services
Using an account with Administrator rights is recommended best practice for vulnerability scans. It's possible to use an account with less than Administrator rights; however, this limits scanning to fewer vulnerability checks, and scans will return less accurate, less complete results.
Using an account with Administrator rights is required for compliance scans. With an account that has less than Administrator rights, scans fail and do not return compliance data.
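A pre-scan check for the three data sources listed above, as an added example that is not part of the original documentation or the vendor's code: it tests whether the dedicated account can map C$, read an HKLM registry value, and list running services on one target. The function name, drive name and target host are hypothetical, and the registry and service checks go through WMI over DCOM as a stand-in, since the page does not describe how the scanning engine itself collects this data.

```powershell
function Test-ScanAccountAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $r = [ordered]@{ Host = $ComputerName; AdminShare = $false; Registry = $false; Services = $false }

    # 1. Administrative file share (C$): map it with the scan account, then unmap
    try {
        New-PSDrive -Name ScanChk -PSProvider FileSystem -Root "\\$ComputerName\C`$" `
            -Credential $Credential -ErrorAction Stop | Out-Null
        $r.AdminShare = $true
    } catch {
        Write-Verbose "Admin share: $($_.Exception.Message)"
    } finally {
        Remove-PSDrive -Name ScanChk -ErrorAction SilentlyContinue
    }

    # Checks 2 and 3 use WMI over DCOM (a choice made for this example only)
    try {
        $session = New-CimSession -ComputerName $ComputerName -Credential $Credential `
            -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
    } catch {
        Write-Verbose "WMI session: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # 2. Registry keys: read one well-known HKLM value through StdRegProv
    try {
        $reg = Invoke-CimMethod -CimSession $session -Namespace 'root/default' `
            -ClassName StdRegProv -MethodName GetStringValue -ErrorAction Stop -Arguments @{
                hDefKey     = [uint32]2147483650   # HKEY_LOCAL_MACHINE
                sSubKeyName = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                sValueName  = 'ProductName'
            }
        $r.Registry = ($reg.ReturnValue -eq 0)
    } catch { Write-Verbose "Registry: $($_.Exception.Message)" }

    # 3. Running services
    try {
        $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
            -Filter "State='Running'" -ErrorAction Stop
        $r.Services = (@($svc).Count -gt 0)
    } catch { Write-Verbose "Services: $($_.Exception.Message)" }

    Remove-CimSession -CimSession $session
    [pscustomobject]$r
}
# Test-ScanAccountAccess -ComputerName 'target01.example.local' -Credential (Get-Credential) -Verbose
```

Any column that comes back `False` points at a permission or firewall gap to resolve before relying on authenticated scan results for that host.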
The service does support trust relationships in Windows domain logins. In other words, you can use credentials stored on one domain to authenticate to one or more hosts stored on another domain when trust relationships are present. This is done by the scan targets automatically, using pass-through authentication.