Remote Control - Understanding the User Accounts Involved in Remote Control

Version 2

    Verified Product Versions

    LANDESK Management Suite 9.5
    LANDESK Management Suite 9.6

    Description

    More user accounts are involved in the Remote Control process than one would assume. There is much more to secure authentication than just the user account used to log into the Web Console or 32-bit Console. This article explains these different user accounts.

    In this article, "user account" refers to any account that takes part in the Remote Control process.

    User Accounts Involved in Remote Control

    It is important to know which accounts are involved and where they are involved. It is particularly important to know which user account a process is running under, although all of the accounts involved matter.

    The following user accounts may be involved when performing remote control:


    Viewer Side (ISSCNTR.EXE)

    • The user logged into the Operating System where the Remote Control Viewer is launched.
    • The user account entered when the viewer prompts for credentials.

    Agent Side (ISSUSER.EXE)

    • Local System (if running as a service as part of the agent)
    • The user logged into the agent workstation's Operating System (if running the on-demand agent from the Management Gateway)

    Core Server

    • The user in the LANDesk Management Suite group (used to log into the 32-bit console or the web console).
    • On the Core Server, the identity configured for the LANDesk1 COM+ Application. By default this is an account local to the Core Server called LANDeskComPlus.

    Domain Controller (Optional)

    Any user accounts or groups that are created on the Domain Controller for use by LANDesk:

    • (Optional) Groups, sub-groups and users that may be added to the LANDesk Management Suite group on the Core Server.
    • (Optional) A LANDesk Service account.

    Example of a Working Design

    The following information describes an example of how these user accounts can differ from one another.

    Viewer Side (ISSCNTR.EXE)

    A user who acts as a Remote Control viewer may have an Active Directory account, but they may also have a local account on their workstation.

    Local Account: PC1\JDoe

    Domain Account: YourDomain\JDoe

    Logged into the Operating System: PC1\JDoe

    Logged into the Web Console or 32-bit Remote Console: YourDomain\JDoe

    In this situation, ISSCNTR.EXE will launch under the user context of PC1\JDoe. Neither the web console nor the 32-bit remote console attempts to run ISSCNTR.EXE as the user that is logged into the console; instead, they let the user logged into the local operating system open ISSCNTR.EXE.

    When ISSCNTR.EXE connects to the Core Server, it only passes the credentials of the user under which the process is running. In this case, the process is running as PC1\JDoe, an account that exists only on the viewer's operating system and has no rights on any other machine. These credentials will fail, and the Remote Control viewer will prompt for additional credentials.

    Agent Side (ISSUSER.EXE)

    The LANDesk Agent is installed as a service, so the LANDesk Remote Control Service runs ISSUSER.EXE as the Local System account.

    Core Server

    The Core Server could have the following configuration:

    LANDesk1 COM+ Application Identity: YourDomain\LandeskServiceAccount

    Users in the LANDesk Management Suite Group:

    • Administrator (Local Core Server administrator)
    • YourDomain\LandeskServiceAccount (Domain Service Account)
    • YourDomain\LANDeskAdmins (Domain Group)
    • YourDomain\JThomas

    The LANDesk Management Suite Group is populated using a domain group called LANDeskAdmins. Because the LANDesk1 COM+ Application Identity is running as a domain account, the members of these domain groups can be enumerated without issue.

    If the LANDesk1 COM+ Application identity were running as the default local account, LANDeskComPlus, domain group enumeration would fail, because the LANDeskComPlus user local to the Core Server has no permission on the domain. However, because YourDomain\JThomas is added directly to the LANDesk Management Suite Group, his account would continue to function: no domain group enumeration is necessary to verify that this user is in the LANDesk Management Suite Group.

    Domain Controller

    The following could be an example group layout:

    YourDomain\LANDeskAdmins contains:

    • YourDomain\LANDeskRCUsers (Domain Group)
    • YourDomain\MMichaels
    • YourDomain\JThomas

    YourDomain\LANDeskRCUsers contains:

    • YourDomain\JDoe

    Because YourDomain\JDoe is a member of a group nested inside another group on the domain, permission to enumerate groups on the domain is required before that membership can be resolved. Only a domain user can enumerate groups on the domain, and the LANDesk1 COM+ Application Identity is the account used to perform that enumeration.
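    The following PowerShell, added here as an example and not part of the original article, checks the points made in the Core Server and Domain Controller sections above: the identity the LANDesk1 COM+ application runs as, the direct members of the local LANDesk Management Suite group, and which domain users reach the console through nested domain groups such as LANDeskAdmins and LANDeskRCUsers. It assumes the RSAT ActiveDirectory module is installed on the Core Server, and the group and account names are the article's example values; the last step is run on the viewer workstation instead.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the Core Server as a domain account; group names are the article's
# example values and must be replaced with your own.

# 1. Which identity does the LANDesk1 COM+ application run as?
#    A Core-local identity (the default LANDeskComPlus) cannot expand domain groups.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()
foreach ($app in $apps) {
    if ($app.Name -eq 'LANDesk1') {
        'LANDesk1 COM+ identity: {0}' -f $app.Value('Identity')
    }
}

# 2. Direct members of the local LANDesk Management Suite group.
#    PrincipalSource shows whether each entry is Local or ActiveDirectory.
$lmsGroup = 'LANDesk Management Suite'
$members  = Get-LocalGroupMember -Group $lmsGroup
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. Expand every domain group in that list recursively. A user such as
#    YourDomain\JDoe only appears here if domain enumeration succeeds; a user
#    added directly (YourDomain\JThomas) is already listed in step 2 and needs
#    no domain lookup at all.
Import-Module ActiveDirectory
$domainGroups = $members | Where-Object {
    $_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory'
}
foreach ($g in $domainGroups) {
    $sam = ($g.Name -split '\\')[-1]   # 'YourDomain\LANDeskAdmins' -> 'LANDeskAdmins'
    Get-ADGroupMember -Identity $sam -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { '{0} reaches the console through {1}' -f $_.SamAccountName, $g.Name }
}

# 4. Viewer side (run on the viewer workstation): which account is ISSCNTR.EXE
#    actually running as? That account's credentials are what reach the Core first.
Get-CimInstance Win32_Process -Filter "Name = 'ISSCNTR.EXE'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    'ISSCNTR.EXE runs as {0}\{1}' -f $owner.Domain, $owner.User
}
```

    If step 1 reports a Core-local identity, step 3 is expected to fail, which matches the behaviour described above for LANDeskComPlus.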

    Conclusion

    Because so many accounts are involved, it is important to know which account each component runs under, so that each of these accounts can be verified when an issue occurs and troubleshooting is necessary.