Why does the BHOLD Core installer need Domain Admin privs?

    Question

  • All,

    I was installing BHOLD this weekend in my lab, and I was a bit surprised that the BHOLD Core module needs to be installed by a Domain Admin level account.  

    If we pre-create the Service account with the proper SPN, and the needed groups, as well as set that account to logon as a service on the target server, what else is going on that would require Domain Admin during setup?  

    On my first read through, I thought the BHOLD account itself needed Domain Admin to function, which seemed quite a wide role, but on re-reading it's only the account you are installing with.

    I'm following the directions as per the technet link here:  http://technet.microsoft.com/en-us/library/jj134095(v=ws.10)

    I wanted to make sure that the BHOLD account itself had no reliance on being Domain Admin to function, especially if it's being used as the AppPool Identity.

    Thanks,

    Jef


    ----- http://jeftek.com

    June 3, 2012 21:04

All replies

  • I have installed the suite and it is running using the service account, and that service account is a regular account that does not have any other memberships as far as I could see.



    Need realtime FIM synchronization and advanced reporting? check out the new http://www.imsequencer.com that supports FIM 2010, Omada Identity Manager, SQL, File, AD or Powershell real time synchronization!

    June 4, 2012 6:48
  • This is a great question and I just posted the same question before I saw yours, sort of.  You are asking if the service account needs domain admins to run the service.  I am asking why the install needs domain admins at all.  What is this install changing or what does it need access to in the domain that only a domain admin has access to?  I really hope someone from the product knows the answer.


    Paul N Smith

    June 4, 2012 23:58
  • The Bhold Account (default b1user) doesn't need to be a Domain Admin (or related) to function properly. This Bhold Account (b1user) only needs the IIS_IUSRS group, since it will also be used for the application pool, and the BholdApplicationGroup (this group will be used in MSSQL for granting access to database objects).
    June 7, 2012 11:50
  • I think the question is why the user account "installing" needs to be a domain admin, in other words what the installer configures on behalf of the installing user.


    June 7, 2012 11:53
  • Ok, I did not understand it properly then....

    There are several things which are done during installation (as far as I can remember)

    - creating database
    - putting rights on the install folders
    - putting rights on the registry folder
    - creating the bhold website
    - installing the b1service
    - it will create a RSA container (aspnet_regiis -pc ....)

    June 7, 2012 12:05
  • Thanks that makes more sense


    June 7, 2012 12:49
  • Ok, I did not understand it properly then....

    There are several things which are done during installation (as far as I can remember)

    - creating database
    - putting rights on the install folders
    - putting rights on the registry folder
    - creating the bhold website
    - installing the b1service
    - it will create a RSA container (aspnet_regiis -pc ....)

    What is the RSA container? Is that an OU in AD that is created during the install? Doesn't sound like it. In any case none of those items require a domain admin. I'd give real money if the product team would just answer the question.

    Paul N Smith

    June 7, 2012 13:28
  • In fact it is a certificate for encrypting data in the web.config file (mainly).

    It is also available in your code, if you have the proper rights (manageable), where you can use it for encrypting other types of data. It is, for example, also used to encrypt sensitive data in the registry (passwords), and in several other places...

    you can find more information here: http://msdn.microsoft.com/en-us/library/53tyfkaw

    So this means that it isn't an OU in AD nor an OU in Bhold (of course there is 1 OU created by default, the root OU, but this OU has nothing to do with RSA).

    June 7, 2012 13:40
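As an added example (my own, not code from the thread or from the BHOLD installer): the RSA container, web.config encryption and install-folder rights steps from the list above, carried out from an elevated PowerShell prompt as a local administrator. The only privilege check in the script is for local Administrators; nothing in it calls Active Directory, which is what the posters are arguing. The account CONTOSO\b1user, the site path C:\inetpub\wwwroot\BHOLD, the container name BholdKeys, the provider name BholdRsaProvider and the 64-bit .NET 4 path to aspnet_regiis.exe are all assumptions.

```powershell
# Added example, not BHOLD's installer. Performs the "-pc" RSA container step,
# web.config encryption and folder ACL steps as a LOCAL administrator.
# Assumed names: CONTOSO\b1user, C:\inetpub\wwwroot\BHOLD, BholdKeys, BholdRsaProvider.
param(
    [string]$ServiceAccount = 'CONTOSO\b1user',            # assumed app-pool / service identity
    [string]$WebRoot        = 'C:\inetpub\wwwroot\BHOLD',  # assumed physical path of the site
    [string]$KeyContainer   = 'BholdKeys',                 # assumed RSA key container name
    [string]$ProviderName   = 'BholdRsaProvider'           # assumed provider name in web.config
)

$ErrorActionPreference = 'Stop'

# 1. The only privilege check: elevated member of local Administrators.
#    There is deliberately no Domain Admins test anywhere in this script.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated prompt as a local administrator.'
}

# aspnet_regiis.exe ships with the .NET Framework; 64-bit v4 location assumed.
$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

function Invoke-Regiis {
    param([string[]]$Arguments)
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 2. Create a machine-level, exportable RSA key container (the "aspnet_regiis -pc" step).
#    The key material lands under the local MachineKeys store, not in AD.
Invoke-Regiis @('-pc', $KeyContainer, '-exp')

# 3. Grant the service / app-pool account read access to the container so the
#    site can decrypt at runtime without the account being an administrator.
Invoke-Regiis @('-pa', $KeyContainer, $ServiceAccount)

# 4. Register an RsaProtectedConfigurationProvider in web.config that points at
#    the container, unless a configProtectedData section already exists.
$cfgPath = Join-Path $WebRoot 'web.config'
[xml]$cfg = Get-Content -Path $cfgPath
if (-not $cfg.configuration.configProtectedData) {
    $cpd       = $cfg.CreateElement('configProtectedData')
    $providers = $cfg.CreateElement('providers')
    $add       = $cfg.CreateElement('add')
    $add.SetAttribute('name', $ProviderName)
    $add.SetAttribute('type', 'System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')
    $add.SetAttribute('keyContainerName', $KeyContainer)
    $add.SetAttribute('useMachineContainer', 'true')
    [void]$providers.AppendChild($add)
    [void]$cpd.AppendChild($providers)
    [void]$cfg.configuration.AppendChild($cpd)
    $cfg.Save($cfgPath)
}

# 5. Encrypt the connectionStrings section in place with that provider.
Invoke-Regiis @('-pef', 'connectionStrings', $WebRoot, '-prov', $ProviderName)

# 6. "Rights on the install folders": read/execute for the service account,
#    inherited by subfolders and files. A local ACL change, nothing domain-wide.
& icacls.exe $WebRoot /grant "${ServiceAccount}:(OI)(CI)RX" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 7. Verify: the section now carries configProtectionProvider="<name>" and an
#    EncryptedData child instead of plaintext connection strings.
[xml]$check = Get-Content -Path $cfgPath
$section = $check.configuration.connectionStrings
if ($section.configProtectionProvider -ne $ProviderName) {
    throw 'connectionStrings was not encrypted'
}
"connectionStrings encrypted with RSA container '$KeyContainer'; read access granted to $ServiceAccount"
```

Run it once per server; `aspnet_regiis -pc` fails if the container already exists, and `aspnet_regiis -pdf connectionStrings <path>` reverses the encryption. If the b1user account is later changed, rerun only the `-pa` step for the new account rather than recreating the container, or the already encrypted sections become unreadable to the site.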
  • Some changes have been made to the BHOLD Core installer that require you to be a domain administrator. Some checks are performed (like the prerequisites) during the installation.

    The 'old' version of the BHOLD Core did not require you to be a domain admin, so you can assume that these new 'checks' carried out by the installer require these access rights - or the REAL required access rights have not been researched yet, so domain admin rights are advised to be on the safe side.


    Remy de Vries Technical Consultant Elephant Security

    July 17, 2012 19:55
  • I am looking for a concrete answer on the need for the user to be a member of the domain admin group to install the BHOLD Core module. I have searched the Microsoft documentation on TechNet; membership in the domain admin group is given as a prerequisite without any explanation or reasoning. If I need to install only BHOLD Core and BHOLD Model Generator, do I still have to log in as a member of the domain admin group? Could someone point me to the source please?

    12 hours 55 minutes ago