There isn't a specific option to allow a set of credentials to be used during scan/deployments. Here is some information on how Protect handles credentials.
For patch scans, asset scans, power management, and executing scripts, Shavlik Protect will attempt to authenticate to each machine using a variety of credentials and will do so using the following strategy:
- If one or more of the following are available, the credential with the highest precedence will be used. The precedence order is as follows:
  a. Machine-level credentials
  b. Group-level credentials (set in Machine Group)
  c. Integrated Authentication (Kerberos) (the credentials set as Default Credentials in the Credentials Manager)
  Example: If machine-level credentials are not available but group-level and default credentials are available, the program will use the group-level credentials.
- If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.
If neither of these credentials work, the scans and the power management tasks will fail.
One suggestion is to make your default credentials the same as the account credentials you typically use to log on to the program. This will eliminate problems that may occur if you forget to assign credentials.
Have you thought about installing agents on these machines? Credentials aren't an issue once you have an agent installed and scan and deploy through the agent.
Thank you. Regarding the precedence order, I read in the article which I believe you quoted above that if the credential is defined, but doesn't work, it will not try the next credential in line. Perhaps I can describe my scenarios where I want this ability.
First, we check workstations that are domain members, so we would normally use a domain administrator to access these computers. But many of these are used remotely, and don't connect to the network except by VPN for long periods of time. It happens that these computers can sometimes lose the domain trust because they have been away too long, and then the domain administrator account no longer works. But a local administrator account does work. You might suggest that I only use the local administrator account, but we have multiple local administrator account passwords, depending on who set up the machine and how long it has been around.
Second, we check servers that are standalone, and we have different local administrator account passwords depending on the platform of the machine; i.e. Windows Server 2003 or Windows 2008 Server. I don't necessarily know the platform level when initiating the scan and deploy, so I would like to try all passwords during the action. I realize there is a risk of account lockout, but that is something I can configure in policy.
Also, I do log on to the console using the same credential as my default credential.
The server example I described can be handled using multiple machine groups, but I don't have a good solution for the workstation example. Perhaps this idea is something that can be considered as a future feature.
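Added example (not part of either post, and not Shavlik Protect code): a small model of the credential selection described in this thread, run against the lost-domain-trust workstation scenario. The function names, account names and the rule that the same account is not tried twice are assumptions.

```python
# Illustrative model only; not Shavlik Protect code. Accounts are constructed samples.
PRECEDENCE = ("machine", "group", "default")  # order given in the thread


def select_assigned(assigned):
    """Return (scope, account) for the highest-precedence credential that is defined."""
    for scope in PRECEDENCE:
        if assigned.get(scope):
            return scope, assigned[scope]
    return None


def authenticate(assigned, console_account, accepted):
    """Try the selected credential, then the console user's own logon.

    Lower-precedence assigned credentials are never tried, even when the
    selected one is rejected. Returns (winner or None, list of attempts).
    """
    candidates = []
    chosen = select_assigned(assigned)
    if chosen:
        candidates.append(chosen)
    candidates.append(("integrated", console_account))

    attempts = []
    for scope, account in candidates:
        if any(account == tried for _, tried in attempts):
            continue  # assumption: the same account is not retried
        attempts.append((scope, account))
        if account in accepted:  # 'accepted' stands in for the target's answer
            return (scope, account), attempts
    return None, attempts


def lost_trust_workstation():
    """Scenario from the thread: domain trust lost, only a local admin works."""
    assigned = {"group": r"CORP\domain-admin", "default": r"CORP\patch-svc"}
    return authenticate(assigned, r"CORP\patch-svc", {r".\Administrator"})


if __name__ == "__main__":
    winner, attempts = lost_trust_workstation()
    print("winner:", winner)
    print("attempts:", attempts)
```

In this model at most two logon attempts reach a target, and the scan fails on the lost-trust workstation because the working local account is never among the candidates unless it is assigned at a level that outranks the group credential.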
Thank you for the detailed explanation, I do see a lot of merit in what you are looking for and I agree this is worth a feature request. I could submit the request for you, but a request directly from a customer has more weight. Let me know.
Thank you. I have submitted the new feature request: RE-2361.
Great, I know the Product Manager looks at these frequently.