KACE Desktop Authority 11.0 - ExpertAssist 8.7.1 User Guide

User Guide
Copyright TOC Overview User Interface Home Remote Control File Transfer Help Desk Chat Computer Management Computer Settings Server Functions Scheduling and Alerts Performance Monitoring Security Preferences Custom Pages WAP and PDA Interface About Us

Telnet Connections

Telnet Connections

Selecting this option will display all current Telnet connections currently being served by ExpertAssist. This includes the connections opened via the built-in Command Prompt telnet client as well as those that are served by built-in Telnet Server and opened using some standalone telnet client. It will display the IP address of the connected client, the connection protocol, and the name of the Windows user established the connection. This will be the user whose credentials were used by a remote client to authenticate within ExpertAssist. You can also see the time the connection has been started on, emulation type, console window size (if applicable), and when will the session recovery timeout expire (if applicable).

Additionally, you can terminate the established connection. Clicking the red button in the Lose column will disconnect the client but leave the session open until the session recovery timeout expires.

You can kill the connection by terminating the connection session if you click the red button in the Kill column.

Installed Applications

Installed Applications

Typically, you can view applications installed on a remote computer using the Add or Remove Programs. However, this requires you choose Start|Control Panel|Add or Remove Programs right on the remote computer or press <Windows Logo> + <R>, type appwiz.cpl and press <Enter>. Whilst you can do that from the Remote Control applet, it is much easier to do that from the Installed Application page. It will save your traffic, and allow you export the retrieved list of all the applications, hotfixes, service packs to your local computer right from the browser. If some of the applications installed on the remote computer is failing, you can review the list and locate the faulting one.

To remove the application:

  1. If necessary, you can remove the application by copying the string present in the Uninstall String for the application. This string is only displayed if supported by the application itself.
  2. To uninstall the application, open the Command Prompt page under the Computer Management object, paste the copied string and hit <Enter>.

Please note that Command Prompt runs applications non-interactively (technically, in another Window Station).

When uninstalling applications by executing the uninstall string in the Command Prompt window, make sure to use switches that will force the uninstall to run quietly without requiring remote user input. Use /quiet switch when executing the spuninst.exe: “C:\Windows\$NtUninstallKBXXXX$\spuninst\spuninst.exe” /quiet

Alternatively,

  1. You can write a custom PowerShell script that will execute the uninstall script. For example, suppose that you have to uninstall a KBXXXXX update that has the following in the Uninstall Script:

    C:\Windows\$NtUninstallKBXXXX$\spuninst\spuninst.exe

  2. Copy this string from the page. Now you can write the following single-line script and execute it with ExpertAssist:

    & env:windir\`$NtUninstallKBXXXX`$\spuninst\spuninst.exe

  3. Executing this will automatically run the Software Update Removal wizard on the remote computer.

    Note: Use escape sequences to enable PowerShell correctly handle special symbols like dollar sign ($). Use the backwards apostrophe (`).

    Please refer to Scripts to find out more about PowerShell scripting functionality integrated into the ExpertAssist.

Manipulating installed applications from the page is even easier that doing so from the Control Panel applet. For example, simply hovering your mouse over the row with a particular application in the list will display support information for the application-something that would usually require you clicking the link.

Security

Security

The pages items under Security object allow you access to ExpertAssist’s various enhanced security features.

Access Control

Access Control

Here you can control who has access to Quest ExpertAssist.

The upper portion of this page lists users already granted access to Quest ExpertAssist (if any).

The Add button lets you specify a Windows user or group, and their permissions within the Quest ExpertAssist.

The red Delete button next to each entry in the list will remove that user or group from the access list.

The following list details the options available for an entry in the permission list.

Table 6: Permission list options.

Permission

Type*

Description

Login

[R]

Anyone with any sort of access to Quest ExpertAssist is implicitly granted Login  access. This allows for looking at the Home page, viewing the expiration date of your password on the Security > Windows Password and logging out. This is a basic permission. Users who do not have this permission cannot log in and will not be able to use other permissions should they have it assigned to them.

Configuration

[R][W][D]

Users have access to Server Functions > FTP capabilities, Performance Monitoring > Telnet Connections, Security > IP configurations and Access Control, and Preferences object.  Keep this in mind this grants users access control to modifying user permissions in Quest ExpertAssist.

Scripts

[R][W][D]

Users can execute, create, change or delete scripts on Scheduling & Alerts > Scripting. Users should have appropriate permissions on a remote machine to be able to create, change, or delete scripts.
 

Event Viewer

[R][D]

Allows the use of the Event Viewer page under Computer Management.

File System

[R][W][D]

Allows the use of the File Transfer object, Computer Management > File Manager, Computer Settings > Shared Resources, and Security > EA Logs. Users should have appropriate permissions on a remote machine to be able to copy, modify files to remote machine, and view shared resources.

Registry

[R][W][D]

Allows for editing and compacting of the registry under Computer Management, and viewing Performance Monitoring > Installed Applications.

Performance Data

[R]

Ability to view performance and system information data under Performance Monitoring.

Processes

[R][W][D]

Allows you view processes, service and drivers, on a remote computer, change their settings and statuses in Computer Management object. Allows create and manage tasks via Scheduling & Alerts > Task Scheduler. Users can also view open files, registry keys, TCP/IP ports, and DLLs in use on the remote computer.

Reboot

[W]

Allows rebooting the computer and restarting the ExpertAssist service on the Computer Management > Reboot page.

Remote Control

[R][W][D]

Allows use of the Java-based Remote Control. You can also talk to interactive user via Help Desk Chat.

User/Group Accounts

[R][W][D]

Allows the use of the User Manager page found under the Computer Management object. Users should have appropriate permissions on the remote computer to be able to create and modify local users and groups.

System Configuration

[R][W][D]

Allows the user to view and change environment variables, set virtual memory settings and time, enable automatic logon via Computer Settings object. Provides access to Server Functions > Active Directory page and allows you view network and drive partition info pages using the Performance Monitoring object.

Users should have appropriate permissions on the remote computer. The user should be registered with Active Directory to be able to use Active Directory page features.

Telnet (EA Client)

[R]

Allows the user to use the ExpertAssist built-in proprietary secured telnet client found on Server Functions > Command Prompt page.
 

Telnet

[R]

Allows access to the machine via Telnet using any standalone terminal emulator.
 

Full Control

Adds all possible permissions to a user. It is recommended to have at least one account that has Full Control capabilities.  

Force “Personal Edition” Interface Enable users to get the user interface of EA Personal Edition when logged on. The interface provides access to a limited set of features. Though any EA feature can still be used by referring to it with its URL. The setting does not affect the Administrator-level users.

IP Filter

Assign an IP filter profile to the user, and specify which IP addresses can or cannot be connected from.
 

*
[R]     Read Access
[W]    Write (Update) Access
[D]     Delete (Remove) Access

You can select individual permissions, or specify Full Control.

You can also restrict the user to an IP address or a network by creating an IP Filter on the IP Filtering page under the Security object.

You can also restrict a certain user to an IP address or an IP address range. Please remember that access rights are cumulative: if Group X has full access to Quest ExpertAssist and is not bound to an IP address and User Z is a member of that group, he will always have full access, even if you bind him to a specific IP address or network. To allow a user or group access from two or more IP addresses or networks, simply grant them the same permissions several times, but with different IP restrictions.

Access rights are cumulative. That is, if Group A has access to the Event Viewer, and Group B has access to the File Manager, a user who is a member of both groups will have access to both modules.

If the machine is a domain controller, the user accounts and groups that appear are listed from its domain. If the computer is not a domain controller, local users and groups are displayed. You can specify where to list accounts from by typing the name of the domain or the computer in the input field and clicking the List accounts button.

Access rights are stored under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\DesktopAuthority\V5\Permissions\ in binary form. This data is basically stored in a particular key with the name of the Security Identifiers (SIDs) of the groups or users. The particular key contains registry parameters that define the access mask associated with SID, and the specific IP Filter applied. Each created IP Filter and its IP address restrictions are stored under the HKEY_LOCAL_MACHINE\SOFTWARE\DesktopAuthority\V5\IPFilter\Profiles\. By default, any data under the HKEY_LOCAL_MACHINE\SOFTWARE\ key can only be changed by Administrators, PowerUsers, or the SYSTEM account.

There are a few options on the lower part of the Access Control page. Here you can enable or disable the following features:

Allow full control to administrators

This is enabled by default. It adds Full Control permission to all administrators of the computer. If you turn it off, only users explicitly granted permission to use Quest ExpertAssist will have access.

NT LAN Manager authentication

Enable/Disable NTLM authentication. For those of you concerned about security, Quest ExpertAssist supports the Windows Challenge/Response type authentication. You must use Internet Explorer to take advantage of this feature. You need not worry about exposing your password to eavesdroppers if you are using HTTPS to secure all communications between your browser and Quest ExpertAssist.

Save user name in a cookie

Finally, you can configure Quest ExpertAssist to remember your user name in a cookie.

Any Access Control permissions set locally on a workstation will be overwritten by the permissions specified in the Remote Control tab of the Desktop Authority Manager.

Configuration Permissions and Registry Permission

Special care needs to be taken with a few of the above options. Users with access to Security > Access Control page (Configuration permission) and Computer Management > Registry Editor page (Registry permission) can also access and change the Quest ExpertAssist configuration data, including users’ permissions. However, the Registry permission can be considered safe, since the administrator can change permissions on the HKLM\Software\DesktopAuthority key and protect it from unwanted access. Users who can Create/Edit Scripts can also create programs in the Small language that run on the remote computer. These scripts will be run under the account of the person starting the script from the Scripting page – except when a Small program is called from the system monitoring script. In this case, the program is run under the LocalSystem account.

Reboot Permissions, Remote Control Permissions, Processes Permissions

With the exception of the objects and pages that the user is given access within the Quest ExpertAssist by applying Reboot, Remote Control and Processes permissions to them, user’s Windows account permissions is used by Quest ExpertAssist on the remote computer. For example, you can grant someone access to the File Manager page within the Quest ExpertAssist, but they will only be able to access files and directories their Windows user account has permissions to on the remote computer. The same goes for the Registry Editor, User Manager, etc.

The above exception for objects and pages that can be accessed having the Reboot, Remote Control and Processes permissions applied within Quest ExpertAssist is made to provide you maximum control over your system. The Quest ExpertAssist uses the all-powerful LocalSystem account to perform the tasks via these objects and pages. For example, not even an Administrator has sufficient rights to terminate a service process - but with Quest ExpertAssist performing this action under the LocalSystem account, any process can be terminated. Remote Control is another exception. When you are remotely controlling the system with Quest ExpertAssist, you have access to the mouse and the keyboard of the system. If nobody is logged on interactively, you will need to use the Windows logon screen to gain access to the desktop, typing in a username or password, possibly different than the one you are accessing Quest ExpertAssist with. If there is a user logged on to the host computer, you will be working under this user account.

Related Documents