what tool allows a computer to determine a user s identity with the most authority?
Assign Logon Script
Assign Script
The Assign Script dialog box provides the ability to assign a logon script to domain user accounts in order for the user to qualify for User Direction settings. Computers that are only going to be configured with administrator settings from Calculator Management profiles and objects are non required to have a logon script divers.
In addition to assigning a logon script to domain users, this tool can as well be used to query which users in your domain currently have a specific logon script assigned to them. Any user who is a Domain Admin has the power to update the assign/unassign logon scripts for users.
Select domain
On the left hand side of the Assign Script dialog, using the Agile Directory OU and Groups tree, select the domain, grouping or organizational unit that will exist used to locate users who volition exist assigned the Desktop Authority logon script.
Multi-select box 
The elements in the user list can exist selected i at a time or several at one time. You tin can select more than than one element in the listing using the Shift or Ctrl key in combination with a mouse click. To select multiple users, hold downwardly the CTRL central while clicking the private users to select. Consecutive users in the grid can be selected past clicking the first user to select and then, while holding down the SHIFT fundamental, clicking the last user to select. To select the entire list of users select the checkbox to the left of the column headers. This box will be empty if no users are selected and will be filled with a square if some users are selected. A user's selected condition may exist changed by clicking on it. If there is merely one user in the list, it will always exist selected.
Find users
Enter search criteria that will find matching Active Directory users. This is an inclusive search. Any user found with the search criteria in any role of the user name will exist institute as a match. Valid characters consist of [A-Z], [a-z] and [0-9].
Searching with a specific OU highlighted in the tree will search merely that specific OU.
Assign script
Click Assign script to assign a logon script to all selected users in the list. In most cases, the script to assign volition be SLOGIC. However, depending upon circumstances, this can be changed and the new script tin can be selected from the drop list to the left of the Assign script push.
Unassign script
Click Unassign script to unassign a logon script from all selected users in the list. The script may also be unassigned from a specific user by clicking the Unassign link in the Actions cavalcade. This link volition only announced for users who already take an assigned logon script.
User list
The User list displays all users that have an established network account. Shown in this listing are the User Name, Full Name, Description and associated logon script (if any).
GPO Deployment
GPO Deployment*
GPO Deployment will push button out and install an MSI file to each figurer in the targeted Domain or OU(s). The MSI file contains Desktop Authority's customer files and must exist installed to every computer that is to be managed past Desktop Say-so.
The GPO is configured by selectively targeting the root of the domain or OUs (Agile Directory Organizational Units) within the enterprise. 32-fleck and 64-bit systems tin too be selectively targeted. It is important to annotation that all computers within the selected domain or OU(s) will receive the customer files unless a computer is defined as an exception.
Calculator(s) to be excluded from the installation of the Desktop Authorization client files are configured in the Global Common Management Exception Options. Excluded computers will not receive the necessary Desktop Authority customer files that are necessary for the computer to be managed by Desktop Authority.
| | Of import: Client provisioning will determine the best fashion to install the customer files to each workstation. This may include the use of GPO Deployment. Client provisioning provides a style to install the customer files successfully on most computers in the network. |
| | IMPORTANT: GPO Deployment requires the Authenticated Users grouping to have Read, Execute and List NTFS permissions on the %windir%\SYSVOL\sysvol\%DomainName%\Policies\Desktop Authority\Desktop Authority Amanuensis 8.0 folder. If this requirement is not configured, Desktop Authorisation will automatically add the Authenticated Users group to this binder with the required permissions. |
General
Preferred domain
Select a preferred domain from the drop list to be used as the default domain against which queries are run. This includes the types of queries where domain specific data, such equally a list of domain controllers, is required.
Domain controller
If the client files location is set to SYSVOL, select a server from the driblet listing as the target for the client files.
WMI Filtering
Use WMI Filters
WMI Filters are used to fine melody the application of GPOs during a Grouping Policy refresh. A WMI Filter includes 1 or more WMI Query Language (WQL) queries. If any of these queries evaluate to True so the WMI filter is considered to evaluate to True and the GPO to which information technology is linked is applied. If the queries do not render annihilation in the resultant set then the GPO is not applied.
In most cases, this box should exist selected. If however, WMI is posing a specific environment issue, unselect this option.
GPO Deployment List
The GPO Extension will exist deployed to the selected domain or OUs in this listing. The extension is set to either Install or Uninstall the MSI. Click on a column header to sort the list either ascending or descending by the selected column.
Organizational Unit
The Organizational Unit to which the extension volition exist installed to or removed from.
32-flake systems/64-bit systems
The selected install mode for 32-bit and 64-bit computers.
Add
Click Add to configure an OU for GPO deployment. The selected OU will be added to the GPO Deployment list.
GPO Deployment is supported on Windows vii and in a higher place, Server 2008, Windows Server 2008 R2, Windows 2012, Windows 2012 R2, Windows Server 2016, Windows Server 2019, Windows 7, Windows eight.1 and Windows x. Windows Installer and .NET four.half-dozen are required on the target computers. Desktop Potency will install these software requirements, if necessary.
Get-go, the OU must exist selected. To practice this, navigate to the OU on the left hand pane. As you click on the OU, the Deploy DA Client to in the right hand pane will exist filled in with the choice from the left pane.
Next, select Install or Uninstall for 32-bit systems and 64-bit systems.
| | Annotation: Global Option Exceptions volition be respected. |
Confirm the selected settings and click Salve to complete the GPO Deployment configuration for the selected OU.
Click Abolish to get out without saving whatsoever GPO Deployment configurations.
Remove
Click Remove to unlink the GPO from the OUs selected in the GPO Deployment list.
Later on unlinking the GPO, the following dialog provides the opportunity to remove the GPO and the associated files.
This dialog is only visible when the terminal GPO element is removed from the GPO Deployment list.
Effigy 30: Delete GPO and associated files confirmation dialog
Delete Desktop Authority GPOs
Selecting this box volition delete the GPOs and WMI filters.
Delete Desktop Authority Customer files from SYSVOL
Selecting this box will remove the Desktop Authority Amanuensis 8.0 folder nether SYSVOL. The default path to this folder is C:\WINDOWS\SYSVOL\sysvol\[domain]\Policies\Desktop Authority\Desktop Authorisation Agent viii.0. This folder volition exist removed from one Domain Controller. During the course of normal replication on the domain, it will be removed from all other Domain Controllers.
Delete Desktop Dominance device policy master files from SYSVOL
Selecting this box will remove the Device Policy Master folder under SYSVOL. The default path to this folder is C:\WINDOWS\SYSVOL\sysvol\[domain]\Policies\Desktop Authority\Device Policy Master. This folder will be removed from one Domain Controller. During the course of normal replication on the domain, it volition be removed from all other Domain Controllers.
If both checkboxes, Delete Desktop Dominance Client Files from SYSVOL and Delete Desktop Authorisation Device Policy Master files from SYSVOL are selected, the Desktop Authority folder nether SYSVOL will exist removed forth with all the folders and files underneath information technology. The default path to this folder is C:\WINDOWS\SYSVOL\sysvol\[domain]\Policies\Desktop Authority.
Edit
Click to edit the selected OU settings. Change either the 32-bit or 64-flake install modes.
Verify GPOs
Click Verify GPO'due south to confirm that the Desktop Potency GPO extensions and WMI filters are upwards to date correctly configured.
Update GPOs
Click this button to increase the GPO extension internal version to the specified OUs. Once the version is incremented, the GPO volition be recognized as a new version. Information technology will exist executed on any customer whose version is different.
Refresh
Click Refresh to update the GPO Deployment listing.
Client Provisioning
Customer Provisioning
There are two means in which Desktop Authority can deploy the necessary client files to machines that will exist managed by Desktop Authorization. Desktop Authority uses Client Provisioning which encompasses both GPO-based Deployment and Logon-based Deployment. Customer Provisioning dynamically chooses from the best of several deployment approaches at runtime. The specific technique used depends on the client environment, and the obstacles present in that environment.
Figure 31: Customer Provisioning overview
Desktop Authority GPO-based Deployment and Logon-based Deployment can both be used to deploy the Desktop Authority technology to client workstations and/or servers. They differ from each other in regard to the permission levels needed to reach the deployment. It is important to note that DA GPO does not require a user to login for the client files to be installed to the client, whereas the other methods used to deploy the client files will require a user logon. This is important to consider when provisioning workstations or servers.
Deploying the Privileged Customer-side Extension with GPO-based Deployment requires college permission levels than not-domain admins, such as an OU Admin would typically have. Therefore, in some cases an OU Admin would non be able to configure the customer file deployment without assistance from a Domain Admin, which defeats the purpose of having an OU Admin.
It is due to this privilege level issue, that Smart Client Provisioning has been implemented. Client Provisioning volition go through the following series of steps to get the DAClientInstall.MSI deployed or installed on a machine.
- Attempt to install the client files (DAClientInstall.MSI) with the user's credentials. This will be successful just if the user is a local admin.
- If using the user credentials does non successfully install the client files, then an try to install the files using a process that is launched administratively via WMI. Information technology is possible that a firewall may cake WMI communications. TCP ports 135 or 445 may be opened to allow a remote WMI connect.
- If using WMI does non successfully install the file, then an attempt is made to use a process installed as a service via SCM (Service Command Managing director). It is possible that the firewall may block remote SCM calls.
- If the in a higher place fails, an effort to install the MSI volition exist made using a process, run administratively, that uses token elevation. This method may require an UAC prompt to the user.
- If the above fails, and so brandish the UAC prompt and install the MSI using a procedure, run administratively, using token summit.
- Otherwise, GPOs must be used to install the MSI. The utilise of GPO's is still required if you want no-touch provisioning of machines.
| | Important: It is important to note that if WMI fails to let a remote connectedness, TCP ports 135 or 445 may be opened to permit this connexion to exist successful and thereby allow the installation of the client files. Opening these ports may be easier to configure than to configure GPO deployment throughout the enterprise. |
Client provisioning settings
Logon-based provisioning
Customer files location
With Logon-based Deployment, customer files can be delegated to client machines via NETLOGON, a custom NETLOGON or SYSVOL. This makes the Logon-based Deployment very flexible.
Select either NETLOGON or SYSVOL from the drop down carte. Client files volition be replicated to the specified location and practical to each client reckoner when a user logs into the figurer with the Desktop Authorization logon-script (slogic.bat).
Select NETLOGON to utilize any NETLOGON share to store the customer files. Using NETLOGON allows the NETLOGON share (or any custom share hosting the user files) to be used.
Selecting SYSVOL volition allow client files to be stored in a single place, to be shared between GPO and logon-based provisioning.
| | Notation: When using both Logon-based Deployment and GPO-based Deployment, using the SYSVOL location is the nigh efficient. The file location is shared for both GPO-based and Logon-based Deployments. This is well-nigh useful in large environments. Using SYSVOL requires domain admin privileges. |
Display mistake message if provisioning fails
Select this box to display an mistake bulletin if the logon provisioning fails for some reason. This fault will be displayed on the client.
Allow UAC dialog to be displayed if necessary
Select this box to ensure that the logon-based provisioning completes successfully on the client, if UAC is enabled on the computer. During the provisioning process, a Windows UAC dialog volition exist displayed, if necessary. This may be required if the client-side firewall is unusually restrictive. The user must have the asking. If the permission is not granted or this box is not selected, Desktop Authority may not exist able to provision the reckoner properly.
Software Distribution
Software Distribution*
MSI packages incorporate all necessary files an awarding needs in order for information technology to be installed using Microsoft's Windows Installer. Windows Installer tin install and/or uninstall MSI packages for whatsoever application regardless of the install package used by the manufacturer. Administrators can customize an MSI package by creating a transform (.MST) file. The transform can provide answers to Windows Installer when the MSI file calls for user input, such as choosing which options to install or the right installation path. Information technology tin can too remove unwanted features from the basic installation. MSP files are Microsoft Windows patch files that are updates to applications that accept been previously installed with Windows Installer.
The Desktop Authorisation Software Distribution object is used to manage a repository of Microsoft Windows Installer (MSI, MST, MSP) packages.
The Software Distribution object provides the ability to:
- import packages into its repository.
- export packages from its repository.
- delete packages from the repository.
- publish packages for deployment using the Desktop Authority MSI Packages object.
- unpublish packages, i.east., remove them from use past the MSI Packages object.
- determine the differences betwixt published and unpublished packages.
Effigy 32: Software Distribution process overview
Desktop Authority accesses Windows Installer packages, providing the ability to Import, Export, Modify, Delete and Publish these packages.
Multi-select packages
Ane or more packages may be selected in the Software Distribution list by using the Shift or Ctrl key in combination with a mouse click. To select multiple packages, hold down the CTRL key while clicking the individual packages to select. Consecutive packages in the grid tin be selected by clicking the first parcel to select and so, while holding downwards the SHIFT central, clicking the last package to select. To select the entire list of packages select the checkbox to the left of the column headers. This box will be empty if no packages are selected and will be filled with a square if some packages are selected. A package's selected status may be changed by clicking on it.
Import
Click Import to copy a Windows Installer package into the Desktop Authorisation repository. The Installer file must be an existing MSI, MST or MSP package.
Export
Click Export to copy a Windows Installer bundle from the Desktop Authorisation repository to another divers location.
Publish
Click Publish to make the selected packages available for install by Desktop Authority'due south MSI Packages object. The MSI parcel file is not initially copied to the server that the update service is installed to. However, when the client motorcar requests the packet, the MSI bundle is copied to the server that the Update service is installed to. If a package is never requested past a client, it will not exist on the server.
For configuration information on the Update Service, see What is the Update Service?
Unpublish
Click Unpublish to remove Windows Installer packages from all distribution servers.
Delete
Click Delete to remove a Windows Installer package from the Desktop Say-so repository.
Refresh
Click Refresh to freshen the Software Packages listing.
Software packages listing
The Software Packages listing defines all Windows Installer packages that are available for deployment. This includes MSI, MST and MSP files. Packages must be imported into the Desktop Authority repository to show in this listing. The following data is available about each bundle in the list: Product Proper noun, File Proper noun, Published Condition, Published Date, Manufacturer, Type, Version, Product Code, and File Size.
Evidence differences
Click Bear witness Differences between the published and unpublished versions of the selected parcel, if any differences exist.
This function is only bachelor if the MSI is published and there are determined to exist differences between the published and unpublished version of the parcel. If it is adamant that at that place are no differences between the published and unpublished version of the bundle, this button will be disabled.
| | Note: This feature is non a standard part of Desktop Authority Essentials. To obtain this feature, Desktop Authority Essentials must be upgraded to the full version of Desktop Authorisation. |
Source: https://support.quest.com/technical-documents/kace-desktop-authority/11.1/administrator-guide/24
0 Response to "what tool allows a computer to determine a user s identity with the most authority?"
Post a Comment