Adding Management Suite console users

Management Suite users can log in to the console and perform specific tasks for specific devices on the network. The user that is logged in to the server during Management Suite installation is automatically placed into the Windows NT LANDesk Administrators group, which gives them full administrator permissions. This individual is responsible for adding additional groups of users to the console and assigning permissions and scopes. Once other administrators have been created, they can perform the same administrative tasks.

Management Suite setup creates several local Windows groups on the core server. These groups control file system permissions to the Management Suite program folders on the core server. You must manually add console users to one of these local Windows groups:

• LANDesk Management Suite: This group allows basic core access. The Management Suite folders are read-only. Users in this group can't write to the scripts directory, so they won't be able to manage scripts. Patching vulnerabilities and OS deployment won't work correctly for users in this group because both those features use scripts.
• LANDesk Script Writers: This group includes the rights of the LANDesk Management Suite group and it also allows users to write to the scripts folder. Patching vulnerabilities and OS deployment require membership in this group.
• LANDesk Administrators: This is the failsafe group for console access. Anyone in this group has full rights in the console, including script writing. By default, the user account that installed Management Suite is added to this group. If you don't have many console users or you don't want to limit the console users that you do have, you can bypass role-based administration entirely and just add users to this group.

When adding full administrators to the console, you can either add them to the core server's local LANDesk Administrators group or you can add them to a different group that has the LANDesk "Administrator" right. The only difference is that users in the Windows LANDesk Administrators group can't be deleted from the console until they are removed from the LANDesk Administrators group.

IMPORTANT: Don't put user accounts in multiple local or Active Directory groups that have group permissions. If an account is a member of more than one group with a group permission, the console won't be able to define which group permission to apply and the resulting rights may not be consistent. The best way to have rights for more than one group is to make a group with all the roles that the user will need, and then make the user part of that group.

IMPORTANT: Additional consoles and the core server must be members of the same domain or workgroup. Console users won't be able to authenticate with a core server that is in a different domain or workgroup.

To add users to a LANDesk group from the Windows Computer Management dialog

1. Navigate to the server's Administrative Tools > Computer Management > Local Users and Groups > Groups utility.
2. Right-click the LANDesk group you want, and then click Add to group.
3. In the group's Properties dialog, click Add.
4. In the Select the users and groups dialog, select the desired users (and groups) from the list and click Add.
5. Click OK.

Viewing the user log and deleting users

The Users tool's All users group is a log that gets populated as console users log in. You can see the last time they logged in, their group, role, and team. For example, you can monitor users that haven't logged in for a long time and consider whether they need the rights that they have. When you add a console user, they won't appear in this list until they log into the console.

You can also delete a user from this list. When you delete a user, you'll be prompted to decide how you want to handle console items they are the owners of, such as queries, scheduled tasks, and so on. You can either have the console automatically delete any items they own or you can have the console reassign items they own to another user that you select. Note that deleting a user only deletes that user from the Management Suite user database. You'll need to also manually remove the user from any Active Directory groups that give them console access. If you don't do this, the deleted user will still be able to log into the console.

To view the user log

1. Click Tools > Administration > Users.
2. In the Users, roles, and scopes tree, click All users.

To delete a console user

1. Click Tools > Administration > Users.
2. In the Users, roles, and scopes tree, click All users.
3. Select the user you want to delete and press the Delete key.
4. If you want to delete objects associated with the user, click OK.
5. If you want to reassign objects associated with the console user, select Assign Objects to the following user and click the user or team you want to receive the objects and click OK.
6. Remove the user from the local or Active Directory group that gives them console access.