4 Replies Latest reply on Feb 25, 2011 8:46 AM by SteveW

    Provision question(s)

    Apprentice

      Just starting to get into Provisioning and I had a few questions. This is in Landesk 9.0 SP2 if it matters.

       

      1. If someone logs into the provisioning pxe menu, can you use the domain/username/password in variables in your provisioning task?

      2. Is there some trick to getting HII to kick off.  It doesn't appear to matter where I place it in the Post-OS installation section, it fails every time and rather quickly. Last error code was internal status -2147477501 external status 0.  It is set to auto detect and I have tried with the use unc checked and unchecked.

       

      Thanks for any help or ideas,

      Steve

        • 1. Re: Provision question(s)
          Apprentice

          I don't understand what you mean with point 1, but point 2: Make sure that the system that you are imaging is also available in HII. Map at least 1 driver to this specific hardware else the job will fail.

           

          Jan

          1 of 1 people found this helpful
          • 2. Re: Provision question(s)
            Apprentice

            When you go boot into the Provisioning menu, you are prompted for a domain, username and password if the machine did not fall into a provisioning task automatically.  I was wondering if you can use those provided credentials.  So if one of our 10 workstation installers runs a public provisioning task, I use then credentials to add the machine to the domain in his/her name.

             

            Steve

            • 3. Re: Provision question(s)
              Specialist

              you would likely have to dig around and/or ask support for a FULL list of environment variables in order to answer this question.  What you are looking for is an environment variable for WINPE which contains the credentials used to load the provisioning template.  Based on my experience I have not seen any evidence that such a value actually exists.  This could be a dead end for you.

               

               

              I might make a suggestion, however, based on how you might answer the following question:

               

              "do you really need to use the same supplied credentials for the purposes of adding a machine to the domain?"

               

              I can't tell you your business, but in my environment I've never needed to know who added what machines to the domain, and frankly I have no idea how I would go about finding it.  In the even that it isn't important, or you want to limit your 10 users in some way, it IS possible to have those administrators add machines to the domain using provisioning without actually having to have DOMAIN ADMIN credentials.  You have already stated that your users can authenticate themselves and gain access to PUBLIC provisioning templates.  It would be possible for your provisioning template to utilize one set of DOMAIN ADMIN credentials without you having to supply those credentials to your users.

               

              We have a single domain admin account setup for Landesk and all of our provisioning tasks use that set of credentials.  We have two PUBLIC VARIABLES that we use to plug the credentials into PROVISIONING, one for %lduser% and one for %ldpass%.  The latter varible is setup as SENSITIVE DATA so the actual password is ***'d out where nobody can see it.  Theoretically I could grant access for PUBLIC provisioning templates to one or more lay-users and they could perform a host of administrative tasks using provisioning but in this way they would only be able to do what I allowed them in provisioning; they would not be able to somehow extend their reach beyond provisioning and do damage elsewhere.

               

              -i'm not sure if this helps, but good luck in any event.

              • 4. Re: Provision question(s)
                Apprentice

                Thanks for the response, Aspen Skier

                 

                We have a much more locked down environment.  No domain admin account is used with Landesk at all in our environment.  Our workstation installer have rights to create objects only in specific OUs.

                 

                You can easily tell who added a machine to the domain by checking the Creator/Owner of the object.   Our security regularly monitor who creates objects.  Just trying to see if we can efficiently work within those imposed rules.

                 

                I will give the forum route a couple of days opening a case with Landesk. :-)  I always have the option of creating a task for each installer instead if this is a dead end.

                Steve