Proxy Permissions

The permission set required for a proxy service account differs depending on how you're using a Recast Proxy.

If you haven't set up the required proxy permissions prior to installing Recast Management Server or Recast Proxy, you can skip the installer's Configuration Manager Configuration page by removing any information from the text fields, selecting Test ConfigMgr Connection and the Skip ConfigMgr Verification checkbox, and clicking Next.

Right Click Tools

To access web dashboards and trends

This permission set also allows scheduling for Builder actions and kiosk profile application.

  • Local admin on the server where the proxy is being installed
  • Read permissions in Active Directory
  • db_datareader in the Configuration Manager SQL server database
  • Read-only access to the Configuration Manager console (Read-only Analyst security role in ConfigMgr)

NOTE: Some actions won't work, such as adding to or removing from collection

To run actions as a service account

  • Local admin on any device that actions will be run against
  • Read/Write permissions in Active Directory (Write is only required to delete devices from AD)
  • Appropriate ConfigMgr Security Role for intended actions in the Configuration Manager console (Full Administrator for all actions)
  • Permission to MBAM, if applicable

To elevate permissions

  • Local administrator access on all devices managed by Right Click Tools

NOTE: Some actions won't work, such as adding to or removing from collection

To add or remove from collections

  • Permission to modify a collection in Configuration Manager: configmgr collection > modify permission

For Fast Channel support

  • Permission to run scripts in Configuration Manager 
  • If using Read-only Analyst in ConfigMgr as your base security role, also grant the following privileges:
    • Collection > Run Script = Yes 
    • SMS Scripts > Read = True

Endpoint Insights

To collect warranty information 

  • Local admin on the server where the proxy is being installed
  • Read permissions in Active Directory
  • db_datareader in Configuration Manager SQL server database
  • Read-only access to the Configuration Manager console (Read-only Analyst security role in ConfigMgr)

NOTE: These first four permissions are the same as those required to access web dashboards and trends in Right Click Tools.

  • If your Recast Management Server is installed on a server other than your Configuration Manager SQL database, the proxy account will need to be added to the SMS_SiteSystemToSiteServerConnection_MP_<YourSiteCode> local group on that server. This will allow it to read/write to your inboxes\auth\ddm.box, which is required to gather warranty data.

Privilege Manager

Privilege Manager doesn't require a Configuration Manager service connection, and your service account needs only to have the following permissions:

  • Local admin on the server where the proxy is being installed
  • Read permissions in Active Directory

Application Manager

MECM Integration 

  • Grant any of the following built-in roles/role combinations to the proxy account:
    • Full Administrator
    • Operations Administrator
    • Application Administrator and Compliance Settings Manager
    • Application Administrator and Read-only Analyst
  • Modify permissions to the SMB share (UNC path) that will be used to store downloaded applications




Copyright © 2024 Recast Software Inc. All rights reserved.