Altiris Notification Server and Altiris Agent user Security requirements


Article ID: 179482


Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

 

Resolution

Question
Altiris Notification Server and Altiris Agent user security requirements.
 

Question 1: What credentials are needed by the Altiris Application Identity?
Question 2: What rights are needed to install agents, software packages, and so on, on the local client computers?

Answer
 

Answer to Question 1:
This account needs local administrator rights to the Notification Server. If this account is to be used for Altiris Agent Push tasks, it must also have the rights documented in item 2.

Answer to Question 2:
The account needs the ability to:

  1. Install and run as a service (Log on as a service).
  2. Create and remove folders.
  3. Write to the admin$ share.
  4. Act as part of the operating system.
  5. Impersonate a client after authentication.
  6. Access the registry.

These rights are all required to install agents, deliver software, and so on, on the local client computer. Essentially, this is the same as having local administrator permissions or rights. When installing agents, the credential fields are key to the Altiris Agent push. If no credentials are chosen, the push uses the account specified as the Application Identity/Application Credentials. When pushing the Agent in a multi-domain or workgroup environment, the account used for the push must have local Administrator privileges on the computers you are pushing to. Credentials can be set on individual packages via Software Delivery to reflect a logged-on user, the Application Identity, or a local administrator.

Under Administrative Tools, open Local Security Policy and drill down to Local Policies > User Rights Assignment. Locate the entry for Act as part of the operating system. Make sure the account specified for Software Delivery exists here and has administrative rights.

Verify that the account has the specified advanced privileges and, using regedt32, verify that it has rights to the HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\EXpress\Notification Server key in the registry.
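
The checks above can also be scripted. The following PowerShell is an added example, not part of the original article or the product: it exports the local user-rights policy with secedit, reports who holds the three named rights, and lists the ACL on the registry key. The account name `EXAMPLE\svc-altiris` is a placeholder; run it elevated on the computer being checked.

```powershell
# Added example: audit the user rights and registry ACL named in this article.
# EXAMPLE\svc-altiris is a placeholder account name, not a value from the article.
param([string]$Account = 'EXAMPLE\svc-altiris')

# Rights from the article, keyed by their secedit constant names.
$rights = [ordered]@{
    SeServiceLogonRight    = 'Log on as a service'
    SeTcbPrivilege         = 'Act as part of the operating system'
    SeImpersonatePrivilege = 'Impersonate a client after authentication'
}

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Direct membership only; nested domain groups are not expanded here.
$isLocalAdmin = [bool](Get-LocalGroupMember -SID $adminsSid -ErrorAction SilentlyContinue |
    Where-Object { $_.SID.Value -eq $sid })
Write-Output "Account $Account ($sid) is a direct local administrator: $isLocalAdmin"

# Export only the user-rights area of the local security policy.
$cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

foreach ($name in $rights.Keys) {
    # A right that nobody holds is simply absent from the export.
    $line = $policy | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        # Entries are "*<SID>"; some local accounts are written by name instead,
        # so review the Holders column as well as the two flags.
        $holders = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
    [pscustomobject]@{
        Right              = $rights[$name]
        DirectlyAssigned   = $holders -contains $sid
        AdministratorsHold = $holders -contains $adminsSid
        Holders            = $holders -join ', '
    }
}

# Registry key from the article; list who has which rights on it.
$key = 'HKLM:\SOFTWARE\Altiris\EXpress\Notification Server'
if (Test-Path -LiteralPath $key) {
    (Get-Acl -LiteralPath $key).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
} else { Write-Output "Registry key not present: $key" }
```

Because Act as part of the operating system is assigned to no account by default, any holder listed for that right is worth recording and reviewing alongside the service account itself.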