1 of 1 people found this helpful
I don't understand what you mean with point 1, but point 2: Make sure that the system that you are imaging is also available in HII. Map at least 1 driver to this specific hardware else the job will fail.
When you go boot into the Provisioning menu, you are prompted for a domain, username and password if the machine did not fall into a provisioning task automatically. I was wondering if you can use those provided credentials. So if one of our 10 workstation installers runs a public provisioning task, I use then credentials to add the machine to the domain in his/her name.
you would likely have to dig around and/or ask support for a FULL list of environment variables in order to answer this question. What you are looking for is an environment variable for WINPE which contains the credentials used to load the provisioning template. Based on my experience I have not seen any evidence that such a value actually exists. This could be a dead end for you.
I might make a suggestion, however, based on how you might answer the following question:
"do you really need to use the same supplied credentials for the purposes of adding a machine to the domain?"
I can't tell you your business, but in my environment I've never needed to know who added what machines to the domain, and frankly I have no idea how I would go about finding it. In the even that it isn't important, or you want to limit your 10 users in some way, it IS possible to have those administrators add machines to the domain using provisioning without actually having to have DOMAIN ADMIN credentials. You have already stated that your users can authenticate themselves and gain access to PUBLIC provisioning templates. It would be possible for your provisioning template to utilize one set of DOMAIN ADMIN credentials without you having to supply those credentials to your users.
We have a single domain admin account setup for Landesk and all of our provisioning tasks use that set of credentials. We have two PUBLIC VARIABLES that we use to plug the credentials into PROVISIONING, one for %lduser% and one for %ldpass%. The latter varible is setup as SENSITIVE DATA so the actual password is ***'d out where nobody can see it. Theoretically I could grant access for PUBLIC provisioning templates to one or more lay-users and they could perform a host of administrative tasks using provisioning but in this way they would only be able to do what I allowed them in provisioning; they would not be able to somehow extend their reach beyond provisioning and do damage elsewhere.
-i'm not sure if this helps, but good luck in any event.
Thanks for the response, Aspen Skier
We have a much more locked down environment. No domain admin account is used with Landesk at all in our environment. Our workstation installer have rights to create objects only in specific OUs.
You can easily tell who added a machine to the domain by checking the Creator/Owner of the object. Our security regularly monitor who creates objects. Just trying to see if we can efficiently work within those imposed rules.
I will give the forum route a couple of days opening a case with Landesk. :-) I always have the option of creating a task for each installer instead if this is a dead end.