10 Replies Latest reply on Mar 8, 2013 3:46 PM by Frank Wils

    Provisioining rights


      Is it possible to allow someone to launch a template by launching ldprovision.exe, but not allow them to schedule a template from the console?  We want to restrict who has the ability to accidentally reimage all PC's in our domain

        • 1. Re: Provisioining rights

          What about creating scopes?

          • 2. Re: Provisioining rights
            Frank Wils ITSMMVPGroup

            Creating scopes will both limit the devices that can be provisioned through tasks and through the WinPE Provisioning so that won't help you to much. You might consider creating a special provisioning user that you can use for WinPE provisioning only and restrict access to Provisioning to the other users.


            But do consider, if you have system administrators that you don't trust to do their job right, Provisioning is not the only thing that can harm all devices in your network



            1 of 1 people found this helpful
            • 3. Re: Provisioining rights
              JeremyG Apprentice

              I have had this same concern.    If i had a good solution, I would file an enhancement reuqest.    The only decent solution I've had is a trick broughnt up at Interchange one year:


              Add a SQL trigger so that when inventory from an unmanaged device comes in from the WinPE boot disk, that it is added to a special scope.


              I will try to locate my documentation on this procedure when I have some time.

              • 4. Re: Provisioining rights
                bnelson Employee

                So your initial question was can somebody launch provisioning but not have control over scheduling the templates. right? The quick and dirty answer is yes. If your template starts in the Pre OS Installation pass of the template then it will wait for the device to PXE boot before it launches. That means you or another trusted admin can do the scheduling and allow the other support to reboot the machine into PXE.

                • 5. Re: Provisioining rights

                  @ Jeremy


                  Yes, please - I would like to see that documentation!  However, adding it to a special scope, still does not get me around the issue of having to grant all tech's the Provisioning Role, which allows them to get in the console and schedule jobs.  I actually did create a special scope for devices with only a mini-scan and added that to our tech's rights.

                  • 6. Re: Provisioining rights

                    @ bnelson


                    That would technically work, but our environment handles multiple reimages a day and we don't want to have to have a LANDesk admin schedule a reimage every time one is needed.  Even with a competent admin doing this, the wrong device, or even worse - a query, might get scheduled and started.

                    • 7. Re: Provisioining rights
                      Frank Wils ITSMMVPGroup

                      You are right. When launching provisioning in WinPE you actually 'schedule' a task in the background. Although very interesting, scopes will restrict them in all their work.


                      You could make an Enhancement Request to limit rights in roles to specific scopes... So, 1 scope for software distri, another scope appointed to provisioning, etc.



                      • 8. Re: Provisioining rights
                        bnelson Employee

                        Have them manually PXE boot to WinPE managed and select the template that way.

                        • 9. Re: Provisioining rights

                          That just made me realize that I can create a custom Role.  What "Permission" grants access to the console?

                          • 10. Re: Provisioining rights
                            Frank Wils ITSMMVPGroup

                            None. Access to the Console is arranged by membership of the core's local LANDesk Managementsuite usergroup.