3 Replies Latest reply on May 9, 2016 7:34 AM by NickCK

    LANDesk service account requirements

    davidberino Apprentice

      Hello,

       

      Apologies in advance if this has been touched on, but is there any reason why a service account (used for COM services, scheduler and replication) needs to be a Domain Admin in AD? Can it get away with direct RO/RW permissions to Preferred Servers in replication? Just need a little clarification on this.

       

      Much appreciated,

      David

        • 1. Re: LANDesk service account requirements
          SupportEmployee

          Hi,

           

          It is not a must to have a Domain Admin account in the COM+, but you will need an account, that has sufficient access on AD with READ access to the Active directory structure.The user should be able to enumerate the AD structure from the root level.

          (NOTE: Although an account with read access is sufficient in most cases, differences in AD configurations and restrictions in different environments may require a Domain Administrator or Service account to be used in order for AD access to work properly.)

           

          The password in the COM+ object identity is not sent in clear text. It never sends the password anywhere. It is only used to query the AD, so the only traffic would be between the server and the domain controller, and that uses standard Microsoft methods for accessing the AD structure.

           

          KH.

          • 2. Re: LANDesk service account requirements
            davidberino Apprentice

            A fantastic answer and a good reference for all those implementing LANDesk to their environment.

             

            Support provided a reference article here for anyone else interested in this:

            https://community.landesk.com/docs/DOC-39459

            • 3. Re: LANDesk service account requirements
              Rookie

              Just to support this answer, we've been using 9.6 SP2 for quite some time without domain admin credentials. The only real downside we've seen is not being able to deploy an agent using unmanaged device discovery. Not really an issue since we have the RPC ports closed on the local firewall anyway.