9 Replies Latest reply on Feb 8, 2011 1:16 PM by irishmn76

    Using another account for software distribution(non-local-system)

    Rookie

      Hi. I am currently on LDMS 9 SP2, on a 45 day trial. I see for Software Distribution, the only options permissions-wise are local system account and currently logged in user. Is there a technical reason for not allowing us to use a specified account here?

       

      Patiently Awaiting Answer,

       

      Nathan

        • 1. Re: Using another account for software distribution(non-local-system)
          Rookie

          Interestingly, the Scan and repair Settings(MSI Information), allows for entering alternate credentials. This is what I'm referring to. Thanks alot.

          • 2. Re: Using another account for software distribution(non-local-system)
            zman Master

            Why would you want to use alternative credentials for software distribution? Are you having problems with a particular application?

            • 3. Re: Using another account for software distribution(non-local-system)
              Rookie

              I was able to get on the phone with OS Support and they answered my question. In working with Configuration Manager and Altiris(and even KACE) in the past... Normally you have access to enter alternate credentials into (a RUNAS, of sorts). Such as a domain administrator, or some other designated service account/workstation administrator for software installations. I was surprised to not see this in LDMS9. Support then explained (and referenced some documents for further reading), regarding how to succesfully use the Local System Account to run software deployments/batch files, etc. In some environments, i am not sure that using local system would be a viable option, since you have to grant the "Computer Accounts" group R/W access to the pertinent shares on the server. Any thoughts on this anyone? Any ideas if this is going to be developed into the next release/version?

              • 4. Re: Using another account for software distribution(non-local-system)
                Rookie

                It's actually more of a curiosity question, since every systems management product I have ever worked included this option. Not a particular issue or problem with a specific application, yet.

                • 5. Re: Using another account for software distribution(non-local-system)
                  zman Master

                  Understood. We have an Enhancement Request section if you would like to post an enhancement for future releases. There is one already but it is not getting a lot of votes http://community.landesk.com/support/ideas/2018. I think I asked once and was told it would be some sort of security risk. I've come across very little applications that would not install as the local system account.  Also, I'm not sure this still exists in 9.0 but in other versions if you selected run from source and used preferred server, it would use your preferred server credentials.

                  • 6. Re: Using another account for software distribution(non-local-system)
                    Rookie

                    I appreciate your response. It seems the link you sent me is restricted, as I can't view it. I am still on a 45 day trial with 9.0 SP2, maybe that's why. I will look into your suggestion, though.

                    • 7. Re: Using another account for software distribution(non-local-system)
                      Apprentice

                      I've only had a couple instances where this was a problem, and most were solvable with some...finangeling.  For instance, you can write a script that you can pass credentials to in the command line, and have the script do a runas.  Assuming your primary concern was giving everything access to a network share, you could grant a service account access.  If credentials were ever compromised, it wouldn't be a big deal, but it provides more security than giving everyone access.

                       

                      LANDesk is a great tool.  I've found very few things that I couldn't do with LANDesk, but with great power comes great work.  I found a lot of other products do more hand holding.  LANDesk on the other hand can often be more of a blank canvas.  They give you everything you need to get your job done, and do it well, but you have to put it all together.  While some suites give you one way to do something, it's not unusual to be able to come up with 2-5 valid, but completely different ways to do a task in LANDesk.  For instance, you can deploy software using Software Distribution, Patching, Provisioning, or Scripts.  Pick one and then you have even more options on how to do things.  It can be intimidating at first, but it's pretty slick how they run things in the background.

                      • 9. Re: Using another account for software distribution(non-local-system)
                        irishmn76 SupportEmployee

                        If you have a network share that we need to access to download or stream in the install from, put it in the perferred servers list.  That way when it goes to authenticate against that share it will use the correct credentials and not use local system.  That's how LANDesk gets around the issues of making domain computers or everyone have rights to shares on the network.  Leveraging preferred servers and installing as local system should give you the majority of the things you need.  If there still a problem and you need to install as some defined user, say for access to HKCU, install as a patch as we have exposed the runas option there in the scan and repair settings.

                         

                        Hope that helps.