When deploying using a LAPS managed account, it would sometimes seem to be desirable that the user account which pushes files to the targets' file shares and installs/starts/removes the PDQRunner service be an account other than the LAPS managed local account. (Specifically, a domain account which can use its password to get Kerberos tickets for these services)

Are there any options for defining such an 'extra' user account which will perform only these steps, leaving just the PDQRunner service (and the processes which it creates) to run under the LAPS managed local account?

The use case for this would be deploying software/scanning within LAPS-enabled domain environments where any of the following are true:

NTLM authentication has been disabled on the targets

The Remote UAC LocalAccountTokenFilterPolicy is enabled on the targets

UNC hardening has been enabled with the 'RequireMutualAuthentication' option set for a file share needed by the deployment on the computer where PDQ Deploy/Inventory is installed

Cancel
login to comment