Action script, domain account, and UNC's

(imported topic written by GH6591)

Hi,

I’m toying with the idea of running the BESClient service under a domain account on selected end-points. The reason for this is to allow an action script to run installation programs on the end-point from a standard secure network share without having to set up null session shares. While I’m tinkering though I thought I’d ask - has anyone tried this kind of thing and found any “gotchas”?

Regards,

Graham

(imported comment written by BenKus)

Hi Graham,

I have heard people do this before, but we do know there are lots of potential issues here:

  • The agent won’t be able to interact with the desktop. For 6.0, this means that no message boxes can be displayed to the user. For 7.0, it means that whatever processes the agents run will not be visible to the user (this could be good or bad depending on what you want to do) but message boxes should still work fine (although you should test this) because the BESClientUI.exe app is launched as a user process.

  • The user would of course need to be an admin, but even so, you may hit unforeseen permissions issues if the user for some reason didn’t have certain permissions.

  • Changing passwords for your service for all agents would be a nightmare.

  • BigFix Agent Upgrades have no special mechanism to preserve the service “Logged on as a user” info and you would need to test to see if this gets reset on upgrade.

  • and I am sure there are more things that could be different but we haven’t ever tried this much to have detailed experiences for you…

Ben

(imported comment written by jessewk)

Hi Graham,

I second Ben’s opinion that you are getting into uncharted territory that is likely to cause more headaches than it’s worth. If the issue you’re trying to resolve is access to null session shares, you’d be much better off converting your actions to download the installation programs rather than grab them from a null session. If you search around the forum you’ll find some examples and also explanations as to why downloads are preferable (speed, reliability, network impact, security, etc…).

Jesse

(imported comment written by GH6591)

Thanks both.

I hear what you’re saying and I know that if I go down this route of using a domain account I’d better have good reasons. The final implementation may have more to do with related human processes than technical ones…

Cheers,

Graham