Are Domain Admin rights required to run Altiris Services

Created: 18 Apr 2014 | 5 comments

Hi All,

1. In my environment, the Altiris Services on the Notification Servers currently run with dedicated AD ID (which is mentioned under Application Identity) credentials. If we change it to "Local System Account", will it work, or is it required for running services?

2. The domain ID which is mentioned in Application Identity has Domain Admin rights. What will be the impact if we remove the Domain Admin group membership for this ID and add the same ID to the "Local Administrator" group on local systems through AD Group Policy?

4. Is Domain Admin group membership required for the ID which is used for running Altiris Services?

My environment is mixed: Active Directory as well as workgroup computers.

Single NS, 1 DB, 3 Task servers and 60 PS.

Please help.

SK's picture

The appid can be just a normal domain user as long as it has admin rights to its own server.

Doing so, however, will mean that other accounts will need to be used instead of the appid whenever admin rights on clients are needed.

Connect Etiquette: "Mark as Solution" those posts which resolve your problem, and give a thumbs up to useful comments, articles and downloads.

luke.s's picture

Hi vinayak patil,

By default the Altiris Services will run using the ApplicationId account defined during the installation. This is the recommended mode of operation. This account needs local administrator rights to the Notification Server.

Regards,

If the suggestion has helped to solve your problem, please mark the post as a solution.

Fábio Sanches
IT Technical Manager | WTR Services | www.wtrservices.com.br

vinayak patil's picture

Hi, thanks.

So do you mean the ID mentioned under "Application ID" does not require Domain Admin rights?

If yes, how to push agents remotely on domain systems?

Regards

SK's picture

That is correct. The push page, like other areas that require credentials, allows you to specify an account that can perform the required action.

JBroniec's picture

A few points on this:

1. Whichever account you're leveraging for the application service will be, by default, the account used to authenticate and install a client agent during agent push. With that being said, you'll want to ensure:

   A. The account has local administrator rights on the client you're pushing to.

   B. The account has file level access to the folder repositories where your agents download from.

2. If I want to use a different account to push the agents (in cases where we don't have Active Directory, or our servers have multi-tenant security scopes which grant different specific accounts local admin access on the client), you can specify a different account in the Agent Push screen.

3. If you're watching the Altiris log viewer during agent installation, and you notice a warning message about not being able to validate a computer's DNS entry prior to agent delivery, don't worry about that message. It will deliver under IP enumeration just fine.
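
An added example, not part of any post in this thread: a PowerShell audit to run on the Notification Server before removing the Domain Admins membership discussed above. It lists the logon account of each Altiris service and reports whether that account is in Domain Admins and in the server's local Administrators group. Assumptions: the services are matched by the display-name pattern `*Altiris*`, the ActiveDirectory module (RSAT) is installed, and Windows PowerShell 5.1 or later is available for `Get-LocalGroupMember`.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit service logon accounts on the Notification Server.
param(
    # Assumed display-name pattern; adjust it to match your installation.
    [string]$ServiceFilter = '*Altiris*'
)

# Built-in service identities; these are not domain accounts.
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

# Recursive lookup, so membership through nested groups is caught as well.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Direct members of local Administrators, reduced from DOMAIN\name to the bare name.
# Membership through a nested group (for example one added by Group Policy)
# appears here as the group's name, not as the account.
$localAdmins = (Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name) -replace '^.*\\'

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $ServiceFilter -and $_.StartName } |
    ForEach-Object {
        $logon = $_.StartName

        # Accept both DOMAIN\user and user@domain forms of the logon name.
        $sam = if ($logon -match '\\') { ($logon -split '\\')[-1] }
               else { ($logon -split '@')[0] }

        # .\user is a local account, so it cannot be a Domain Admins member.
        $isDomainAccount = ($builtIn -notcontains $logon) -and
                           (-not $logon.StartsWith('.\'))

        [pscustomobject]@{
            Service          = $_.Name
            LogonAccount     = $logon
            InDomainAdmins   = $isDomainAccount -and ($domainAdmins -contains $sam)
            # Name-only comparison: confirm the domain part by hand if a local
            # account and a domain account share the same name.
            DirectLocalAdmin = ($localAdmins -contains $sam)
        }
    } | Format-Table -AutoSize
```

A row with `InDomainAdmins` true and `DirectLocalAdmin` false means the account currently gets its rights on this server only through Domain Admins, so add it to local Administrators before removing the domain group membership.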