Purpose
You wish to understand the deeper mysteries of credentials: what they do, how they work, when they're used, and why we have them.
Resolution
This guide covers the accounts and required permissions for use with PDQ Deploy and PDQ Inventory.
Disclaimer: Deploying to or scanning a Domain Controller requires that the Deploy / Scan User account be a Domain Administrator. If deploying packages to or scanning a Domain Controller is required, it is recommended to add that Deploy / Scan User as a secondary set of credentials and assign it only to the specific targets that require it. The following Knowledge Base article explains how to configure and use multiple credentials in PDQ Deploy and PDQ Inventory.
Adding and Using Multiple Credentials in PDQ Deploy & Inventory
There are many known vulnerabilities in how Microsoft uses and stores credentials in Windows, both in active memory and as service account Run As credentials. A variety of malware tools, including Mimikatz, take advantage of this inherent vulnerability in Windows in a manner that might allow a threat actor to steal credentials and move laterally within your network. For this reason, PDQ recommends respecting the principle of least privilege, and making use of technologies such as LAPS to prevent the lateral compromise of your network in the event that a single managed computer is compromised. For more information, see PDQ Deploy & Inventory on Security.
PDQ Deploy Credentials
PDQ Deploy credentials fall under three categories and all do separate things. It is recommended to keep your Background Service User, your Deploy User, and your Console Users as separate accounts. Here's a simple matrix that defines the requirements for each:
Requirement                                  | PDQ Deploy Background Service | Credentials (Deploy User) | Console Users
Needs to be admin on the PDQ console         | YES                           | NO                        | YES
Needs to be an admin on the target           | NO                            | YES                       | NO
R/W access to the Repository/Install source  | YES                           | YES (1, 2)                | YES (1)
(1) Read/write access to the Repository and install source is not strictly required for the Deploy User and Console Users; you can still deploy without it, but you can do very little else. For example, you may not be able to download packages or create new packages if the installer files are located in the Repository or in a location where those credentials lack read/write access.
(2) This is required when using Pull Copy Mode.
PDQ Deploy Background Service
Localized Authentication
The background service is used to authenticate the credentialed user (Credentials) and Console Users to the local PDQ installation. The background service user must have local administrative privilege on the PDQ console machine. The background service user is always a Console User. It is not required that the background service user be a local admin on the target machines.
Updates
The background service credentials should also have access to the internet (for example, if using a proxy), as the background service credentials are used to download packages from the Package Library and check for updates to PDQ itself. PDQ Deploy has a backup mechanism to access the internet using the Console User credentials in case this fails.
Repository
The background service credentials are also used to add and retrieve files from the Repository, whether the Repository is in the default location on the PDQ console machine (C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository), on a UNC path, or a DFS namespace. Additionally, the background service must have read access to any installation source outside of the Repository where the Copy Mode is set to Push (Options > Preferences > Performance). When the Copy Mode is set to Pull, each target will attempt to pull the files using the PDQ Deploy runner service, which will use the Deploy User credentials (Options > Credentials).
Interoperability / Integration
The background service is also used to connect to a local installation of PDQ Inventory. It is not required that both PDQ Deploy and PDQ Inventory use the same background service credentials.
IMPORTANT: In cases where the background service credentials are different between PDQ Deploy and PDQ Inventory, the background service credentials must be Console Users on the corresponding application.
For example, PDQ Deploy's background service user is PDQDeploySvc and PDQ Inventory's background service user is PDQInventorySvc. PDQDeploySvc must be a Console User in PDQ Inventory and PDQInventorySvc must be a Console User in PDQ Deploy.
PDQ Deploy Credentials (Deploy User)
Credentials (Deploy User) are the credentials used to deploy software. The Deploy User does not need to be a local admin on the PDQ console machine, but they must be a local admin on any target you wish to deploy to.
The Deploy User uses the background service on the PDQ Deploy console to download the installation files to the target computer's target directory, which defaults to %WINDIR%\AdminArsenal\PDQDeployRunner\service-n\exec.
By default, the Deploy User also runs the remote runner service on the target computer. The remote runner service is responsible for the deployment of the package on the target computer. However, there are situations where the Deploy User does not run the remote runner service on the target computer. For example, when using Logged on User for the package's Run As (step Options tab) or when using the option, "Use PDQ Inventory Scan User credentials first, when available" in a Schedule (Options tab) or a Deploy Once window (Options tab).
In the case of Logged on User, we use impersonation to run the deployment as the user currently logged on to the machine.
When using Pull Copy Mode (Options > Performance), the Deploy User credentials are used to authenticate on the UNC share from the target machine. In this case, read/write access to the Repository is required for the Deploy User.
For the most secure configuration, PDQ recommends the use of LAPS. Do not use a domain administrator account for the Deploy User unless you need to deploy to a domain controller, and use that account only for the deployments that require it. See this article for details on using multiple credentials.
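To check a console against the requirements matrix above and the Deploy User guidance in this section, here is an added PowerShell audit script (example code written for this article, not part of PDQ's product). It assumes hypothetical account names (CORP\PDQDeploySvc, CORP\PDQDeployUser, CORP\alice), the default Repository path, and the ActiveDirectory RSAT module for the Domain Admins check; the same checks apply to PDQ Inventory by substituting the Scan User.

```powershell
# Added example (not PDQ's code): audit the three PDQ Deploy accounts against the
# requirements matrix. Run on the PDQ console machine in an elevated session.
# Account names are hypothetical placeholders; replace them with your own.
$BackgroundService = 'CORP\PDQDeploySvc'
$DeployUser        = 'CORP\PDQDeployUser'
$ConsoleUsers      = @('CORP\alice')
$Repository        = 'C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository'

# Direct members of the console's local Administrators group. Note: membership
# granted through nested domain groups is not expanded here.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLower() }
function Test-LocalAdmin([string]$Account) { $localAdmins -contains $Account.ToLower() }

# Rule 1: Background Service and Console Users must be local admins on the console.
foreach ($acct in @($BackgroundService) + $ConsoleUsers) {
    if (-not (Test-LocalAdmin $acct)) { Write-Warning "$acct is NOT a local admin on this console" }
}

# Rule 2: The Deploy User only needs admin rights on targets. Flag console admin
# rights as unnecessary privilege (least privilege).
if (Test-LocalAdmin $DeployUser) { Write-Warning "$DeployUser is a local admin on the console; not required" }

# Rule 3: The Deploy User should not be a Domain Admin unless it deploys to DCs.
$domainAdmins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
if ($domainAdmins -contains $DeployUser.Split('\')[-1]) {
    Write-Warning "$DeployUser is a Domain Admin; keep it as a separate credential set used only for DC targets"
}

# Rule 4: Background Service and Deploy User (Pull Copy Mode) need read/write on the
# Repository. Only explicit per-account ACEs are checked; group-based grants are not.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$acl = Get-Acl -Path $Repository
foreach ($acct in @($BackgroundService, $DeployUser)) {
    $rw = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $acct -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    if (-not $rw) { Write-Warning "$acct has no explicit Modify (read/write) ACE on $Repository" }
}
```

Warnings from Rule 4 may be false positives when access is granted through a group; confirm those with an effective-access check before changing ACLs.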
PDQ Deploy Console Users
Console Users are the users that can access and use the PDQ console. Console Users must have local administrative privileges on the PDQ console computer.
When operating in Central Server mode, the PDQ console running as the server must list, in its Console Users, every user who uses a PDQ console running in client mode. Those Console Users must also be local admins on the PDQ console(s) running in client mode.
Reminder: in Central Server, every running console (server or client) counts toward the total number of concurrent connections.
PDQ Inventory Credentials
Like PDQ Deploy, credentials also fall under three categories and all do separate things. It is recommended to keep your Background Service, Scan User, and Console Users as separate accounts. Here's a simple matrix that defines the requirements for each:
Requirement                              | Background Service | Credentials (Scan User) | Console Users
Needs to be admin on the PDQ console     | YES                | NO                      | YES
Needs to be an admin on the target       | NO                 | YES                     | NO
PDQ Inventory Background Service
Localized Authentication
The background service is used to authenticate the credentialed user (Credentials) and Console Users to the local PDQ installation. The background service user must have local administrative privilege on the PDQ console machine. The background service user is always a Console User. It is not required that the background service user be a local admin on the target machines.
Updates
The background service credentials also must have access to the internet (for example, if using a proxy), as the background service credentials are used to download collections from the Collection Library, tools from the Tools Library, and check/download program updates. PDQ Inventory has a backup mechanism to access the internet using the Console User credentials in case this fails.
Interoperability / Integration
The background service is also used to connect to a local installation of PDQ Deploy. It is not required that both PDQ Inventory and PDQ Deploy use the same background service credentials.
IMPORTANT: In cases where the background service credentials are different between PDQ Inventory and PDQ Deploy, the background service credentials must be Console Users on the corresponding application.
For example, PDQ Inventory's background service user is PDQInventorySvc and PDQ Deploy's background service user is PDQDeploySvc. PDQInventorySvc must be a Console User in PDQ Deploy and PDQDeploySvc must be a Console User in PDQ Inventory.
PDQ Inventory Credentials (Scan User)
Credentials (Scan User) are the credentials used to scan targets. Scan Users do not need to be local admins on the PDQ console machine, but they do need to be a local admin on any target you wish to scan.
The PDQ Inventory background service calls the Scan User to copy the files used to scan the target machine to the target directory, which defaults to %WINDIR%\AdminArsenal\PDQInventory-Scanner\service-n\exec.
By default, the Scan User runs the remote scanner service (PDQInventory-Scanner-n) on the target computer, and that service runs as Local System. The remote scanner service is responsible for all scanning tasks on the target computer.
In PDQ Deploy, the Scan User credentials are used to perform the deployment when the option, "Use PDQ Inventory Scan User credentials first, when available" is selected in either a Schedule (Options tab) or a Deploy Once window (Options tab).
For the most secure configuration, PDQ recommends the use of LAPS. Do not use a domain administrator account for the Scan User unless you need to scan a domain controller, and use that account only for the scans that require it. See this article for details on using multiple credentials.
PDQ Inventory Console Users
Console Users are the users that can access and use the PDQ console. Console Users must have local administrative privileges on the PDQ console computer.
When operating in Central Server mode, the PDQ console running as the server must list, in its Console Users, every user who uses a PDQ console running in client mode. Those Console Users must also be local admins on the PDQ console(s) running in client mode.
Reminder: in Central Server, every running console (server or client) counts toward the total number of concurrent connections.
See Also
Article - Adding and Using Multiple Credentials in PDQ Deploy & Inventory