Web Filter\Firewall showing PDQ Deploy and\or PDQ Inventory user as currently logged in

Purpose

The PDQ Deploy user or PDQ Inventory scan user is showing as the currently logged on user on a computer.

Resolution

When PDQ Deploy\Inventory runs a deployment\scan on a computer, it will do a network logon to it and create a temporary service to run the process. This temporary service, if it's run with a domain account, it will authenticate to a domain controller and create a logon event from the computer, since the account logs on as a service.

Once the deployment\scan is finished, there is a cleanup process that deletes the temporary service and logs out of the computers.

Most web filters\firewalls that integrate with Active Directory, determine who is logged onto a computer by looking at the logon events on the domain controllers. Unfortunately, they don't take logout events into consideration, this means the latest logon event superseded the previous ones.

To resolve this, you will need to look at your web filters\firewalls Active Directory integration settings to specify "service accounts" to exclude from the logged-on user to computer mapping. This will prevent the PDQ Deploy\Inventory user logon event from superseding the end-user logon event.

Exclude AD Service Account Barracuda

Exclude AD Service Account Palo Alto

Exclude AD Service Account Cisco Umbrella

Exclude AD Service Account Sophos

How It Works: PDQ Deploy

Microsoft Windows Service Logon Events

Microsoft Windows Logon ID Events

Was this article helpful?
Still have a question or want to share what you have learned? Visit our Community Discord to get help and collaborate with others.