Batchpatch compatibility with aad only environments


  • This topic has 2 replies, 2 voices, and was last updated 4 weeks ago by brickman.
  • #14293
    brickman
    Participant

    Hello,

    We are in the process of transitioning to an AAD-only authentication system and due to security requirements are not going to be creating local accounts.

    We also use jump boxes for our administrative-level tasks, and so the accounts of the machines are not known to each other without entering alternate credentials into the grids.

    I unfortunately haven’t been able to find the information on BatchPatch being able to authenticate under these conditions (if it does exist, could I please have a link/directions to the information).

    If not, do you have any intentions for BatchPatch to be able to authenticate in this way that are in development or planned to be included?

    Hybrid Azure AD environments are also not really an option for us either with our project path forward.

    Thank you very much for your time
    Bryn

    #14294
    doug
    Moderator

    I don’t know enough about your particular setup or AAD to be absolutely 100% certain of what I’m about to say, but I’m pretty confident that you should be able to use BatchPatch as-is with the setup that you described.

    In a standard on-premises AD domain, the primary way that BP users authenticate is by logging on to the BatchPatch computer with an account that is a member of the local administrators group on the target computers (or a member of a security group where the security group is a member of the local administrators group on the target computers). This way when the administrator launches BatchPatch, it runs with the permissions that it needs to be able to perform its tasks on target computers without having to manually specify any credentials in the software itself (because the software is already running in the context of the user that has been granted the required permissions on the target computers by having been put into the local administrators group on the target computers). Or if they don’t log on to the BatchPatch computer with the permissioned account, they might log on to the computer with a different account but then use “run-as” to launch BatchPatch in the context of the permissioned account.

    I think with an AAD setup you’ll do the exact same thing. You’ll put the AAD account in the local administrators group of all target computers (or you’ll put the AAD account into a security group where the security group has been added to the local administrators group of all target computers). Then you’ll log on to the BatchPatch computer as that AAD account and then launch BatchPatch (or you’ll log on to the BatchPatch computer with a different account but then launch BatchPatch using “run-as” so that it runs in the context of the AAD account that has been granted local administrator permissions on the target computers).
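
    The setup Doug describes, written out as an added PowerShell example (not BatchPatch's own code or documentation): on each AAD-joined target, grant the patching account local-administrator membership idempotently and confirm that the membership resolved as an Azure AD principal, then launch BatchPatch under that account with run-as. The account name `AzureAD\patchadmin@contoso.com` and the path `C:\Tools\BatchPatch.exe` are placeholders; the script assumes the built-in LocalAccounts module (Windows 10 / Server 2016 and later).

    ```powershell
    # Added example, not from BatchPatch. Run elevated on each AAD-joined target.
    $PatchAccount = 'AzureAD\patchadmin@contoso.com'   # placeholder identity
    $Group        = 'Administrators'

    # Check for the single member instead of enumerating the whole group;
    # full enumeration can fail on AAD-joined hosts that hold orphaned SIDs.
    $existing = Get-LocalGroupMember -Group $Group -Member $PatchAccount -ErrorAction SilentlyContinue

    if (-not $existing) {
        # Only add when absent, so the script is safe to re-run from config management.
        Add-LocalGroupMember -Group $Group -Member $PatchAccount -ErrorAction Stop
        $existing = Get-LocalGroupMember -Group $Group -Member $PatchAccount -ErrorAction Stop
    }

    # PrincipalSource should read AzureAD; anything else means the name resolved
    # to a different principal and the grant should be reviewed before use.
    if ($existing.PrincipalSource -ne 'AzureAD') {
        throw "Unexpected principal source '$($existing.PrincipalSource)' for $PatchAccount"
    }
    $existing | Format-Table Name, PrincipalSource, ObjectClass -AutoSize

    # On the BatchPatch machine, if not already logged on as the patching account,
    # launch BatchPatch in that account's context (prompts for the password).
    # runas /user:AzureAD\patchadmin@contoso.com "C:\Tools\BatchPatch.exe"
    ```

    Keep the grant to a dedicated patching identity or a security group rather than a daily-use account, since it becomes local administrator on every target at once.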

    #14295
    brickman
    Participant

    Hi Doug, thanks for the quick reply.

    We came to a similar method after making the post but great to get some confirmation we were going about it the right way.

    Thanks again for the assistance
    Cheers
    Bryn
