When ever we discover a new system in Director 5.1 as a level 0 System the machine comes in locked. That's ok, but the only way we can unlock the system is by using the Build In Local Administrator account. I am a domain admin and have local admin rights on the box. I have even added my account to the local admins group and I am still unable to unlock the system using my credentials. Has anyone encountered this? How do I get Director to work with members of the Administrators Group not with just the Administrator Account.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
IBM Director Padlocked systems
- Thread starter Salido165
- Start date
- Thread starter
- #4
I like service accounts to have as few priveleges as possible, so we installed Director using a local account also, not a domain acount or domain admin account.
You have to way the princible of least privilege againt the usefullness of having IBM director atomaticly have admin controll of boxes it scans. Now boxes running the full agent are already very controllable, it seems that in this case my own windows domain admin credentials I logged onto the Director console with, are used to control agent actions.
The systems we have discovered and are now level 0 clients, I am happy to leave them padlocked untill I need them, and even then, IBM director remembers the admin creds for these systems.
But I would much much rather have it that IBM simply try my own logon creds when attempting to contact level 0 clients, instead of forcing you to local admin creds. It should not be done using the IBM service account creds, that is a very wrong approach to isolation and security.
You have to way the princible of least privilege againt the usefullness of having IBM director atomaticly have admin controll of boxes it scans. Now boxes running the full agent are already very controllable, it seems that in this case my own windows domain admin credentials I logged onto the Director console with, are used to control agent actions.
The systems we have discovered and are now level 0 clients, I am happy to leave them padlocked untill I need them, and even then, IBM director remembers the admin creds for these systems.
But I would much much rather have it that IBM simply try my own logon creds when attempting to contact level 0 clients, instead of forcing you to local admin creds. It should not be done using the IBM service account creds, that is a very wrong approach to isolation and security.
- Status
