Windows authorisations required for the use of ACMP

Last modified by S F on 2024/03/19 17:52

 

To ensure the smooth and trouble-free use of the various solutions and applications in ACMP and AESB, certain authorisations are required for various accounts.

The account authorisations required for the respective use cases are listed below.

ACMP

ACMP Server, Console and components

  • A Windows user with administrative rights on the system is required.

Agent installation

If the agent is to be installed automatically via installation rules or pushed, the following rights are required:

  • A user with read, write and execution rights on the administrative network share "admin$" is required.
  • Administrative rights are required for installation.
  • Administrative rights are required for installation from the ACMP Server share via Launcher.exe.

Note:

A connection test to the Admin$ share can be run from the ACMP Server via \\%Computername%\Admin$.
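The connection test from the note above, extended to check read and write access on several clients at once, as an added PowerShell example (not part of the ACMP documentation). The function name `Test-AdminShare` and the probe file name are assumptions; the check runs with the rights of the account that starts it, so run it as the account intended for the agent push.

```powershell
# Added example: pre-flight check of the admin$ share before an agent push.
# Test-AdminShare and the probe file name are hypothetical, not ACMP tooling.
function Test-AdminShare {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    foreach ($name in $ComputerName) {
        $share  = "\\$name\admin`$"
        $result = [ordered]@{
            Computer = $name; Reachable = $false; Read = $false; Write = $false; Error = $null
        }
        try {
            if (Test-Path -LiteralPath $share -ErrorAction Stop) {
                $result.Reachable = $true

                # Read right: list a single entry of the share.
                $null = Get-ChildItem -LiteralPath $share -ErrorAction Stop |
                        Select-Object -First 1
                $result.Read = $true

                # Write right: create a uniquely named marker file and remove it again.
                $probe = Join-Path $share ("acmp-precheck-{0}.tmp" -f [guid]::NewGuid())
                $null  = New-Item -Path $probe -ItemType File -ErrorAction Stop
                Remove-Item -LiteralPath $probe -ErrorAction Stop
                $result.Write = $true
            }
        } catch {
            # Access denied, name resolution and firewall failures all end up here.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Constructed sample input: the local machine; replace with the client names to check.
Test-AdminShare -ComputerName $env:COMPUTERNAME | Format-Table -AutoSize
```

The execution right is not exercised by this check; a row with `Write = False` and a filled `Error` column identifies clients on which the push account lacks the required share access.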

ACMP Console login with Active Directory users

  • To enable domain users to log in, a user who can read the users and groups in the AD must be stored in the settings. The import takes place via an AD group, which is stored in the ACMP group "AD Login".

    Note:

    In the standard configuration, the predefined group "Pre-Windows 2000 compatible access" has the required authorisations.

ACMP Kiosk

  • If conditions with a domain reference are used in the ACMP Kiosk, the logged-in user must have the corresponding read rights.

OS Deployment

  • A user with the "Create computer objects" right is required if the Client is to join the domain during the Rollout. 
  • To join the domain, the user must also have the right "Add workstations to the domain".

File Repositories

For synchronisation from the Server to the file repository:

  • Read and write permissions to the target directory are required.
  • For Samba (SMB / Windows share), read and write permissions are required in the network share settings (for the user performing the synchronisation).

For synchronisation from the file repository to the agent:

  • Only read rights to the source directory are required, as the agent can only download files from the file repository. If the agent is to upload files to the file repository, these are always uploaded to the ACMP Server, so that nothing can be uploaded directly to the deployed file repos by the agent.

Note:

Local accounts can also be used in the Server and Client connection settings.

Licence Management

  • Read rights must be granted for the required users/groups/OUs and computers in the AD in order to add computers or users of a domain as usage of a licence.

AESB

Contacts Adapter

  • Read rights must be granted for the required users/OUs in the AD in order to be able to import users of a domain as contacts in ACMP.

Note:

If this adapter is also to take deleted objects into account, the AD user must have read rights to the "Deleted Objects".

By default, only AD admins have this right!

Container Adapter

  • Read rights must be granted for the required computers/OUs in the AD in order to be able to insert OUs and computers of a domain as containers with statically linked Clients in ACMP.

Note:

If this adapter is also to take deleted objects into account, the AD user must have read rights to the "Deleted Objects".

By default, only AD admins have this right!

Unix Agent

  • Access with root rights via the SSH server is required to deploy the agent to a Unix system.
  • If the installation files are already on the Linux system (previously copied to it via a network share), SSH access is not required; only a user with root rights, or a user who is authorised to obtain root rights via sudo, is needed.
© Aagon GmbH 2024