0 Replies Latest reply on May 11, 2017 11:44 AM by jivnjt

    Patch Manager - multiple domain privs

    jivnjt

      Just getting this product rolling.  I have three domains/forests.  I am using one WSUS server and one Patch Manager server to keep it simple.  GPO and certificates are golden.  Doing some simple checks on permissions shows that Patch Manager does not like domain local groups.  We nest DL groups from our primary domain via the trust for group/security sanity and to remove ugly SID orphans from showing up.  It looks like this:

       

      Domain A is "primary" only in name.  We are slowly, through attrition, turning down B and C.  Two-way trust to B and C.

       

      DomainA\swinds_security_group_global (contains users from domainA only.  Also contains the user we have in our default credential ring)

      DomainB\swinds_security_group_global (contains users from domainB only)

      DomainC\swinds_security_group_global (contains users from domainC only)

       

      DomainA\swinds_security_group_domainLocal (contains DomainA\swinds_security_group_global, DomainB\swinds_security_group_global, DomainC\swinds_security_group_global)

       

      DomainA\swinds_security_group_domainLocal applied to server in DomainB == Patch Manager cannot remote connect via WMI.  Permission issue.

      DomainA\swinds_user_default_credential (so I put the user from DomainA into local administrator on server I am trying to connect to via WMI) == WORKS!

       

      This leads me to believe PM or WMI does not support a domain local group.  Google has too much information.  Anyone know off the top of their head?

       

      Thanks!
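
The group layout described in the post, run through a simplified model of how Windows decides which domain groups end up in a logon token (an added example, not part of the original post and not Patch Manager code). It assumes the standard scope rule that a domain local group is only added to the token by the domain it was created in, ignores universal groups and SID filtering, and includes one hypothetical group (a domain local group created in DomainB) that the post does not mention.

```python
# Simplified model of which domain groups reach a logon token (added example).
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    domain: str
    name: str
    scope: str              # "Global" or "DomainLocal"
    members: frozenset      # "DOMAIN\name" strings: users or nested groups

    @property
    def fqn(self):
        return f"{self.domain}\\{self.name}"

def token_groups(user, resource_domain, groups):
    """Domain groups placed in the token when `user` logs on to a machine in resource_domain."""
    user_domain = user.split("\\")[0]
    token = {user}
    changed = True
    while changed:                      # repeat until nested memberships stop expanding
        changed = False
        for g in groups:
            if g.fqn in token or not (g.members & token):
                continue
            # Global groups come from the user's account domain.
            # Domain local groups are added only by the resource's own domain.
            if (g.scope == "Global" and g.domain == user_domain) or \
               (g.scope == "DomainLocal" and g.domain == resource_domain):
                token.add(g.fqn)
                changed = True
    return token - {user}

def is_local_admin(user, resource_domain, local_admins, groups):
    """True if the user, or a group in the user's token, is in the machine's local Administrators."""
    return user in local_admins or bool(token_groups(user, resource_domain, groups) & local_admins)

G = "swinds_security_group_global"
DL = "swinds_security_group_domainLocal"
USER = "DomainA\\swinds_user_default_credential"
GROUPS = [
    Group("DomainA", G, "Global", frozenset({USER})),
    Group("DomainB", G, "Global", frozenset()),   # members omitted (constructed)
    Group("DomainC", G, "Global", frozenset()),
    Group("DomainA", DL, "DomainLocal", frozenset(f"{d}\\{G}" for d in ("DomainA", "DomainB", "DomainC"))),
    # Hypothetical group, not in the post: a domain local group created in DomainB.
    Group("DomainB", DL, "DomainLocal", frozenset({f"DomainA\\{G}"})),
]

if __name__ == "__main__":
    for admins in ({f"DomainA\\{DL}"}, {USER}, {f"DomainB\\{DL}"}):
        print(sorted(admins), "->", is_local_admin(USER, "DomainB", admins, GROUPS))
```

In this model the DomainA domain local group never appears in a token built on a DomainB server, while the directly added user and a domain local group owned by DomainB both do.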