- This topic has 0 replies, 1 voice, and was last updated 10 years, 8 months ago by .
-
Posts
-
When you use Integrated Security, BatchPatch authenticates with remote/target computers using the account that you use to launch the BatchPatch.exe process on this computer, which is usually the same account that you are currently logged on with.
If you specify Alternate Credentials in this form and then save your grid to a .bps file, the passwords in the .bps file will be encrypted. However, anyone who has a copy of the .bps file could obtain the actual unencrypted passwords, so it is very important that you do not share a password-containing .bps file with anyone who should not know those passwords.
Using Integrated Security with a Domain Account:
1. The domain account that you use to launch BatchPatch must be a member of the local administrators group on the target computer.
Using Integrated Security with a Local Account:
1. The local account that you use to launch BatchPatch must also exist on the target computers, defined with the exact same username and password that is defined on the computer running BatchPatch.
2. If the local account you are using to run BatchPatch is THE built-in administrator account on the target computers, the following registry DWORD must be set to 0 on the target computers. When this DWORD is set to 0, the built-in administrator account is set to full-token mode, and BatchPatch will work properly. However, if it’s set to 1, the built-in administrator account is put in admin-approval mode, which will prevent most BatchPatch actions from completing successfully for those target computers:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciessystemFilterAdministratorToken
(only required for Vista/7/2008/2008R2/2012)
3. If the local account you are using to run BatchPatch is not THE built-in administrator account on the target computers, but instead is just a regular named local account that is a member of the local administrators group on the target computers, then the following registry DWORD must be set to 1 on the target computers:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciessystemLocalAccountTokenFilterPolicy
(only required for Vista/7/2008/2008R2/2012)
Using Alternate Credentials with a Domain Account:
1. The account that you specify must be a member of the local administrators group on the target computers.
Using Alternate Credentials with a Local Account:
1. The account that you specify must be a member of the local administrators group on the target computers.
2. If the local account that you specify is THE built-in administrator account on the target computers, the following registry DWORD must be set to 0 on the target computers. When this DWORD is set to 0, the built-in administrator account is set to full-token mode, and BatchPatch will work properly. However, if it’s set to 1, the built-in administrator account is put in admin-approval mode, which will prevent most BatchPatch actions from completing successfully for those target computers:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciessystemFilterAdministratorToken
(only required for Vista/7/2008/2008R2/2012)
3. If the local account that you specify is is not THE built-in administrator account on the target computers, but instead is just a regular named local account that is a member of the local administrators group on the target computers, then the following registry DWORD must be set to 1 on the target computers:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciessystemLocalAccountTokenFilterPolicy
(only required for Vista/7/2008/2008R2/2012)
- You must be logged in to reply to this topic.