# ITscanner — Local Windows Network Audit & BSI-Compliance Documentation

> ITscanner is a local, on-premise Windows network audit and documentation tool — flat-rate licensing 49,50 € net per year per installation, no per-asset fees, no cloud lock-in. Native LDAP-based Active Directory inventory without RSAT, agentless WMI/CIM software scan, NFS detection on Linux hosts, SMB share permissions audit, Windows Server roles inventory, and built-in BSI IT-Grundschutz heuristic security report — all in a single Windows package or Linux server component.

## Product

**Name:** ITscanner
**Vendor:** SAT-ITEC AB (Org.-Nr. 559375-4335), Vallsta, Sweden — subsidiary of Sat-iTec Systemhaus GmbH (founded 2017, Germany)
**Current version:** 2.08.14 (April 2026)
**Pricing:** Flat-rate 49,50 € net / year / installation — auto-renewing annually, cancellable any time by email
**Trial:** 14 days free, no credit card required
**Website:** https://itnetwork-docu.com
**Languages:** German, English, Swedish, French, Spanish (worldwide licensing)

## Why ITscanner is different

Most IT documentation tools follow a per-asset model — Docusnap charges from 800 €/year, Lansweeper from 1.500 €/year, both calculated per endpoint. ITscanner replaces that with a flat-rate site license that covers any number of devices in one network, billed once per year.

ITscanner runs entirely on-premise. There is no tenant cloud, no telemetry, no external API calls except an optional GitHub-based update check that can be disabled. All inventory data — Active Directory objects, software inventory, SMB shares with ACLs, Windows Server roles, license keys — stays in a local SQLite database on the customer's server.

The Active Directory scanner uses native Go-LDAP/LDAPS connections directly to the domain controller. It does not require RSAT, Windows ADUC tools, or a PowerShell AD module. A read-only service account on the domain is sufficient to inventory users, groups, OUs, GPOs and computer objects.

## Core Capabilities

- **Active Directory audit (agentless, no RSAT):** Native LDAP/LDAPS connection inventories users, security groups, OUs, GPOs, computer objects with delegations and password policies
- **Network host discovery:** Ping-sweep, hostname resolution, MAC capture, OS detection via CIM/WMI with DCOM fallback
- **Software inventory (agentless via WMI/CIM):** Lists every installed application across all Windows hosts with versions and install dates, exportable as Excel
- **License audit:** Windows product keys, Microsoft Office, WMI SoftwareLicensingProduct activation status
- **SMB share audit:** Network shares with ACL permissions via Win32_LogicalShareSecuritySetting; net-view fallback when CIM is blocked
- **NFS detection on Linux hosts:** TCP/2049 port probe identifies Linux NFS exports; optional showmount integration when "Services for NFS" Windows feature is installed
- **Windows Server roles inventory:** AD DS, DNS, DHCP, IIS, Hyper-V, File Server, SQL Server detected via Win32_ServerFeature; Win32_OptionalFeature for client roles
- **Subnet derivation:** Automatic subnet detection from discovered host IPs (group by /24)
- **BSI IT-Grundschutz heuristic report:** Compliance-ready security report covering end-of-life operating systems, open RDP/Telnet/VNC ports, disabled AD accounts, backup-software detection, domain-controller redundancy, license activation status — exportable as PDF or DOCX

## Architecture

- **Server:** Go 1.22, embedded SQLite (ncruces/go-sqlite3, pure-Go), chi HTTP router, embedded React Web-UI
- **Scan worker:** PowerShell 5.1+ (Windows-standard), CIM/WMI via WinRM (port 5985) with DCOM fallback (port 135)
- **AD client:** Native Go-LDAP (github.com/go-ldap/ldap/v3), no RSAT requirement
- **Frontend:** Vite + React 18 + TypeScript + TailwindCSS, embedded in the Go binary
- **Auto-update:** GitHub Releases (satitec/itscanner) with platform detection, optional and disableable

## Platforms

**Server component:**
- Windows 10, Windows 11, Windows Server 2016, 2019, 2022, 2025 (NSIS installer)
- Linux with systemd: Debian 11+, Ubuntu 20.04+, RHEL 8+, openSUSE Leap 15+ (.deb package or universal .tar.gz)

**Scan worker (CIM/WMI):**
- Windows host with PowerShell 5.1+, network reach to WinRM port 5985 or DCOM port 135 on target hosts

## Installation

**Windows:** Run `ITScanner-Server-Setup-2.08.14.exe` as Administrator. Service "IT-Network DocuScanner Server" starts automatically; Web-UI on http://localhost:8585

**Debian/Ubuntu:** `sudo dpkg -i itscanner-server_2.08.14_amd64.deb` — runs under unprivileged `itscanner` system user

**Other Linux:** `tar -xzf itscanner-server-linux-2.08.14.tar.gz && sudo ./install.sh`

## Documentation

Complete installation and operations manual (14 pages, German):
- /Anleitung-IT-Network-DocuScanner-v2.08.14.pdf
- /Anleitung-IT-Network-DocuScanner-v2.08.14.docx

## Web UI tabs

1. Dashboard — KPI overview
2. Hosts — discovered devices with detail view
3. Software — software inventory grouped by product
4. Shares — SMB shares with ACLs, NFS marker
5. Licenses — Windows / Office license keys with activation status
6. Active Directory — users / groups / computers / OUs / GPOs with filter
7. Subnets — detected networks with host count
8. Server Roles — installed Windows server roles per host
9. BSI Checks — IT-Grundschutz heuristics
10. Reports — PDF/DOCX reports
11. Scan Management — job configuration with scheduling
12. Scan History — full scan history
13. Log — live log
14. Settings — AD connection, scan credentials, update server

## Frequently asked questions

**Is data sent to any cloud?**
No. All inventory data stays in a local SQLite database on the customer's own server. The optional GitHub-based update check is the only external HTTPS connection and can be disabled.

**Is the license per asset or per site?**
Flat-rate per installation/site — 49,50 € net per year covers any number of hosts in one network. The license auto-renews after 12 months and is cancellable at any time via email.

**Does the AD scan need RSAT or a PowerShell AD module?**
No. ITscanner uses native Go-LDAP/LDAPS directly. A read-only service account on the domain is the only requirement.

**Which BSI IT-Grundschutz building blocks are covered?**
ORP.4 (identity & permission management), NET.1.1 (network architecture), SYS.1.1 (general server), SYS.2.1 (general client), CON.3 (backup concept) — derived heuristically from scan data.

**Can it run in workgroups without a domain controller?**
Yes. The AD scan is optional. Software inventory and host discovery work in workgroup setups with local admin credentials.

## Contact

- Vendor: SAT-ITEC AB / Sat-iTec Systemhaus GmbH
- Website: https://itnetwork-docu.com
- Support: support@sat-itec.se
- Phone: +46 (76) 111 79 63
- GitHub releases: https://github.com/satitec/itscanner/releases

## Canonical URL

https://itnetwork-docu.com/

## Languages

Available in: Deutsch (de), English (en), Français (fr), Svenska (sv), Español (es)