Symantec Management Platform (Notification Server)

  • 1.  Giving Network Access to Local System Account (Managed SMP Policies)

    Posted Jun 06, 2011 10:06 PM

    Hey team,

    We're testing out some new software deployment scripts in NS7 and we're having some trouble with permissions.

    Basically, I've got a managed policy that executes a PowerShell script that lives on a UNC share in our domain.

    If I run the policy with one of our domain accounts, it works no problem.

    However, I would like the managed policy to run with the Symantec Management Agent credentials (so we don't have to specify credentials for each policy).

    This means that it's running as the Local System account.

    The problem is, we get an error whenever the policy tries to run the script.

    I can see in the event viewer on the client machine that when the policy runs, the domain\computer$ account launches PowerShell (as it should) but then fails. If I output the errors to a text file, I get the following:

    The term '\\domain\smp\test.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

    Fair enough, this is PowerShell's way of saying that it doesn't have permission to access that share. This makes sense, as the local system account doesn't have access to the network by default.

    So I go to the folder on that share, say \\DOMAIN\SMP\ and give the computer account I'm testing on (DOMAIN\COMPUTERNAME$) explicit access to it. It doesn't work.

    OK, I give the Everyone group full access to the share. Still doesn't work.

    Last resort, I give the Anonymous group full access to the share. Still doesn't work!

    I've seen people in other departments do the exact same thing we are trying to do. I assume I'm just missing something here. Does anyone have any suggestions?

    Any help would be very much appreciated!

    Cheers
    Rhys



  • 2.  RE: Giving Network Access to Local System Account (Managed SMP Policies)

    Posted Jun 07, 2011 04:41 AM

    Suggestion - why not ask the people in the other departments how they are doing it? Got to be the simplest way to get a solution that definitely works in your environment.

    Null session shares / pipes are one method of allowing anonymous access to server shares - along with the security issues this can create. Depending on what server software you use, this could also be an option.



  • 3.  RE: Giving Network Access to Local System Account (Managed SMP Policies)

    Posted Jun 07, 2011 10:58 AM

    with the machine account. Since the request is being initiated by the SMP, did you try adding the SMP computer account to the share?



  • 4.  RE: Giving Network Access to Local System Account (Managed SMP Policies)

    Posted Jun 07, 2011 08:05 PM

    Thanks for the replies.

    Yeah I've been in contact with the other department, and they just added the standard 'Domain Computers' security group to the folder to get it to work.

    I've tried that, along with the explicit computer account, everyone and anonymous as above.

    So there's something funny going on here.. maybe to do with other group policy settings..

    Jim - I added the machine account for the NS server to the folder permissions too, but still no dice.

    As a side note, I have no problem running scripts as system from the SYSVOL on the AD servers. Just anything inside the DFS share is where I run into problems.