Based on your post, I understand that you want to know how to configure the admin rights on the Microsoft domain controller for Dell Data Protection Encryption. There are four versions of Dell Data Protection Encryption which are:
1) Enterprise Edition
2) Personal Edition
3) External Media Edition, and
4) Bitlocker Manager
Please let us know which version of Dell Data Protection Encryption is being used. You can also refer to the link below.
In this link you have all the four version of Dell Data Protection Encryption specification. You can check the details on the right hand side navigation pane.
Thanks for your help. The version came pre-installed on the laptops and it is the Personal Edition.
Since my last post I have done some testing, and I am fairly certain it has to do with some group policy setting being applied, because I pushed back the factory image of the laptop (so that it was in the state it was prior to joining the domain and receiving all the policies), and when I attempted to start Dell Data Protection Encryption from the start menu, it started fine with no "you need administrator rights" error.
Unfortunately this is not a viable solution as we need the laptops to be joined to the domain, but at least it defines that some group policy setting is causing it.
Prior to the factory image, I also attempted to create a test OU and test GPO with all the "User Rights Assignment" settings (computer configuration) granted to domain administrators. This also did not seem to fix the "you need administrator rights" error.
I am sorry for the delayed response; I have escalated this particular issue to our ‘Engineering team’ once I get an update from our Engineering team will keep you posted.
We got an update from the Engineering team that what you’re saying is correct. It could be any implemented security policy causing the issue. DDPA requires kernel level access. To start, Dell is completely hands-off when it comes to domains and domain security. . However, there is a couple of suggestions:
Even though if you’re a local administrator you can right click and choose “Run as administrator”? If you are running windows 7, this should override most any GP setting. See if it asks for an administrator name and password. If it does, then you are not a true administrator or the policy has UAC override enforcement.
Open an administrator command prompt “Type in gpresult /h gpreport.html and press ” This will create a group policy report for that system. The report will be pushed to C:\Users\username\Documents\GPReport.html by default. If it is not there, just do a search for it. This will be a nice neat report showing all current policies on the system. You should be able to see what policy is blocking it.
Chances are the GPO key you should look in is: User Configuration/Windows Settings/Security Settings/Software Restriction Policies. This is where a template would have been installed.
Here is a great document to download that shows all group policies: Please refer to the below link.
Thanks Senthil, we currently do not have any policies configured for User Configuration/Windows Settings/Security Settings/Software Restriction Policies, and I doubled checked with the gpresult. Also no UAC override which also was double checked, although that is a clever way of telling whether you are a true administrator, thanks for that hint.
I guess I will have to unfortunately just go through and figure out the specific GPO that is causing it. I moved the comptuer object to an OU higher in the tree and it worked, so I know it is some policy, just have to go through and figure it out, I guess trial and error is a last resort, but it will have to do. Understanable that the Dell engineers are hands-off when it comes to domains, but I was hoping that they might be able to produce some documentation that would detail exactly what rights the program needs. The kernel level access is a good start.
Just a quick update. It turns out the problem was not related to rights assigned to my account, because the application is not running in the context of the logged on user. So the message "you need administrator rights" is misleading and incorrect. There are a couple services related to the encryption system that run as a pre-created local user named "crdsecagent" and the software runs under the context of this account. This is actually not really a group policy issue and is something the engineers could have pointed out.
My question now is, can I create an active directory service account that has local administrator rights and use this service account (instead of credsecagent local account) to run these 2 services? Because I do not want to have to grant the whole local administrators group the required security rights. Otherwise, will have to add the unique SID of each local account for each laptop to the policy.
I am sorry for the delayed response; I would like you to give me some more time since I am researching regarding this particular problem. Once I get an update I will keep you posted.
I believe you could create an AD entry for the installer to run, However, we would not be able to assist with active directory configuration. There are security concerns and Dell would assume liability. Another option would be to use switches, but because the problem is that crdsecagent needs to run at administrator level, you may have the same issue. The way to determine if there is a credential issue is to set up a new local user account with administrator rights off the domain and attempt to install DDPA. Since in the post you have mentioned, “I moved the computer object to an OU higher in the tree and it worked, so I know it is some policy,”
So it is a domain credential issue. Setting up a local administrator account will confirm.
Ideally, you could create a new domain account which only exposes the credentials needed, and then starts the respective services under that new account.
He would have to either change the account manually on each service’ properties, or via registry modification they can push across the OU.
DELL-Senthil S
4 Operator
•
2.5K Posts
0
September 20th, 2012 22:00
Hi kcsteele,
Based on your post, I understand that you want to know how to configure the admin rights on the Microsoft domain controller for Dell Data Protection Encryption. There are four versions of Dell Data Protection Encryption which are:
1) Enterprise Edition
2) Personal Edition
3) External Media Edition, and
4) Bitlocker Manager
Please let us know which version of Dell Data Protection Encryption is being used. You can also refer to the link below.
http://dell.to/HQduDo
In this link you have all the four version of Dell Data Protection Encryption specification. You can check the details on the right hand side navigation pane.
Please do reply for further assistance.
kcsteele
10 Posts
0
September 21st, 2012 04:00
Hi Senthil,
Thanks for your help. The version came pre-installed on the laptops and it is the Personal Edition.
Since my last post I have done some testing, and I am fairly certain it has to do with some group policy setting being applied, because I pushed back the factory image of the laptop (so that it was in the state it was prior to joining the domain and receiving all the policies), and when I attempted to start Dell Data Protection Encryption from the start menu, it started fine with no "you need administrator rights" error.
Unfortunately this is not a viable solution as we need the laptops to be joined to the domain, but at least it defines that some group policy setting is causing it.
Prior to the factory image, I also attempted to create a test OU and test GPO with all the "User Rights Assignment" settings (computer configuration) granted to domain administrators. This also did not seem to fix the "you need administrator rights" error.
kcsteele
10 Posts
0
September 24th, 2012 04:00
Hi Senthil,
Were you planning on assisting me with this problem?
Thanks...
DELL-Senthil S
4 Operator
•
2.5K Posts
0
September 24th, 2012 23:00
Hi kcsteele,
I am sorry for the delayed response; I have escalated this particular issue to our ‘Engineering team’ once I get an update from our Engineering team will keep you posted.
kcsteele
10 Posts
0
September 25th, 2012 04:00
Thanks Senthil, I look forward to your reply.
DELL-Senthil S
4 Operator
•
2.5K Posts
0
September 28th, 2012 03:00
Hi kcsteele,
We got an update from the Engineering team that what you’re saying is correct. It could be any implemented security policy causing the issue. DDPA requires kernel level access. To start, Dell is completely hands-off when it comes to domains and domain security. . However, there is a couple of suggestions:
Even though if you’re a local administrator you can right click and choose “Run as administrator”? If you are running windows 7, this should override most any GP setting. See if it asks for an administrator name and password. If it does, then you are not a true administrator or the policy has UAC override enforcement.
Open an administrator command prompt “Type in gpresult /h gpreport.html and press ” This will create a group policy report for that system. The report will be pushed to C:\Users\username\Documents\GPReport.html by default. If it is not there, just do a search for it. This will be a nice neat report showing all current policies on the system. You should be able to see what policy is blocking it.
Chances are the GPO key you should look in is: User Configuration/Windows Settings/Security Settings/Software Restriction Policies. This is where a template would have been installed.
Here is a great document to download that shows all group policies: Please refer to the below link.
http://www.microsoft.com/en-us/download/details.aspx?id=24449
I hope you find this useful.
kcsteele
10 Posts
0
September 28th, 2012 05:00
Thanks Senthil, we currently do not have any policies configured for User Configuration/Windows Settings/Security Settings/Software Restriction Policies, and I doubled checked with the gpresult. Also no UAC override which also was double checked, although that is a clever way of telling whether you are a true administrator, thanks for that hint.
I guess I will have to unfortunately just go through and figure out the specific GPO that is causing it. I moved the comptuer object to an OU higher in the tree and it worked, so I know it is some policy, just have to go through and figure it out, I guess trial and error is a last resort, but it will have to do. Understanable that the Dell engineers are hands-off when it comes to domains, but I was hoping that they might be able to produce some documentation that would detail exactly what rights the program needs. The kernel level access is a good start.
I will keep you updated when I find it.
Thanks
Sunnybmumab
1 Message
0
September 28th, 2012 23:00
Can anybody help me on how to save my files before formatting an hard drive! I will be so glad to hear from you.
osprey4
4 Operator
•
34.2K Posts
0
September 29th, 2012 05:00
Hi Sunnybmumab,
See if this helps: How to back up your files
If you need more help, you need to be a lot more specific about the problem you are having, and include the model of your Dell and operating system.
kcsteele
10 Posts
0
October 1st, 2012 04:00
Senthil,
Just a quick update. It turns out the problem was not related to rights assigned to my account, because the application is not running in the context of the logged on user. So the message "you need administrator rights" is misleading and incorrect. There are a couple services related to the encryption system that run as a pre-created local user named "crdsecagent" and the software runs under the context of this account. This is actually not really a group policy issue and is something the engineers could have pointed out.
My question now is, can I create an active directory service account that has local administrator rights and use this service account (instead of credsecagent local account) to run these 2 services? Because I do not want to have to grant the whole local administrators group the required security rights. Otherwise, will have to add the unique SID of each local account for each laptop to the policy.
Thanks again...
DELL-Senthil S
4 Operator
•
2.5K Posts
0
October 2nd, 2012 23:00
Hi kcsteele,
I am sorry for the delayed response; I would like you to give me some more time since I am researching regarding this particular problem. Once I get an update I will keep you posted.
DELL-Senthil S
4 Operator
•
2.5K Posts
0
October 15th, 2012 22:00
Hi kcsteele,
I believe you could create an AD entry for the installer to run, However, we would not be able to assist with active directory configuration. There are security concerns and Dell would assume liability. Another option would be to use switches, but because the problem is that crdsecagent needs to run at administrator level, you may have the same issue. The way to determine if there is a credential issue is to set up a new local user account with administrator rights off the domain and attempt to install DDPA. Since in the post you have mentioned, “I moved the computer object to an OU higher in the tree and it worked, so I know it is some policy,”
So it is a domain credential issue. Setting up a local administrator account will confirm.
Ideally, you could create a new domain account which only exposes the credentials needed, and then starts the respective services under that new account.
He would have to either change the account manually on each service’ properties, or via registry modification they can push across the OU.
I hope you find this useful.