Changing BES client to use an AD service account and not System

I wanted to change the account that the BES client uses from System to an AD service account. The reason is to have it run with rights to the network. The question I have is what abilities I will lose by doing so. After testing I was able to patch the box, write to the registry, and run a PowerShell script that moves a file over from a DFS share. So what other tests can I run to see and test any abilities I will lose?

I don’t know of any, and I do the same thing. The only thing that I have seen is that when you upgrade, you may have to go back in and change the BES Client to run as that service account again. I have been running my environment like this for a few years now and haven’t noticed anything out of the ordinary. I also use this on a few relays where I need the same capabilities. Note: I also have that user set as an admin on the box where I changed the BES service to run as the service account.

1 Like

Here’s why you don’t want to do this:
Even if it works, it will be the first thing that support points to when you have an issue – don’t change the user account that the BigFix client runs as.

It is also a big security issue to have a single user account whose password is on every single endpoint (the service account password is exposed on every endpoint that uses it) and for which the account has root access to every other box.

Here’s what you should do instead:
The BESClient runs as the System account, and the System account uses the computer account in Active Directory for accessing network resources. If you grant the computer account in Active Directory access to a resource (or put all your computers in a group and grant that group access to a resource), then the System account will have access to the resource and thus the BESClient service will have access to the resource.

2 Likes
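The approach described in the reply above (leave the service running as SYSTEM and grant the computer accounts access to the share instead), as an added PowerShell example that is not from this thread or from BigFix. Everything named here is assumed for illustration: the domain EXAMPLE, the group BESClient-Computers, the file server fs01 with a local folder D:\Shares\Patches exported as the share Patches, and the computer naming pattern WS-*. It needs the ActiveDirectory RSAT module and admin rights on the file server.

```powershell
# Added example: give the SYSTEM context of managed endpoints read access to a
# share by granting the *computer* accounts (via a group), not a user account.
Import-Module ActiveDirectory

$Domain    = 'EXAMPLE'                # assumed NetBIOS domain name
$GroupName = 'BESClient-Computers'    # assumed group of computer objects
$LocalPath = 'D:\Shares\Patches'      # assumed folder on the file server
$ShareName = 'Patches'                # assumed SMB share name for $LocalPath
$SharePath = "\\fs01\$ShareName"      # assumed UNC path seen from endpoints

# 1. Create the group (if missing) and add computer objects to it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers whose SYSTEM context needs read access to the patch share'
}
$computers = Get-ADComputer -Filter 'Name -like "WS-*"'   # assumed naming pattern
Add-ADGroupMember -Identity $GroupName -Members $computers

# 2. NTFS permissions on the folder (run on the file server): read-only,
#    inherited by subfolders and files. No user password is involved anywhere.
$acl  = Get-Acl -Path $LocalPath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @("$Domain\$GroupName", 'ReadAndExecute',
                    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LocalPath -AclObject $acl

# 3. Share-level permissions for the same group (effective access is the
#    more restrictive of NTFS and share permissions, so both are needed).
Grant-SmbShareAccess -Name $ShareName -AccountName "$Domain\$GroupName" `
    -AccessRight Read -Force

# 4. Verification, run on an endpoint *in a SYSTEM context* (for example as a
#    BigFix action, or via "psexec -s powershell"). Group membership is carried
#    in the Kerberos ticket, so after changing membership the endpoint must be
#    rebooted or its SYSTEM logon session (0x3e7) purged before this succeeds:
#        klist -li 0x3e7 purge
function Test-ShareAccessAsSystem {
    param([string]$Path = $SharePath)
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    # Expect "NT AUTHORITY\SYSTEM" locally; the share sees EXAMPLE\HOSTNAME$.
    [pscustomobject]@{
        RunningAs = $who
        CanList   = Test-Path -Path $Path
        FirstItem = (Get-ChildItem -Path $Path -ErrorAction SilentlyContinue |
                     Select-Object -First 1).Name
    }
}

Test-ShareAccessAsSystem
```

Granting access to a group of computer objects rather than to a shared user account means there is no password stored on any endpoint, and an endpoint can be removed from the share simply by taking it out of the group.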

We only changed the user for this service on a few boxes, not every endpoint. Also, this account does not have root access to every other box, only the boxes specified. Interesting on granting the rights to the computer itself. I have never had an issue with support because of the user being changed on the BES Client. If your solution works though, it sounds like a viable option.

Changing the user the BESClient runs as severely limits many of the functional capabilities of the client. The client depends on the privileges of SYSTEM to do its work.

3 Likes
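To find out how many endpoints already have the client reconfigured this way (the exposure the thread discusses: one service account whose password sits on every box that uses it), here is an added audit script, not from this thread or from BigFix. It assumes WinRM access to the endpoints and the ActiveDirectory RSAT module for the computer list; the service name BESClient is the real name of the BigFix client service.

```powershell
# Added example: report which endpoints run the BESClient service under an
# account other than LocalSystem, so the change can be tracked and reverted.
Import-Module ActiveDirectory

function Get-BesClientServiceAccount {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            # Win32_Service.StartName holds the logon account of the service.
            $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $c `
                       -Filter "Name='BESClient'" -ErrorAction Stop
            if (-not $svc) { throw 'BESClient service not installed' }
            [pscustomobject]@{
                Computer  = $c
                StartName = $svc.StartName
                State     = $svc.State
                NonSystem = ($svc.StartName -ne 'LocalSystem')
                Error     = $null
            }
        } catch {
            [pscustomobject]@{
                Computer  = $c
                StartName = $null
                State     = $null
                NonSystem = $null
                Error     = $_.Exception.Message
            }
        }
    }
}

# Assumed scope: all enabled Windows computer objects in the domain.
$targets = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows*"' `
               -Properties OperatingSystem | Select-Object -ExpandProperty Name

$report = Get-BesClientServiceAccount -ComputerName $targets

# Endpoints where the service account was changed, grouped by the account used:
# several machines sharing one account means one password present on each of them.
$report | Where-Object { $_.NonSystem -eq $true } |
    Group-Object StartName |
    Select-Object @{n='ServiceAccount';e={$_.Name}}, Count,
                  @{n='Computers';e={($_.Group.Computer -join ', ')}} |
    Format-Table -AutoSize

# Unreachable or client-less machines, for follow-up.
$report | Where-Object { $_.Error } | Format-Table Computer, Error -AutoSize
```

Running this before an upgrade also gives a list of the machines that the earlier reply says may revert to SYSTEM after the installer runs, so the two states can be compared afterwards.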