→ 🚀What's New? Join Us for the Fall Product Launch! Register Now !

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mwrobo09
Champion Sweeper
I am wondering if I can get some clarification on the "Currently Logged On" credentials in deployments. Are the credentials that are used for this type of deployment, the currently logged on to the target computer or the currently logged on user in the Lansweeper webpage?

If it is not the Lansweeper user that is logged into the webpage, anyway to get this option?
5 REPLIES 5
cscherrey
Engaged Sweeper III
+1 on separating the deployment credentials from the scanning credentials. We too need to restrict deployments by servers and clients.
Fidget
Engaged Sweeper
To add to this topic, this is a feature we are additionally in need of. Our scanning credentials account is quite restricted and denied firewall access. When a deployment occurs, it is interrupting internet connectivity as the firewall sees AD authentication from the scanning account credentials. In order to resolve this we were going to setup a deployment account, but it seems the only functional work-around is to use a command instead of the installer option and prefix the installer with "runas /user:domain\user \\host\pathto\installer.exe" This will work as a functional workaround for this exact described problem, but it is not the correct solution as there should be functionality of defining a deployment account instead of using scanning credentials.

Added note: To make this method work, you have to initially do runas from the deploying account with /savecred on every single device, which can be a real annoyance to 'deploy' that.. otherwise psexec can pass through the password through cleartext and will function more like piping the password into sudo. Absurdly insecure, but it works for our small IT team of three who all have access to the password anyways. Again, this isn't a proper solution.
Esben_D
Lansweeper Employee
Lansweeper Employee
I understand the issue that you describe, I wish I could help you further, but unfortunately at this time the permissions are not suitable for allowing users to only deploy to specific assets or a group of assets.

I would recommend contacting your Lansweeper sales contact and explain to them that this functionality is critical to you. Additionally, I will link your topic to the existing feature request.

As for options that you have, in the near future at least, it will indeed be either not use deployment, or, try to create good guidelines on how to use it. Some things you can do to try and eliminate possible mistakes:
  • Create asset groups and reports which can be used by your desktop team (maybe give them a specific mark so that the desktop team knows that they are only allowed to use groups that start with DESK)
  • Clear listing of the naming convention for your servers, so they do not get accidentally selected for a deployment, alternatively, you can adjust your naming convention to make this even clearer.
mwrobo09
Champion Sweeper
My company is really interested in pushing lansweeper globally. We are currently running the ultimate version in some of our sites across the US and we are very happy with what Lansweeper provides us. We have been running this as a desktop support tool, and some of the other global regions and executives want to be able to see more information globally. We have a system in place that is the company record of choice, but it does not provide anywhere near the information we get out of Lansweeper.

One major hurdle I am running into is that the server team does not want anyone from the desktop team to be able to deploy anything to a server accidently. So at this point I can either turn off deployments for everyone, which will decrease the productivity of all the desktop support users that utilize it and love it, or not be able to get access to the servers with the scanning account. I thought about adding another account to only scan the servers with, but all the deployments I have setup all use the scanning credentials for their deployment method. So if there was an option to deploy via the user that is logged into the console, then this would then easily fit our security needs, because then the desktop support person would only be able to deploy to computers they have access to and not servers and vice versa for the server team. Then all access is controlled by our active directory infrastructure which will make our security team happy.

Another temporary quick fix would be to have default deployment account instead of the scanning credentials that I could then get that account added to the desktop admin group in our AD and then I could eliminate the possibility of someone deploying something to a server and messing it up.

Is there anyway to get this bumped up the list?
Ian_F
Lansweeper Alumni
The "Currently Logged On" run mode credential is the account of the user that is currently logged on to the Windows computer will be used to run the scheduled task.

Running deployments with the user currently logged into the web console is currently not possible. This feature request is already on our customer wish list, so I have linked your question to it. Features on our customer wish list get development priority based on a combination of user demand and difficulty to implement. As such, we cannot provide you with an estimated release date for when/if this feature might be implemented in a future Lansweeper release.