BatchPatch Forums Home › Forums › BatchPatch Support Forum › Batchpatch compatibility with aad only environments
- This topic has 2 replies, 2 voices, and was last updated 2 months ago by brickman.
-
AuthorPosts
-
October 18, 2024 at 1:18 am #14293brickmanParticipant
Hello,
We are in the process of transitioning to an AAD-only authentication system and due to security requirements are not going to be creating local accounts.
We also use jump boxes for our administrative level tasks and so the accounts of the machines are not known to each other without entering alternate credentials into the grids
I unfortunately haven’t been able to find the information for batchpatch being able to authentication with these conditions (if it does exists could I please have a link /directions the the information)
If not do you have any intentions for batchpatch to be able to authentication in this way that is in development or is planned to be included?
Hybrid azure ad environments are also not really an option for us either with our project path forward
Thankyou very much for your time
BrynOctober 18, 2024 at 12:37 pm #14294dougModeratorI don’t know enough about your particular setup or AAD to be absolutely 100% certain of what I’m about to say, but I’m pretty confident that you should be able to use BatchPatch as-is with the setup that you described.
In a standard on-premises AD domain, the primary way that BP users authenticate is by logging on to the BatchPatch computer with an account that is a member of the local administrators group on the target computers (or a member of a security group where the security group is a member of the local administrators group on the target computers). This way when the administrator launches BatchPatch, it runs with the permissions that it needs to be able to perform its tasks on target computers without having to manually specify any credentials in the software itself (because the software is already running in the context of the user that has been granted the required permissions on the target computers by having been put into the local administrators group on the target computers). Or if they don’t log on to the BatchPatch computer with the permissioned account, they might log on to the computer with a different account but then use “run-as” to launch BatchPatch in the context of the permissioned account.
I think with an AAD setup you’ll do the exact same thing. You’ll put the AAD account in the local administrators group of all target computers (or you’ll put the AAD account into a security group where the security group has been added to the local administrators group of all target computers). Then you’ll log on to the BatchPatch computer as that AAD account and then launch BatchPatch (or you’ll log on to the BatchPatch computer with a different account but then launch BatchPatch using “run-as” so that it runs in the context of the AAD account that has been granted local administrator permissions on the target computers).
October 20, 2024 at 9:09 pm #14295brickmanParticipantHi Doug, thanks for the quick reply.
We came to a similar method after making the post but great to get some confirmation we were going about it the right way.
Thanks again for the assistance
Cheers
Bryn -
AuthorPosts
- You must be logged in to reply to this topic.