5 Replies Latest reply on Oct 23, 2013 3:38 PM by Bill Robinson

    BSA Patching

    Andreas Khan


      Hi, We have a requirement for patching a subset of Windows Servers using a locally mapped user account that is not a member of the local administrators. Is it possible to map the agent to the local system user context? Or are there other options for this type of requirement?

       

      thanks

        • 1. Re: BSA Patching
          Bill Robinson

          Why can't you map to a local administrator account? Right now there is no provision to run as the localsystem account. If the server owner is willing to let you 'map' to localsystem, why wouldn't they be willing to map to a local admin account?

          • 2. Re: BSA Patching
            Andreas Khan

            Thanks for the reply, Bill. The servers in question are Domain controllers, so looking to grant the least amount of privileges to perform the task to comply with security policy. The local admin would have to be a Domain Administrator for DCs using a domain user account mapping, I assume.

            • 3. Re: BSA Patching
              Bill Robinson

              There are some patches that interact w/ AD, and even if you ran as local system you’d have the same level of privs (or could get the same privs) as a domain admin.  You can map to a domain admin and not allow interactive logins to that account and restrict the role in bsa to only run patching jobs.

              • 4. Re: BSA Patching
                Andreas Khan

                Yes, agreed in part, but in terms of security policy using localsystem is far easier to sign off as opposed to creating a dom user that's a member of the dom admins group. It may be a question better placed with MS, but have you any experience or knowledge of anyone that's used BL mapped to a lower privileged group (backup ops for example)? If there's no other way then at least any avenues have been explored ...

                 

                thanks

                • 5. Re: BSA Patching
                  Bill Robinson

                  This has been brought up before and it’s not possible. You have to be a member of administrators to install patches on a domain controller.