PDQ Central - Multiple Domains
I'm an admin of 4 seperate networks and have my PDQ server on a maintance VLAN where I can access all 4 networks. All 4 networks have different Active Directory Domain Names and User / Password admin accounts. My question is, in theory, will this work, or does PDQ Central Feature require everyone to be on the same domain?
I don't work for PDQ and I haven't tested this but I think it should work. You can add several domains in PDQ Inventory. You would need to set up a scan user and deploy user for each domain. You can set the biggest one as the default and then you would have to adjust which scan user is used in the other three domains' computers. I think you could just build a dynamic collection for each domain and just select all > right-click > select scan user.
You might run into issues if you want to use LAPS for your scan/deploy user since I don't know if it's smart enough to pull LAPS credentials from different domains but I have not tested that.
Hopefully someone from PDQ can elaborate further.
Yup, I ended up doing exactly that and creating sub collections for each app in each domain and set the credentials accordingly. Only way to get the central to connect to the client was doing domain trust. Once that was setup I was able to get the clients to connect to central from across domains.
Also made sure my Repository was shared and had 'everyone' read permissions.
Hope it works out for anyone else doing this. I was unable to get it to work without domain trust enabled two way.
I would generally caution against allowing the "everyone" group to have permissions to anything since it allows anonymous/guest users to access files, but I don't know your environment like you do so it may be required for your use case.
It might be possible to use "Authenticated Users" instead of "Everyone" to be a little big safer, but without being able to test your unique multi-domain setup I do not know if that would work for you.
Its patches... I don't care who has access to the pdq repo. Authenticated users won't work unless its in the same domain. Other option is create an enterprise admin, but that's a huge security hole. I'll stick with what I have. I also said, read permissions, not full control. The risk is minimal if not, no risk.
Please sign in to leave a comment.