Manage computers via domain account vs. local account?

jondowd
New Contributor II

As mentioned earlier, I'm new... forgive me asking the obvious or already-answered. I believe the QuickAdd utility creates a local account (possibly hidden) on the machines. This account is used for Casper's management, package deployment, recon and remote control, correct? My boss has security concerns and wants me to ask if all of this can be done from a domain (Active Directory) account, rather than the local account that QuickAdd creates? Thanks.

2 REPLIES

talkingmoose
Moderator

I wouldn't advise it. A local account means you won't be dependent on network connectivity or connectivity to your Active Directory infrastructure. For example, if the time is off by more than five minutes then your account can't log in and you can't correct the time (catch 22).

You can hide the account from non-savvy users and you can randomize the account password so that no one knows it. You can even rotate passwords on a routine schedule if you choose.

jarednichols
Honored Contributor

If you're concerned about the security of the local account, you can use Casper to spin the password to a randomly created one that's stored encrypted in the JSS's database. Spin the password every day if you want.