PDQ Credentials Explained

Purpose:

You wish to understand the deeper mysteries of credentials: what they do, how they work, when they’re used, and why we have them.

Resolution:

This guide covers the accounts and required permissions for use with PDQ Deploy and PDQ Inventory. 

Disclaimer: Deploying to or scanning a Domain Controller requires that the Deploy / Scan User account be a Domain Administrator. If deploying packages to or scanning a Domain Controller is required, it is recommended to add that Deploy / Scan User as a secondary set of credentials and to assign that account only to the specific targets that require it. The following Knowledge Base article explains how to configure and use multiple credentials in PDQ Deploy and PDQ Inventory.

Adding and Using Multiple Credentials in PDQ


PDQ Deploy Credentials

PDQ Deploy credentials fall into three categories, each serving a different purpose. It is recommended to keep your Background Service User, your Deploy User, and your Console Users as separate accounts. Here is a simple matrix that defines the requirements for each:

Requirement                                   | Background Service | Credentials (Deploy User) | Console Users
----------------------------------------------|--------------------|---------------------------|--------------
Needs to be admin on the PDQ console          | YES                | NO                        | YES
Needs to be an admin on the target            | NO                 | YES                       | NO
R/W access to the Repository/Install source   | YES                | YES [1][2]                | YES [1]

[1] Read/write access to the Repository and install source is not strictly required for the Deploy User and Console Users, and you can still deploy without it, but you can do very little else. For example, you may not be able to download packages or create new packages if the installer files are located in the Repository or in a location where those credentials do not have read/write access.
[2] Required when using Pull Copy Mode.
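As an added example (not PDQ's own tooling), the following Windows PowerShell script checks the matrix above on the console machine: local Administrators membership for the background service and Console Users on the console, local Administrators membership for the Deploy User on each target, and write-level NTFS rights on the Repository. Account names, target names, and the domain are placeholders; the same checks apply to PDQ Inventory by substituting the Scan User and its background service account.

```powershell
# Added example, not part of PDQ. Assumes an elevated Windows PowerShell 5.1
# session on the PDQ console and WinRM enabled on the targets.
$BackgroundSvc = 'CONTOSO\PDQDeploySvc'     # placeholder account
$DeployUser    = 'CONTOSO\PDQDeployUser'    # placeholder account
$ConsoleUsers  = @('CONTOSO\alice')         # placeholder accounts
$Repository    = 'C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository'
$Targets       = @('WS-001', 'WS-002')      # placeholder target names

# Is the account a direct member of the local Administrators group on a machine?
function Test-LocalAdmin {
    param([string]$Account, [string]$ComputerName = $env:COMPUTERNAME)
    $sb = { (Get-LocalGroupMember -Group 'Administrators').Name }
    $members = if ($ComputerName -eq $env:COMPUTERNAME) { & $sb }
               else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb }
    return [bool]($members -contains $Account)
}

# Does the NTFS ACL grant the account write-level rights on the Repository?
# Only direct ACEs are examined; rights inherited through group membership
# are not resolved here, so a NO result may still need a manual check.
function Test-RepoReadWrite {
    param([string]$Account, [string]$Path)
    $acl = Get-Acl -Path $Path
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -match 'Write|Modify|FullControl')
    }
    return [bool]$hit
}

# Background service: admin on the console and R/W on the Repository; not needed on targets.
"Background service local admin on console : $(Test-LocalAdmin $BackgroundSvc)"
"Background service R/W on Repository       : $(Test-RepoReadWrite $BackgroundSvc $Repository)"

# Console Users: admin on the console.
foreach ($u in $ConsoleUsers) {
    "Console user $u local admin on console : $(Test-LocalAdmin $u)"
}

# Deploy User: admin on every target, and R/W on the Repository when Copy Mode is Pull.
foreach ($t in $Targets) {
    "Deploy User local admin on $t : $(Test-LocalAdmin $DeployUser $t)"
}
"Deploy User R/W on Repository (Pull mode)  : $(Test-RepoReadWrite $DeployUser $Repository)"
```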

PDQ Deploy Background Service:

Localized Authentication

The background service is used to authenticate the credentialed user (Credentials) and Console Users to the local PDQ installation. The background service user must have local administrative privilege on the PDQ console machine. The background service user is always a Console User. It is not required that the background service user be a local admin on the target machines.

Updates

The background service credentials should also have access to the internet (for example, if using a proxy), as the background service credentials are used to download packages from the Package Library and check for updates to PDQ itself. PDQ Deploy has a backup mechanism to access the internet using the Console User credentials in case this fails.

Repository

The background service credentials are also used to add and retrieve files from the Repository, whether the Repository is in the default location on the PDQ console machine (C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository), on a UNC path, or a DFS namespace. Additionally, the background service must have read access to any installation source outside of the Repository where the Copy Mode is set to Push (Options > Preferences > Performance). When the Copy Mode is set to Pull, each target will attempt to pull the files using the PDQ Deploy runner service, which will use the Deploy User credentials (Options > Credentials).

Interoperability / Integration

The background service is also used to connect to a local installation of PDQ Inventory. It is not required that both PDQ Deploy and PDQ Inventory use the same background service credentials.

IMPORTANT: In cases where the background service credentials are different between PDQ Deploy and PDQ Inventory, the background service credentials must be Console Users on the corresponding application.

For example, PDQ Deploy’s background service user is PDQDeploySvc and PDQ Inventory’s background service user is PDQInventorySvc. PDQDeploySvc must be a Console User in PDQ Inventory and PDQInventorySvc must be a Console User in PDQ Deploy.

PDQ Deploy Credentials (Deploy User):

Credentials (Deploy User) are the credentials used to deploy software. The Deploy User does not need to be a local admin on the PDQ console machine, but they must be a local admin on any target you wish to deploy to.

The Deploy User uses the background service on the PDQ Deploy console to download the installation files to the target directory on the target computer, which defaults to %WINDIR%\AdminArsenal\PDQDeployRunner\service-n\exec.

By default, the Deploy User also runs the remote runner service on the target computer. The remote runner service is responsible for the deployment of the package on the target computer. However, there are situations where the Deploy User does not run the remote runner service on the target computer. For example, when using Logged on User for the package’s Run As (step Options tab) or when using the option, "Use PDQ Inventory Scan User credentials first, when available" in a Schedule (Options tab) or a Deploy Once window (Options tab).

In the case of Logged on User, we use impersonation to run the deployment as the user currently logged on to the machine.

When using Pull Copy Mode (Options > Performance), the Deploy User credentials are used to authenticate on the UNC share from the target machine. In this case, read/write access to the Repository is required for the Deploy User.

PDQ Deploy Console Users:

Console Users are the users that can access and use the PDQ console. Console Users must have local administrative privileges on the PDQ console computer. 

When operating in Central Server, the PDQ console running as the server must list, under Console Users, every user who runs a PDQ console in client mode. Those Console Users must also be local admins on the PDQ console(s) running in client mode.

Reminder: in Central Server, every running console (server or client) counts toward the total number of concurrent connections.


PDQ Inventory Credentials

Like PDQ Deploy, PDQ Inventory credentials fall into three categories, each serving a different purpose. It is recommended to keep your Background Service, Scan User, and Console Users as separate accounts. Here is a simple matrix that defines the requirements for each:

Requirement                                   | Background Service | Credentials (Scan User) | Console Users
----------------------------------------------|--------------------|-------------------------|--------------
Needs to be admin on the PDQ console          | YES                | NO                      | YES
Needs to be an admin on the target            | NO                 | YES                     | NO


PDQ Inventory Background Service:

Localized Authentication

The background service is used to authenticate the credentialed user (Credentials) and Console Users to the local PDQ installation. The background service user must have local administrative privilege on the PDQ console machine. The background service user is always a Console User. It is not required that the background service user be a local admin on the target machines.

Updates

The background service credentials also must have access to the internet (for example, if using a proxy), as the background service credentials are used to download collections from the Collection Library, tools from the Tools Library, and check/download program updates. PDQ Inventory has a backup mechanism to access the internet using the Console User credentials in case this fails.

Interoperability / Integration

The background service is also used to connect to a local installation of PDQ Deploy. It is not required that both PDQ Inventory and PDQ Deploy use the same background service credentials.

IMPORTANT: In cases where the background service credentials are different between PDQ Inventory and PDQ Deploy, the background service credentials must be Console Users on the corresponding application.

For example, PDQ Inventory’s background service user is PDQInventorySvc and PDQ Deploy’s background service user is PDQDeploySvc. PDQInventorySvc must be a Console User in PDQ Deploy and PDQDeploySvc must be a Console User in PDQ Inventory.

PDQ Inventory Credentials (Scan User):

Credentials (Scan User) are the credentials used to scan targets. The Scan User does not need to be a local admin on the PDQ console machine, but it does need to be a local admin on any target you wish to scan.

The PDQ Inventory background service calls the Scan User to copy the files used to scan the target machine to the target directory, which defaults to %WINDIR%\AdminArsenal\PDQInventory-Scanner\service-n\exec.

By default, the Scan User runs the remote scanner service (PDQInventory-Scanner-n) on the target computer as Local System. The remote scanner service is responsible for all scanning tasks on the target computer.

In PDQ Deploy, the Scan User credentials are used to perform the deployment when the option, "Use PDQ Inventory Scan User credentials first, when available" is selected in either a Schedule (Options tab) or a Deploy Once window (Options tab).

PDQ Inventory Console Users:

Console Users are the users that can access and use the PDQ console. Console Users must have local administrative privileges on the PDQ console computer. 

When operating in Central Server, the PDQ console running as the server must list, under Console Users, every user who runs a PDQ console in client mode. Those Console Users must also be local admins on the PDQ console(s) running in client mode.

Reminder: in Central Server, every running console (server or client) counts toward the total number of concurrent connections.


See Also

Article - Adding and Using Multiple Credentials in PDQ
