XCEND Tech Tips: Using Restricted Groups to Add the Altiris NS Service Account to Workstations Local Admin Group
September 24th, 2010
In order to push out the Altiris NS Agent via the Altiris Install option, the account used to push the Altiris Agent (usually the application identity account, though this can be overridden) must have the following security rights:
- Write access to the machine's ADMIN$ share: the administrative shares cannot be disabled, or the push (which copies the installer through ADMIN$) will not work.
- Part of the local administrators group: This is to allow us to spawn the process to install the software.
- WMI Management enabled on the machine: This is how we spawn the actual process to perform the agent installation.
While it is possible to make the Altiris application identity account a domain admin, this is not recommended from a security perspective: domain admins hold far more than administrative rights on the computers in the domain. With Restricted Groups you can limit the scope to specific machines (only the computers under the OU the policy is linked to), something you cannot do with a domain admin account. Remember that after an installation is performed we actually need no rights at all, as the Symantec Management Agent runs in the SYSTEM context.
The following procedure is the only way, outside of login scripts, to push out the Altiris Agent when there are multiple domains.
1. Open up “Active Directory Users and Computers.”
2. Create a “Domain Local” security group. For our example, we will create the group “Local Workstation Administrators.” (A domain local group can hold the service account even when it lives in another trusted domain, but it can only be used by computers in its own domain, so create one in each domain whose workstations you target.)
3. Add the Altiris NS service account to the group created in step 2.
4. Close out of “Active Directory Users and Computers.”
5. Open up “Group Policy Management.”
6. Right click the OU containing the workstations that should get the Altiris application identity in their local Administrators group and choose “Create a GPO in this domain, and link it here.” Only computers under this link receive the setting, which is what limits the scope of the grant.
7. Next, name the policy.
8. Right click on the Policy and Choose “Edit” to open the following screen:
9. Expand Computer Configuration/Policies/Windows Settings/Security Settings and Click on Restricted Groups.
10. Right click on Restricted Groups and Click Add Group.
11. Name this group the same as the group you created in step 2.
12. Click OK to bring up the following screen:
13. Since we want to append our group to the local Administrators group, not overwrite everything in the local Administrators group, click the “Add” button next to “This group is a member of”. (Do not instead add “Administrators” as the restricted group and fill in “Members of this group”: that list is enforced, and every account not in it would be removed from the local Administrators group at the next policy refresh.)
14. In the box that is brought up, type in “Administrators”, as is shown below:
15. Click Ok, Ok, then close out of “Group Policy Management”.
16. On a workstation that is under that OU, open a command prompt and run gpupdate /force to apply the settings. Otherwise the computer picks the policy up at the next boot or background refresh, which by default runs every 90 minutes plus a random offset of up to 30 minutes, depending on your Active Directory setup.
17. You are now finished. The “Local Workstation Administrators” Group has been added to the local group, “Administrators.”
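The Active Directory half of the procedure above (steps 1 through 7) can be scripted. The following is an added example, not code from the original post or from Symantec; it needs the ActiveDirectory and GroupPolicy modules (RSAT on Windows 7 / Server 2008 R2 or later) and an account that can create groups and GPOs. Every name in it (group, service account, OU, GPO name, domain) is an assumption to replace with your own.

```powershell
# Added example, not code from the original XCEND post: scripts steps 1-7 of the
# procedure above (the Domain Local group and the GPO link). Requires the
# ActiveDirectory and GroupPolicy modules. All names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName      = 'Local Workstation Administrators'     # assumed: the group from step 2
$ServiceAccount = 'svc-altiris-ns'                       # assumed: sAMAccountName of the NS application identity
$TargetOu       = 'OU=Workstations,DC=corp,DC=example'   # assumed: OU holding the workstations
$GpoName        = 'Altiris NS Agent Push - Local Admin'  # assumed: name given in step 7

# Steps 2-3. Domain Local scope lets the group hold the service account even when it
# lives in another (trusted) domain, but such a group is usable only by computers in
# its own domain, so run this once per domain whose workstations you target.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Members become local Administrators on workstations via Restricted Groups GPO' -PassThru
}
Add-ADGroupMember -Identity $group -Members $ServiceAccount

# Steps 6-7. Create the GPO and link it only to the workstation OU; the scope of the
# local-admin grant is exactly the set of computers under this link.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Adds Local Workstation Administrators to local Administrators'
}
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Steps 8-15 (the Restricted Groups entry itself) have no GroupPolicy cmdlet and are
# still done in the Group Policy Management Editor as described above. Afterwards,
# on a workstation under the OU, steps 16-17 can be checked from a command prompt:
#   gpupdate /force
#   gpresult /r /scope computer     # the GPO should be listed under "Applied Group Policy Objects"
#   net localgroup Administrators   # CORP\Local Workstation Administrators should now appear (CORP is the assumed domain)
```

Running the script twice is safe: each step checks whether the group, GPO or link already exists before creating it, so it can be re-run per domain without duplicating objects.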
Agent Push Troubleshooting
To verify the security rights:
- From the NS Server, logged in as the application identity, click Start, then Run, and type \\workstationname\admin$. If you get anything other than the files in the remote computer's Windows directory, you do not have sufficient rights. A directory listing only proves read access; the push also needs write access, so confirm you can create and delete a file in that share.
- From the NS Server, logged in as the application identity, open Computer Management, right click the root node and choose “Connect to another computer”. Type in the name of the workstation you are attempting to push the Altiris Agent to. Once it connects, see if you can view Local Users and Groups; if not, you do not have administrator rights. If you can, also confirm that “Local Workstation Administrators” (or the application identity itself) is listed under Administrators, which shows the Restricted Groups policy has reached that machine.
Check Installation files:
- Under C:\Windows, check whether there is a file called AeXNSCInstSvc.msi. This is the installation file. If it was not copied down, go back to the first security rights check above (ADMIN$ access).
- Check the installation log file AeXSWDInstSVC.log.
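The troubleshooting checks above can be run in one pass from the NS server. The following is an added example, not code from the original post or from Symantec: it is run while logged in as the application identity, the workstation name is an assumption, and so is the log location (the post does not say where AeXSWDInstSVC.log is written, so the script looks beside the .msi in the Windows directory).

```powershell
# Added example, not code from the original XCEND post: runs the agent push checks
# above from the NS server while logged in as the application identity.
# $Workstation and the log path are assumptions.
$Workstation = 'WS01'                          # assumed workstation name
$AdminShare  = "\\$Workstation\admin$"
$results     = @{}

# Check 1 (ADMIN$): a directory listing proves read access only; the push has to
# copy the installer there, so also prove write access with a throw-away file.
$results['ADMIN$ readable'] = Test-Path $AdminShare
try {
    $probe = Join-Path $AdminShare ("aexpushcheck_{0}.tmp" -f [guid]::NewGuid())
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe -ErrorAction Stop
    $results['ADMIN$ writable'] = $true
} catch {
    $results['ADMIN$ writable'] = $false
}

# Check 2 (local Administrators): enumerate the remote group through the WinNT
# provider, which is what Computer Management's "Local Users and Groups" uses.
# Reading it at all needs admin rights, and the listing should include the
# Restricted Groups domain group (or the application identity itself).
try {
    $adminsGroup = [ADSI]"WinNT://$Workstation/Administrators,group"
    $members = @($adminsGroup.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $results['Local Administrators'] = $members -join ', '
} catch {
    $results['Local Administrators'] = 'not readable: ' + $_.Exception.Message
}

# Check 3 (WMI): the install process is spawned over WMI, so a remote query must work.
try {
    Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Workstation -ErrorAction Stop | Out-Null
    $results['WMI reachable'] = $true
} catch {
    $results['WMI reachable'] = $false
}

# Installation files: the installer copied down to C:\Windows, and its log.
$results['AeXNSCInstSvc.msi copied'] = Test-Path (Join-Path $AdminShare 'AeXNSCInstSvc.msi')
$logPath = Join-Path $AdminShare 'AeXSWDInstSVC.log'   # assumed location, beside the .msi
if (Test-Path $logPath) {
    $results['AeXSWDInstSVC.log tail'] = (Get-Content -Path $logPath | Select-Object -Last 5) -join "`n"
} else {
    $results['AeXSWDInstSVC.log tail'] = 'log not found'
}

$results.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize -Wrap
```

Read the table in the same order as the checks above: a false on ADMIN$ means the installer can never be copied, an unreadable Administrators group means the account is not a local admin on that workstation (the Restricted Groups policy has not applied, or the machine is outside the linked OU), and a failed WMI query means the install process cannot be spawned even when the first two pass.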