How to create DS users with permissions and rights

Article ID: 181534

Products

Deployment Solution

Issue/Introduction

 

Resolution

Question

How do I create DS users who have permissions and rights?

Answer

Altiris recommends that customers create a separate user that has Administrative rights on the Deployment Server. This allows the Deployment Server to schedule an event to a computer that contains a reconfigure task. If this is not possible due to security concerns, create a user with the following rights:

  • For NT 4 PCs—Domain Administrator
  • For Windows 2000—Manage Computers within the Domain
  • For Windows 9X/Me—No adding to the domain performed or needed

It is also recommended that a separate user is created that has Administrative rights to the Client Access Point; however, if this is not possible due to security concerns, create a user that has the following rights for each component to access the Client Access Point:

BootWorks (DOS client that is run from a hidden or embedded BootWorks partition or through PXE)

[RF] - Netware share for Image Download
[WC] - Netware share for Image Upload
[RX] - NT share for Image Download
[W] - NT share for Image Upload

Deployment Server

[RF] - Netware share for downloading RIPs
[RX] - NT share for downloading RIPs

Rights needed to launch the Win32 and WebConsole from a workstation: Until recently, to launch either the Win32 console or the WebConsole, the user logged in to the workstation had to have the DBO role on the Express database. There is now a tool, eXpress > Deployment Server > Techsup > Windows > DSDBSecurity.exe, that examines the Express database's Tables, Stored Procedures and Views and gives permissions to the PUBLIC role so that the logged-on user doesn't have to have the DBO role on the Express database.

A short explanation is provided below:

Launch the DB Security Update utility. When it launches, enter the correct login information and press 'Connect' to connect to the database. When a connection to the database is made, the utility sets the appropriate PUBLIC role privileges on all of the Tables, Stored Procedures and Views in the Express database. For most users, this is the only part of the utility that will need to be used.

If you want to add users to SQL and set rights on the Express database, click on Users.

There are four options:

  1. SQL Server Logins: This option allows you to create and delete Windows or SQL accounts on the SQL server. It also allows you to add a login to the Express DB. Note: You must create a SQL Server Login (Windows Authentication or SQL Authentication) before you give that login access to a database or make it a member of a role.
  2. eXpress DB Users: These are the user accounts that have access to the eXpress database. This screen allows you to delete users from the Express database and give users Database Owner rights to the Express database.
  3. DB Owners: These are the users that have db owner rights to the eXpress database. Note: If you delete a user from DB Owners, they will still have the public role on the database. The DBO Owner can be deleted. Altiris recommends that this screen be used for informational purposes only.
  4. Public Roles: These are the users that have public rights to the eXpress database. (Information only)
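
To review what the utility and the Users screens have left in place, the following queries list the permissions held by the PUBLIC role, the members of db_owner, and the database users with their server logins. This is an added example, not Altiris code; it assumes SQL Server 2005 or later (for the `sys.*` catalog views) and that the database is named `eXpress`.

```sql
-- Added audit example (not part of the Altiris tooling).
-- Assumptions: SQL Server 2005 or later; database name eXpress.
USE [eXpress];  -- assumed database name; adjust to your installation

-- 1. Object-level permissions held by the PUBLIC role.
--    Shows which tables, stored procedures and views any database
--    user can reach without being a member of db_owner.
SELECT
    o.type_desc              AS object_type,
    SCHEMA_NAME(o.schema_id) AS schema_name,
    o.name                   AS object_name,
    p.permission_name,
    p.state_desc             -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS pr
     ON pr.principal_id = p.grantee_principal_id
JOIN sys.objects              AS o
     ON o.object_id = p.major_id
WHERE pr.name = N'public'
  AND p.class = 1            -- object- or column-level permissions
  AND o.is_ms_shipped = 0    -- skip system objects
ORDER BY o.type_desc, o.name, p.permission_name;

-- 2. Members of db_owner. Console users should no longer need to
--    appear here; service accounts that require DBO rights will.
SELECT m.name AS member_name, m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r
     ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m
     ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;

-- 3. Database users and the server login each one maps to.
--    A NULL server_login marks a user with no matching login.
SELECT dp.name AS db_user, dp.type_desc, sp.name AS server_login
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
     ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')   -- SQL user, Windows user, Windows group
  AND dp.name NOT IN (N'guest', N'INFORMATION_SCHEMA', N'sys')
ORDER BY dp.name;
```

Every database user is implicitly a member of PUBLIC, so the first result set is the effective baseline for any login that is added to the database.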

Console PC (Launching RapidInstall, PC Transplant, Boot Disk Creator, Image Explorer)

[RF] - Netware share to open RIPs, Images for Read access
[WC] - Netware share to edit, create, modify RIPs and Images
[RX] - NT share to open RIPs, Images for Read access
[W] - NT share to edit, create, modify RIPs and Images

Altiris Services

  • Console Manager: Run as either a local admin or domain admin that has DBO rights to the Express Database
  • Data Manager: Run as either a local admin or domain admin that has DBO rights to the Express Database. If Role Based security is enabled and Active Directory users are used to authenticate to the Web Console, this service must run as a domain user that has at least read access to the OU in which the users reside.
  • DB Management: Run as either a local admin or domain admin that has DBO rights to the Express Database. The DB Management user must have access to the SQL server.
  • Express: Run as either a local admin or domain admin that has DBO rights to the Express Database
  • PXE Config: Local System
  • PXE MTFTP: Local System
  • PXE Server: Local System