PDQ Credentials Explained

7/24/2018

Purpose:
You wish to understand the deeper mysteries of credentials: what they do, how they work, when they’re used, and why we have them.

Resolution:
Credentials are covered below, one PDQ product at a time.

PDQ Deploy
PDQ Deploy credentials fall under three categories and all do separate things. Here’s a simple matrix that defines the requirements for each:

                                              | PDQ Deploy Background Service | Credentials (Deploy User) | Console Users
Needs to be admin on the PDQ console          | YES                           | NO                        | YES
Needs to be an admin on the target            | NO                            | YES                       | NO
R/W access to the Repository/Install source   | YES                           | YES (1)(2)                | YES (1)

(1) The Deploy User and Console Users are not strictly required to have read/write access to the Repository and install source, and you can still deploy without it, but you can do very little else. For example, you may not be able to download packages or create new packages if the installer files are located in the Repository or in a location where those credentials do not have read/write access.
(2) Required when using Pull Copy Mode.

PDQ Deploy Background Service:
Localized Authentication
The background service is used to authenticate the credentialed user (Credentials) and Console Users to the local PDQ installation. The background service user must have local administrative privilege on the PDQ console machine. The background service user is always a Console User. It is not required that the background service user be a local admin on the target machines.

Updates
The background service credentials should also have access to the internet (for example, if using a proxy), as the background service credentials are used to download packages from the Package Library and check for updates to PDQ itself. PDQ Deploy has a backup mechanism to access the internet using the Console User credentials in case this fails.

Repository
The background service credentials are also used to add and retrieve files from the Repository, whether the Repository is in the default location on the PDQ console machine (C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository), on a UNC path, or a DFS namespace. Additionally, the background service must have read access to any installation source outside of the Repository when the Copy Mode is set to Push (Options > Preferences > Performance). When the Copy Mode is set to Pull, each target will attempt to pull the files using the PDQ Deploy runner service, which will use the Deploy User credentials (Options > Credentials).

Interoperability/Integration
The background service is also used to connect to a local installation of PDQ Inventory. It is not required that both PDQ Deploy and PDQ Inventory use the same background service credentials.

IMPORTANT: In cases where the background service credentials are different between PDQ Deploy and PDQ Inventory, the background service credentials must be Console Users on the corresponding application.

For example, PDQ Deploy’s background service user is PDQDeploySvc and PDQ Inventory’s background service user is PDQInventorySvc. PDQDeploySvc must be a Console User in PDQ Inventory and PDQInventorySvc must be a Console User in PDQ Deploy.

PDQ Deploy Credentials (Deploy User):
Credentials (Deploy User) are the credentials used to deploy software. The Deploy User does not need to be a local admin on the PDQ console machine, but they must be a local admin on any target you wish to deploy to.

The Deploy User uses the background service on the PDQ Deploy console to download the installation files to the target computer’s target directory, which defaults to %WINDIR%\AdminArsenal\PDQDeployRunner\service-n\exec.

By default, the Deploy User also runs the remote runner service on the target computer. The remote runner service is responsible for the deployment of the package on the target computer. However, there are situations where the Deploy User does not run the remote runner service on the target computer. For example, when using Logged on User for the package’s Run As (step Options tab) or when using the option, "Use PDQ Inventory Scan User credentials first, when available" in a Schedule (Options tab) or a Deploy Once window (Options tab).

In the case of Logged on User, we use impersonation to run the deployment as the user currently logged on to the machine.

When using Pull Copy Mode (Options > Performance), the Deploy User credentials are used to authenticate on the UNC share from the target machine. In this case, read/write access to the Repository is required for the Deploy User.

PDQ Deploy Console Users:
Console Users are the users that can access and use the PDQ console. Console Users must have local administrative privileges on the PDQ console computer. 

When operating in Central Server mode, the PDQ console running as the server must list, under Console Users, the users of the PDQ console(s) running in client mode. Those Console Users must also be local admins on the client-mode console(s).

Reminder: in Central Server, every running console (server or client) counts toward the total number of concurrent connections.

PDQ Inventory
Like PDQ Deploy, credentials also fall under three categories and all do separate things. Here’s the matrix that defines the requirements for each:


                                              | Background Service | Credentials (Scan User) | Console Users
Needs to be admin on the PDQ console          | YES                | NO                      | YES
Needs to be an admin on the target            | NO                 | YES                     | NO


PDQ Inventory Background Service:

Localized Authentication
The background service is used to authenticate the credentialed user (Credentials) and Console Users to the local PDQ installation. The background service user must have local administrative privilege on the PDQ console machine. The background service user is always a Console User. It is not required that the background service user be a local admin on the target machines.

Updates
The background service credentials must also have access to the internet (for example, if using a proxy), as the background service credentials are used to download collections from the Collection Library, tools from the Tools Library, and to check for and download program updates. PDQ Inventory has a backup mechanism to access the internet using the Console User credentials in case this fails.

Interoperability/Integration
The background service is also used to connect to a local installation of PDQ Deploy. It is not required that both PDQ Inventory and PDQ Deploy use the same background service credentials.

IMPORTANT: In cases where the background service credentials are different between PDQ Inventory and PDQ Deploy, the background service credentials must be Console Users on the corresponding application.

For example, PDQ Inventory’s background service user is PDQInventorySvc and PDQ Deploy’s background service user is PDQDeploySvc. PDQInventorySvc must be a Console User in PDQ Deploy and PDQDeploySvc must be a Console User in PDQ Inventory.

PDQ Inventory Credentials (Scan User):
Credentials (Scan User) are the credentials used to scan targets. Scan Users do not need to be local admins on the PDQ console machine, but they do need to be a local admin on any target you wish to scan.

The PDQ Inventory background service calls the Scan User to copy the files used to scan the target machine to the target directory, which defaults to %WINDIR%\AdminArsenal\PDQInventory-Scanner\service-n\exec.

By default, the Scan User runs the remote scanner service (PDQInventory-Scanner-n) on the target computer as Local System. The remote scanner service is responsible for all scanning tasks on the target computer.

In PDQ Deploy, the Scan User credentials are used to perform the deployment when the option, "Use PDQ Inventory Scan User credentials first, when available" is selected in either a Schedule (Options tab) or a Deploy Once window (Options tab).

PDQ Inventory Console Users:
Console Users are the users that can access and use the PDQ console. Console Users must have local administrative privileges on the PDQ console computer. 

When operating in Central Server mode, the PDQ console running as the server must list, under Console Users, the users of the PDQ console(s) running in client mode. Those Console Users must also be local admins on the client-mode console(s).

Reminder: in Central Server, every running console (server or client) counts toward the total number of concurrent connections.
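As an added example (not PDQ's own code or tooling), the following PowerShell script turns the PDQ Deploy and PDQ Inventory credential matrices above into checks you can run on the console machine. It assumes WinRM access to the targets, that the background service can be found by its display name, and placeholder account and target names that you replace with your own.

```powershell
# Added example, not PDQ's own code. It reports whether the accounts on this console
# satisfy the credential matrix for PDQ Deploy or PDQ Inventory. Assumptions: run elevated
# on the console machine, WinRM reaches the targets, the background service is located by
# its display name, and -Credential is the Deploy User or Scan User (Options > Credentials).
param(
    [ValidateSet('PDQ Deploy', 'PDQ Inventory')] [string]$Product = 'PDQ Deploy',
    [string]$Credential = 'CORP\pdq-deploy',                 # placeholder Deploy/Scan User
    [string[]]$Targets  = @('WS01', 'WS02'),                 # placeholder target names
    [string]$Repository = 'C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository'
)
# Direct members of the local Administrators group on a machine. Nested domain groups are not
# expanded, so an account granted admin through a group shows as the group, not the user.
function Get-LocalAdmins([string]$Computer) {
    $sb = { (Get-LocalGroupMember -Group 'Administrators').Name }
    if ($Computer -eq $env:COMPUTERNAME) { & $sb }
    else { Invoke-Command -ComputerName $Computer -ScriptBlock $sb }
}

# True when an explicit Allow ACE on $Path gives the account write-level rights. Group-based
# grants are not resolved, so False means "verify manually", not "definitely denied".
function Test-ReadWriteAce([string]$Path, [string]$Account) {
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'FullControl|Modify|Write' })
}

# Background service account from Win32_Service.StartName; local accounts come back as
# ".\name", so normalise them to "COMPUTER\name" to match Get-LocalGroupMember output.
$svc = Get-CimInstance Win32_Service | Where-Object DisplayName -like "$Product*" | Select-Object -First 1
if (-not $svc) { throw "No service with display name '$Product*' found on this console." }
$svcAccount  = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
$consoleUser = "$env:USERDOMAIN\$env:USERNAME"
$consoleAdmins = Get-LocalAdmins $env:COMPUTERNAME
$report = @(
    [pscustomobject]@{ Check = 'Background service is a local admin on the console'; Account = $svcAccount;  Pass = $consoleAdmins -contains $svcAccount }
    [pscustomobject]@{ Check = 'Console User (you) is a local admin on the console';  Account = $consoleUser; Pass = $consoleAdmins -contains $consoleUser }
)
# The Deploy/Scan User must be a local admin on every target (it need not be one on the console).
foreach ($t in $Targets) {
    $pass = try { (Get-LocalAdmins $t) -contains $Credential } catch { $false }
    $report += [pscustomobject]@{ Check = "Deploy/Scan User is a local admin on $t"; Account = $Credential; Pass = $pass }
}
if ($Product -eq 'PDQ Deploy') {
    # Repository column of the Deploy matrix: the background service needs R/W, and so does the Deploy User when Copy Mode is Pull (footnote 2).
    $report += [pscustomobject]@{ Check = 'Background service has R/W ACE on the Repository'; Account = $svcAccount; Pass = Test-ReadWriteAce $Repository $svcAccount }
    $report += [pscustomobject]@{ Check = 'Deploy User has R/W ACE on the Repository (Pull Copy Mode)'; Account = $Credential; Pass = Test-ReadWriteAce $Repository $Credential }
}
$report | Format-Table -AutoSize
```

A False in the Pass column points at the row of the matrix that is not met; because the ACL and group checks only look at direct grants, confirm a failure by hand before changing anything.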