Workflow advice for developing OS deployment
Hi, I'm looking to develop a workflow for an automated OS deployment. One rule I must follow is the concept of least privilege: if no domain rights are needed for the current step, they are not to be used.

Our image is as thin as possible and we have a dedicated imaging suite. This applies the OS image and joins the domain via answer file. The suite also includes device drivers for the current hardware being deployed to. All of our agency-used software we have in PDQ packages. We use Active Directory to deploy group policy. We utilize LAPS, and our PDQ Inventory default scan user is LAPS.

First thing first: I could do all I want to do via deployments and schedules deploying with domain admin creds. I can not do this, as the one rule I must follow is least privilege.

So I have a fresh computer on the domain. Tasks needing to be completed from here: install needed software, inventory the computer, do needed AD tasks. Anything that does not need domain access is to be done with LAPS. Anything that needs domain access can be done with admin access. AD tasks need to be done, and RSAT / the PowerShell AD module is not present on the freshly imaged computer. The PDQ server does have access via RSAT and can import the AD module. I need to automate the process.

Issues I've run into are: one large package with everything needed as nested packages, where least privilege is not observed (not sure if it's set up properly to change creds from step to step, package to package, or whether that's possible at all); and dynamic collections with heartbeat deployments, which are not reliable to initiate the LAPS install and then have the inventory scan properly via LAPS to get info for memberships (chicken-and-egg issues).

Current thinking is schedules linked to OUs and moving the computer object through staged deployment OUs. Not overly pleased with this thinking, but with solid divisions in the access rights needed, it's the best way I can think of to divide the creds used.
Overall, any input is welcome, but least privilege must be observed.
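One concrete shape for the staged-OU idea in the post, as an added example that is not code from the post or from PDQ: a promotion step meant to run on the PDQ server (where the ActiveDirectory module is available) under a delegated account that is only allowed to move computer objects between the staging OUs, so no domain admin credential is involved. The OU paths, the account, and the parameter names are assumptions.

```powershell
# Added example: advance a freshly imaged computer one stage along the deployment OUs.
# Assumptions (hypothetical): the OU paths below exist; $OuMoveCredential is a
# delegated account with rights to move computer objects between these OUs only;
# $ComputerName is supplied by the PDQ Deploy schedule that runs this step.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [Parameter(Mandatory)] [pscredential] $OuMoveCredential   # delegated, not domain admin
)

Import-Module ActiveDirectory -ErrorAction Stop

# Ordered staging OUs (assumed names). A computer may only advance one stage per run,
# so a mistaken schedule cannot jump a machine straight to the final OU.
$Stages = @(
    'OU=Stage1-Baseline,OU=Deployment,DC=corp,DC=example',
    'OU=Stage2-Software,OU=Deployment,DC=corp,DC=example',
    'OU=Stage3-Inventory,OU=Deployment,DC=corp,DC=example',
    'OU=Workstations,DC=corp,DC=example'
)

$computer  = Get-ADComputer -Identity $ComputerName -Credential $OuMoveCredential -ErrorAction Stop
# Parent OU is everything after the leading "CN=<name>," of the distinguished name.
$currentOu = ($computer.DistinguishedName -split ',', 2)[1]
$index     = [array]::IndexOf($Stages, $currentOu)

if ($index -lt 0) {
    # Refuse to touch objects outside the staging chain (e.g. production workstations).
    throw "$ComputerName is in '$currentOu', which is not a staging OU; refusing to move."
}
if ($index -eq $Stages.Count - 1) {
    Write-Output "$ComputerName is already in the final OU; nothing to do."
    return
}

$target = $Stages[$index + 1]
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target `
              -Credential $OuMoveCredential -ErrorAction Stop
Write-Output "Moved $ComputerName from '$currentOu' to '$target'."
```

Each stage's PDQ Deploy schedule can then target an Inventory collection filtered on that OU, with the LAPS-only steps attached to the early stages and this script as the final step of each, so the domain-side credential is used solely for the OU move.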
Comments
This is how I do things:
I have my standard image; most of the company uses this.
Then after I join the computers to the domain I drag them to a specific OU.
In PDQ Deploy, I have schedules set up that are linked to PDQ Inventory: if a computer is part of this OU and is missing, let's say, "anti-virus" or "finance application", it is automatically deployed with the heartbeat feature.