Raynor

Deployment Options: Remote vs. Local Admin Credentials

Recommended Posts

First of all, sorry for this noob-like question ;)

I am currently evaluating if Emsisoft Enterprise Console (combined with EAM) might be a future option
for our small business network (one Windows Server 2016, mainly used as file server, Active Directory domain,
about 30 client computers). EEC would be installed on our Win 2016 server, EAM on all of the clients.

So far, I have skimmed across the EEC manual (we have not installed anything yet / decided on buying anything yet).
And while most things seem pretty clear to me, there is one thing I can't get my head around:

What is meant by Remote & Local Admin credentials (see screenshot)?

Our 30 or so client computers all have a local admin account that is used for all admin purposes concerning the client PCs.
I am talking about the "admin-like" local user account that is created during a standard windows installation
(the one you get to choose a user name for), NOT the "Administrator" account (which is disabled by default, and still is).

Users logon their computers with domain user accounts that only have user privileges (no roaming profiles or other fancy stuff).

And, of course, the server itself has its own (local) Administrator account, which is used when administering the server.
That's about it.
 

So what would have to be entered for Remote & Local Admin ?
Do both fields have to be filled in ?
If so, why ?

Yes, I know it's a beginner's question (sorry), but right now I'm a bit stumped ;)

Thanks
Raynor

 

 

 

 

Admins.png
Download Image

Share this post


Link to post
Share on other sites

Hi Raynor

Your question is actually quite expected and not noob-like at all.

The EEC service performs all actions, like deploy, and therefore needs to impersonate on the server, as local admin.

this is the -Local administrator- account.

 

The EAM installer requires a local admin account to be able to run.

This is the -Remote Administrator account for selected computers-

So yeah, you have to fill-in both.

 

Please note that you need to run a prepare batch script on the target clients, which you can find in the folder C:\Program Files\Emsisoft Enterprise Console\server\Scripts

There are 2 batchfiles:

Prepare_PC_for_Deployment.bat
Prepare_PC_for_Deployment_UAC_Disabled.bat

The latter one needs to be run when UAC is disabled on the client.

Does this help ?

Share this post


Link to post
Share on other sites
1 hour ago, Frank H said:

The EEC service performs all actions, like deploy, and therefore needs to impersonate on the server, as local admin.

this is the -Local administrator- account.

So, If I understand you correctly, the Windows Server 2016 LOCAL Administrator account would have to be entered here,
so that the EEC service can run in the background on the server with Admin privileges , even when no user is logged on, right ?

 

1 hour ago, Frank H said:

The EAM installer requires a local admin account to be able to run.

This is the -Remote Administrator account for selected computers-

This I do not fully understand. If you look at the screenshot it says "Domain\User:" at the top just under "Remote Administrator Account".
But we do not use domain administrator accounts (i.e. users with administrative rights listed in Active Directoty), just the normal users have domain user accounts.
There is just a local admin on every PC, (the admin-like user created during the Windows installation).

How would I enter that user ? Just the Username, without any Domain name in front of it?
 

1 hour ago, Frank H said:

Please note that you need to run a prepare batch script on the target clients, which you can find in the folder C:\Program Files\Emsisoft Enterprise Console\server\Scripts

There are 2 batchfiles:

Prepare_PC_for_Deployment.bat
Prepare_PC_for_Deployment_UAC_Disabled.bat

The latter one needs to be run when UAC is disabled on the client.

Well, The local admin (which will be used to start the scripts) is just the admin-like user created during windows installation, as mentioned above.
So UAC should be active for that user (as that user is nor a "real" admin and just gets its privileges elevated when required).
So I would just run the first script, right ?

Thanks again and best regards
Raynor

Share this post


Link to post
Share on other sites

Hi

Quote

 

So, If I understand you correctly, the Windows Server 2016 LOCAL Administrator account would have to be entered here,
so that the EEC service can run in the background on the server with Admin privileges , even when no user is logged on, right ?

nope, EEC service only needs to impersonate locally with admin privileges during the deploy process.

 

Quote

How would I enter that user ? Just the Username, without any Domain name in front of it?

Correct. the domain or workgroup  is optional

 

Quote

So I would just run the first script, right ?

Correct

Cheers

 

 

Share this post


Link to post
Share on other sites

Thank you,
now it's clear to me.

One more thing:
If you look at Page 83 and the following pages of the "Getting Started" user guide (see attached screenshot),
instructions are given there on how to configure a couple of Group Policy settings on the server (mostly firewall execptions).
I am talking about "Allow inbound File&Printer Sharing", "Allow Remote Administration", "AllowICMP",
and "Enable Remote UAC LocalAccountTokenFilterPolicy".

This is the way I would plan on preparing everything. Would setting all these GPOs on the server (for all client computers)
be enough, or would it STILL be necessary to run a batch script file  Prepare_PC_for_Deployment.bat) on a client PC ?

Serverconfig.png
Download Image

Share this post


Link to post
Share on other sites

Hi,

We are currently updating the manual, as it might be a bit confusing here and there.
Best practice is when you check the batchfiles yourself and see what they do, it's not that special, and apply that in your GPO.

Share this post


Link to post
Share on other sites
On 10/6/2017 at 11:41 PM, Frank H said:

Hi,

We are currently updating the manual, as it might be a bit confusing here and there.
Best practice is when you check the batchfiles yourself and see what they do, it's not that special, and apply that in your GPO.

Yes, it is indeed a bit confusing, that's what I noticed as well.

But back to my question: So it is possible to set everything required on the Server via GPO,
so that all the clients are automatically configured via the GPO they get from the sever, right ?

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.