PDQ Deploy requires an administrator account in order to remotely perform deployments. PDQ Deploy can store multiple sets of credentials which can then be used for different deployments and schedules.
This graphic shows the different components of PDQ Deploy and which credentials are used when.
Console - Current User
The console runs with the credentials of the user currently logged into the console computer. This user account needs to have access to the files that make up the Packages (which may be on file shares). Most importantly, this user needs read/write access to the database, which is, by default, limited to the local administrators group.
Service - Service User
This user account is used for the Windows service which is the actual process that executes deployments. Like the console user it needs to be able to access the files that make up the packages and to read and write the database. This account can be the same as the console user, or it can be a different account. This account needs to have the Log on as a service privilege so it may need to be a special user created for the purpose as some organizations prevent normal users from having this privilege.
Connection - Deployment User
The deployment user is the one selected when starting a deployment. It is this account which is used to connect to the target computer and copy over the necessary files and start the target service. This user must have administrative rights on the target computer, which are needed to copy files to the ADMIN$ share and create and start the remote service. It can be a user account local to the target computer (see below) or a domain user if using Active Directory.
Target Service - Deployment User or Local System
The target service is the process that performs the actual installation on the target computer. There are two accounts that can be used by the service: The Deployment User or Local System. The deployment user is the same as used for the connection and is the default option. Some environments and deployments, however, require that deployments run as Local System which has some limitations (see below). When using the deployment user it must have the Log on as a service privilege.
Local System
Packages can be run using the built-in system account. When using local system the deployment still requires an administrator account to connect to the target computer, copy files, and start the package, the local system account is only used for the package process itself. The local system account can be used in scenarios where it's not possible or desirable to
es using an administrator account. This can simplify authentication in certain environments and may be required for some packages.
To set this option use the credentials preferences.
Running as Logged on User
Install and Command steps have the option to run as the logged on user on the target computer. There are a number of limitations and considerations to keep in mind when using this option, which are available on this page.
Default Credentials
One set of credentials will be set as default (the first credentials entered will be default). These credentials will be used when none are specified. For example, if the credentials used by a schedule are deleted then that schedule will fall back to using the default credentials.
Local Accounts
PDQ Deploy can use local (non-Active Directory) accounts for authentication. Credentials are considered to be local if they have no domain or if they have a domain that starts with a period (.). When these credentials are used, the target computer name will be added to the user name.
Testing Credentials
When using the Test Credentials button you will be prompted for the name of a computer to use to verify the name and password if the given domain doesn't match the domain of the logged on user. This is to handle situations where the domain isn't accessible from the computer where PDQ Deploy is running or the account is local (see above).