So I've been testing out PDQ Deploy in our Windows AD environment, where we use a domain to deploy apps remotely to Windows machines (7 & 10) on AD. Whenever we try to use a local admin account on a remote machine on AD, it gives an access denied error. The solution is to disable Remote UAC via the LocalAccountTokenFilterPolicy registry key on remote machines (https://support.adminarsenal.com/hc/en-us/articles/220533007). This would have to be the case with machines that are not on AD.
We're in the process of getting a license for PDQ and setting up PDQ on its own Windows 2012 server; however, the sys admins and network security team are concerned. The sys admins prefer NOT to use a domain account but instead a managed service account with no admin rights to remote machines. In addition, they would want LAPS to be used, which makes sense.
I believe LAPS can only be used on local accounts and not on a domain account. So if we were to use LAPS on a local admin account for deploying apps via PDQ Deploy, wouldn't it require Remote UAC to be disabled on all remote machines? This, of course, is where network security gets concerned. Any guidance is really appreciated, thanks!