Old 10-15-2008, 03:49 PM   #1 (permalink)
 
Status: Junior Altiris Admin
Join Date: 01-10-2006
Location: Conroe TX
Posts: 26


Altiris sys account as domain admin?

Hi -

I have been asked to provide justification for why our Altiris systems are using a domain admin account. Honestly, even though I've worked with this stuff for 5 or 6 years now, at both jobs the system was configured as domain admin per the advice of the consultant.

I searched the forum and found some discussion on why it gets set up as domain admin, and the official stance in the doc that it does not need to be domain admin, but the user consensus seems to be that the hassles of it not being domain admin outweigh the risks of having the service account in domain admins.

I need to get a clear understanding, with examples if possible, of why.

My environment currently consists of 15k desktops, another 2k servers, and we have 5 DS, 5 NS, 2 SQL, and 20+ remote servers acting as local PXE.

We have taken steps to isolate processes in Altiris so that only the servers use domain admin rights, e.g. imaging got a special domain user account, PXE got a special domain user account, SQL got an account for ODBC, etc.

The domain account for the servers is what runs patch management, SWD, RAI and jobs from DS, etc. Only 2 admins know the account password.

If anybody could give me examples/POV on either scenario that would be much appreciated. Thanks.
naaron
Old 10-15-2008, 03:58 PM   #2 (permalink)
 
Status: Junior Altiris Admin
Join Date: 09-24-2008
Location: USA
Posts: 5


I am very new to Altiris as well. The way we deployed Altiris was to use a separate account which we had to put in all the local administrator groups. This was a hassle.

Putting the account in domain admins would have been much easier, but I didn't want the account to be a domain admin if it didn't have to.
rdotson
Old 10-16-2008, 12:22 PM   #3 (permalink)
 
Status: Super Altiris Admin
Join Date: 03-29-2005
Location: TORONTO, ONTARIO
Age: 35
Posts: 148


The account does not need to be a domain admin.

Domain admin is nice just in case you can't install an agent on a machine on the network.

Otherwise, everything will work normally.
__________________
Cosimo Depalo
Canadian Imperial Bank of Commerce (CIBC)
Toronto, Ontario
CANADA
Cosimo.Depalo@CIBC.ca
depalo
Old 10-17-2008, 07:22 AM   #4 (permalink)
 
Status: Super Altiris Admin
Join Date: 11-09-2006
Location: London
Posts: 570


There is a principle of "least privilege" that says each account should have only the minimum privileges it needs to do the work.

You should have a separate account for each task:

1/ NS Service Account "Application identity" - admin access to NS servers only
2/ SQL Access account - required access to NS database only
3/ Client "push" account - workstation admins only
4/ Software install account (if required for badly written software packages) - workstation admins only
5/ Proxy access

and so on.

None of these accounts needs to be domain admins and shouldn't be. My last place wouldn't allow the Altiris Agent on Domain Controllers at all because they would then effectively give domain admin rights to Altiris Admins.
andykn
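
One way to verify the point made in this thread, that none of the Altiris accounts needs to be a domain admin, as an added example that is not part of the original posts: the PowerShell below reports whether each service account holds a privileged domain group directly, through nested groups, or as its primary group. The account names are hypothetical placeholders, and the script assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example (not from the thread): report Altiris service accounts that hold
# privileged domain group membership, directly, via nesting, or as primary group.
# Requires the ActiveDirectory module (RSAT). Account names are hypothetical.
Import-Module ActiveDirectory

$ServiceAccounts  = 'svc-altiris-ns', 'svc-altiris-sql', 'svc-altiris-push', 'svc-altiris-swd'
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedMembership {
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [Parameter(Mandatory)] [string[]] $GroupName
    )
    # Resolve group names once; groups absent from this domain are skipped.
    $groups = foreach ($g in $GroupName) { Get-ADGroup -Filter "Name -eq '$g'" }

    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties PrimaryGroup
        if (-not $user) {
            [pscustomobject]@{ Account = $name; Status = 'NotFound'; PrivilegedGroups = @() }
            continue
        }
        $hits = foreach ($group in $groups) {
            # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: follows nested groups.
            # Assumes the group DN contains no LDAP filter metacharacters: ( ) * \
            $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
            $nested = Get-ADUser -LDAPFilter $filter -SearchBase $user.DistinguishedName -SearchScope Base
            # memberOf never lists the primary group, so compare it separately.
            if ($nested -or $user.PrimaryGroup -eq $group.DistinguishedName) { $group.Name }
        }
        [pscustomobject]@{
            Account          = $name
            Status           = if ($hits) { 'OverPrivileged' } else { 'OK' }
            PrivilegedGroups = @($hits)
        }
    }
}

Get-PrivilegedMembership -SamAccountName $ServiceAccounts -GroupName $PrivilegedGroups |
    Format-Table -AutoSize
```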