
IBM Director Padlocked systems


Salido165

MIS
Dec 2, 2005
2
US
Whenever we discover a new system in Director 5.1 as a Level 0 system, the machine comes in locked. That's OK, but the only way we can unlock the system is by using the built-in local Administrator account. I am a domain admin and have local admin rights on the box. I have even added my account to the local admins group and I am still unable to unlock the system using my credentials. Has anyone encountered this? How do I get Director to work with members of the Administrators group, not with just the Administrator account?
 
When you installed Director, did you set the services up to run as an account with domain privileges or as the local admin, because the local admin account has no authority over other systems?

Stiddy

HTH - Stiddy
 
If you installed it as a local account, simply create a domain account, stop all Director services, set them to run as the new account, and start all services.

HTH - Stiddy
 
It was installed as a domain user. Does the domain user account that was used to install Director need to be an administrator on all of the servers in our domain?
 
I like service accounts to have as few privileges as possible, so we installed Director using a local account also, not a domain account or domain admin account.

You have to weigh the principle of least privilege against the usefulness of having IBM Director automatically have admin control of boxes it scans. Now, boxes running the full agent are already very controllable; it seems that in this case my own Windows domain admin credentials, which I logged onto the Director console with, are used to control agent actions.

The systems we have discovered and that are now Level 0 clients, I am happy to leave padlocked until I need them, and even then, IBM Director remembers the admin creds for these systems.

But I would much, much rather have it that IBM simply try my own logon creds when attempting to contact Level 0 clients, instead of forcing you to use local admin creds. It should not be done using the IBM service account creds; that is a very wrong approach to isolation and security.
 