Using Restricted Groups to Add the Altiris NS Service Account to Workstations Local Administrators Group – For Altiris Agent Push Installation 

Sep 22, 2010 11:10 AM

In order to push out the Altiris NS Agent via the Altiris Install option, three things must be in place. The account used to push the Altiris Agent (usually the application identity account, though this can be overridden) must have the following security rights:

  • Write access to the machine's ADMIN$ share
      • Therefore, administrative shares cannot be disabled, or else our push technology will not work.
  • Membership in the local Administrators group
      • This is what allows us to spawn the process that installs the software.
  • WMI management enabled on the machine
      • This is how we spawn the actual process that performs the agent installation.

While it is possible to make the Altiris application identity account a domain admin, this is not recommended from a security perspective, as domain admins have far more rights than just administrative rights on the computers in the domain. Also, with restricted groups you can limit the scope to specific machines, something you cannot do with a domain admin account. Remember, this is only for installation. After the installation is performed from Altiris, we actually don’t need any rights, as the Symantec Management Agent runs in the SYSTEM context.

This is also the only other way, apart from login scripts, to push out the Altiris Agent when there are multiple domains.

Steps:

  1. Open up “Active Directory Users and Computers”.
  2. Create a “Domain Local” security group. For our example, we will create the group “Local Workstation Administrators”.
  3. Add the Altiris NS service account to the group created in step 2.
  4. Close out of “Active Directory Users and Computers”.
  5. Open up “Group Policy Management”.
  6. On the OU where you would like to add the Altiris application identity to the local Administrators group, right click and choose “Create a GPO in this domain, and link it here”.
  7. Then name the policy.
  8. Now right click on the policy and choose “Edit”; the following screen should come up.
  9. Expand Computer Configuration → Policies → Windows Settings → Security Settings and click on Restricted Groups.
  10. Right click on Restricted Groups and click “Add Group”.
  11. Name this group the same as the group you created in step 2.
  12. Click OK. This will then bring up the following screen.
  13. Since we want to append our group to the local Administrators group, not overwrite everything in the local Administrators group, we want to click the “Add” button next to “This group is a member of:”.
  14. In the box that is brought up, type in “Administrators”, as is shown below.
  15. Click OK, OK, then close out of “Group Policy Management”.
  16. Now on a workstation that is under that OU, open a cmd prompt and run gpupdate /force to apply the settings (by default this will happen in 15 minutes or so, depending on your Active Directory setup).

Before:

After:

  17. You are now finished. The “Local Workstation Administrators” group has been added to the local group “Administrators”.


Agent Push Troubleshooting

Verify the security rights:

  1. From the NS Server, logged in as the application identity, click on Run and type in \\workstationname\admin$. If you get anything other than a listing of the files in the remote computer's Windows directory, then you do not have sufficient rights.
  2. From the NS Server, logged in as the application identity, open up Computer Management. From Computer Management, right click and choose “Connect to another computer”. Type in the name of the workstation you are attempting to push the Altiris Agent to. Once it connects, see if you can view Local Users and Groups. If not, you do not have administrator rights.


Check installation files:

  1. Under C:\Windows, check whether there is a file called AeXNSCInstSvc.msi. This is the installation file. If it was not copied down, see step 1 under “Verify the security rights” above.
  2. Check the installation log file, AeXSWDInstSVC.log.
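The manual checks above can be scripted. The following PowerShell script is an added example (not from the original article or from Symantec) that, run on the NS server while logged in as the application identity, tests the three push prerequisites against one workstation: ADMIN$ read/write access, membership of our domain group in the local Administrators group (i.e. that the Restricted Groups policy has applied), and remote WMI. The parameter names and the probe file name are assumptions.

```powershell
# Added example, not part of the original article. Run on the NS server as the
# application identity. $Workstation and $PushGroup are assumed parameter names.
param(
    [Parameter(Mandatory = $true)][string]$Workstation,
    [string]$PushGroup = 'Local Workstation Administrators'   # group created in step 2
)

$results = [ordered]@{}

# 1. ADMIN$ share reachable and writable (the agent MSI is copied here).
$adminShare = "\\$Workstation\admin$"
$results['ADMIN$ readable'] = Test-Path $adminShare
try {
    $probe = Join-Path $adminShare 'AeXPushProbe.tmp'   # hypothetical probe file name
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Remove-Item $probe -ErrorAction SilentlyContinue
    $results['ADMIN$ writable'] = $true
} catch {
    $results['ADMIN$ writable'] = $false
}

# 2. Restricted Groups applied: our domain group is a member of the local Administrators group.
try {
    $group   = [ADSI]"WinNT://$Workstation/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $results['Administrators contains push group'] = $members -contains $PushGroup
} catch {
    # Access denied or RPC unreachable both mean the push will fail here.
    $results['Administrators contains push group'] = $false
}

# 3. Remote WMI works (this is how the install process is spawned).
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Workstation -ErrorAction Stop
    $results['WMI reachable'] = [bool]$os
} catch {
    $results['WMI reachable'] = $false
}

# Troubleshooting check from above: has the installer already been copied down?
$results['AeXNSCInstSvc.msi present'] = Test-Path (Join-Path $adminShare 'AeXNSCInstSvc.msi')

$results.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
if ($results.Values -contains $false) { exit 1 }   # non-zero exit if any prerequisite failed
```

A failed “Administrators contains push group” check on a machine where the other checks pass usually means the GPO has not yet applied; re-run after gpupdate /force on the workstation.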
