To enable auditing the user has to have the explicit role provided. To do this please conduct the following:

Navigate to

Tools | Administration | User Management

From the User management interface select Users and groups and identify the user you want to apply the auditing role to.

Right-click on the desired user and select properties

In viewing the Properties of the selected user, choose the Rolesoption and select both auditing roles and chooseOK

Verify the Auditor and Auditing Configuration roles are listed from the User management overview

You will need to log out of the Landesk Management console and log back in in order to see the newly included role. To view the Auditing Configuration section please navigate to the following location:

Configure | Services

Note* Only the logged on user with this role will be able to view the Auditing Configuration tab.

After selecting the Auditing Configuration tab. The following display will be shown:

Please select the desired events you wish to capture. If you would like these events to be written to the Event Log (Event Viewer) location please select the Write auditing events to the Event Log.  As a best practice, please do not audit every event unless you have the resources to handle the I/O.

Description: The following error is displayed when launching a remote console and attempting to connect to a core server.

Console Initialization Error: Value cannot be null. Parameter name: userId

Resolution: Check the following registry key on the core server. The value for isNTLM needs to be set to "False". This setting is not currently used and will cause problems if it's enabled.

HKLM\Software\LANDESK\ManagementSuite\Core\Connections\Local

Problem:

Some users are experiencing issues with the remote console not launching the window correctly after logging in. Sometimes it wont be visible, only part of the window will show, and the minimize/maximize buttons don't seem to be responsive.

Cause:

The windows console uses a 3rd party UI library called VIBlend. VIBlend has a known issue causing this behavior. Ivanti is currently working on removing VIBlend from the console.

Solution / Workaround:

This issue has been filed as a defect (ID 296147). For a temporary workaround, hover your mouse over the LANDesk icon on the task bar and once the preview window/thumbnail preview shows above the icon, right-click the preview window and select Restore. That is usually enough to get the remote console to pull up and center on the screen.

Other users have seen success by opening the task manager and using the the window options when right clicking the process like so:

The long term resolution will be the removal of VIBlend from the windows console. However, this is a major architecture change for the console and doesn't currently have an ETA.

Also See:After logging in to the Console the Console shows in the task bar but the Console window never appears.

Description: This article will explain how to create a scheduled task to change the passwords on your local machines. Example: If you wanted to change the local admin password on all of your LANDesk Managed PC's.

Resolution:

1. Right click on any machine and then click on Manage Local Users and groups

2. When Local Users and Groups tool comes up click on Schedule Icon in the tool bar.

3. Either type in the username, or click on the drop down and choose the name of the user you want to change the password for.

4. Type in the new password and then type it in again to confirm.

5. Click on Schedule.

6. A new scheduled task will appear in the scheduled task tool called 'Set user 'Administrator' password for multiple machines.

7. Drag machines into task and start.

Problem

Unable to copy an agent configuration and paste it to "My configurations".

Cause

The agent configuration name has special characters that SQL isn't liking.

Solution

Please make sure that you are attempting to paste the agent configuration to "My configurations", otherwise, this won't work.

If you have any of the following characters in the agent configuration name, it can cause problems.

( )

*

'

"

< >

[ ]

|

Remove the special character and try again.

Description

After SP2 has been installed on the LDMS 9.0 core server, the following error appears when you try to log into the console on the core server

You have insufficient rights to launch the console. Validate that you have been assigned a role or that you belong to a group that has been assigned a role.

Cause

The reason why the above error occurs is that the tables that should  contain LANDesk rights are empty. Therefore there is no association  between users and their LANDesk rights. This problem is caused partly  due to SQL server using dynamic port rather than its default port 1433  and partly by the application CreateLANDeskRights.exe not being able to  connect to the SQL server on dynamic port. During SP2 installation  CreateLANDeskRights.exe will run and populate the following tables with  LANDesk rights

- Permission

- PermissionDefinition

- PermissionDefinitionRight

- PermissionGroup

- PermissionRight

Resolution

To resolve this issue please follow below steps

1. Open LANDesk Configure Services from Start > All Programs > LANDesk > LANDesk Configure Services

2. On the General tab enter the SQL server or instance port ( SQL_Server, port_number ), i.e. LDMS9ENU, 2594

3. Click Apply and OK

Following the steps above you now should be able to log in as a user that is member of the following local security groups on the core server

- LANDesk Administrator

- LANDesk Management Suite

All the previous user settings such as rights, scopes and groups will have to be recreated.

Another cause for this error message could be the MBSDK web service is enabled with Anonymous access. It should be Windows Authentication only.

Issue

After you update the password of your EPM database and when you try to apply the changes in the console through Ivanti Configure Services, the following error pops up when you click on Apply or OK.

"Failed to validate the version of the database. Login failed for user 'sa'"

You have ensured the password is correct and the steps in the troubleshooting document have been performed.

Cause

A single character has been used as the password, which is allowed by SQL Server if you choose not to enforce password policy for the account, but is not allowed by EPM.

Resolution

Use a password with more than one character instead.

From within the LANDesk Console one of the more useful features is the ability to right click a machine and perform administrative tasks.

Some of these tasks are:

Request an inventory scan

Wake up a machine

Shut down a machine

Request a Security scan

When one of these options is selected the LANDesk console make a call to IIS and passes the command line parameters to the core.secure/corerequest.asmx page.

The URL for this page on the core server is:

http://localhost/landesk/managementsuite/core/core.secure/corerequest.asmx

This page is seen here being accessed from the core server.

Each command requires a client side identifier, this can be the Machine GUID (found in the registry under HKLM\Software\Landesk\Common API) or the machines IP address.

If the right click commands fail to run, check the following.

1.  Can theCoreRequest page be browsed from the Console running the commands?

http://[core server name]/landesk/managementsuite/core/core.secure/corerequest.asmx

2.  Verify that the command is being sent from the core server.

On the core server under the \\[Your Core Server]\LDMAIN share the raxfer.log file will store the attempt to run the remote execute.

<block>Thu, 19 Mar 2009 10:20:56 4724 388 Performing remote execute, target 10.16.228.214:9594, hash 5b5c5c77</block>

3. Verify that the command was recieved on the client.  In C:\Program Files\LANDesk\Shared Files\servicehost.log the command line parameters will be displayed.

<block>

Thu, 19 Mar 2009 10:36:14 2608: Exec: Exec: Launch request <"C:\Program Files\LANDesk\LDClient\vulscan.exe" /id=7 /run ldiscn32.exe /NTT=slc-smith-88:5007 /S="slc-smith-88" /I=HTTP://slc-smith-88/LDLogon/ldappl3.ldz /NOUI> (sync 0, timeout 300)

</block

The purpose of this article is to connect to a off core SQL Server without using LANDesk technology to ensure database connectivity. A connection will be created from the LDMS core server to the SQL server using Microsoft’s SQLCMD.exe tool. SQL activity monitor will be used to monitor the connection watching for the connection to drop. If the connection drops it can be concluded that there is an issue with network connectivity between SQL and the Core that will need to be resolved before further troubleshooting can be done.

Tools Needed

Microsoft SQL Server Command Line Query Utility SQL 2008

Microsoft SQL Server 2008 Command Line Utilities

The SQLCMD utility allows users to connect to, send Transact-SQL batches from, and output rowset information from SQL Server 7.0, SQL Server 2000, SQL Server 2005, and SQL Server 2008 instances. The bcp utility bulk copies data between an instance of Microsoft SQL Server 2008 and a data file in a user-specified format. The bcp utility can be used to import large numbers of new rows into SQL Server tables or to export data out of tables into data files.

Note:

This component requires both Windows Installer 4.5 and Microsoft SQL Server Native Client

Microsoft SQL Server 2008 Feature Pack, October 2008 link

Microsoft SQL Server 2008 Command Line Utilities

X86 Package(SqlCmdLnUtils.msi) - 7234 KB
X64 Package (SqlCmdLnUtils.msi) - 12212 KB
IA64 Package(SqlCmdLnUtils.msi) - 16515 KB

Microsoft SQL Server 2008 Native Client

X86 Package (sqlncli.msi) - 4549 KB
X64 Package (sqlncli.msi) - 7963 KB
IA64 Package (sqlncli.msi) - 11112 KB

Steps for testing

Core Side

1. Install SqlCmdln Utility on the core server.
2. Open a command prompt.
3. Change the directory to \Program Files\Microsoft SQL Server\100\Tools\Binn
4. Enter the following command string: sqlcmd.exe -S SQLServerName -d DatabaseName -U Username -P Password (example: sqlcmd.exe -S SQL005 -d LDDB -U sa -P Password1 )

If the connection is successful you will see a >1 on your screen.

For a full list of switches for SqlCmd refer to this MSDN article.

SQL Server Side

1. Open SQL Management Studio and connect to the SQL server in the Object Explorer window.
2. Expand the Management tree then open the activity monitor. Locate the connection opened by the SQLCMD application.

At this point you will want to view the activity monitor on the SQL server  to see if the connection has stayed up. Viewing the activity monitor at the end of the day or the next day will determine if there have been any disconects. SQL command line utility will not reconnect if there is a drop either by SQL or network. The application name(SQLCMD) is listed in application column of Activity Monitor so it is easy to identify the sqlcmd connection.

Overview

This document goes over basics of user management in Ivanti Endpoint Manager. This is not an exhaustive guide on all facets of user management.

General

Before getting into specifics, there are some general details about EPM's user management process.

Groups

When you install the Core, we create 2 local groups on the Core server:

• Landesk Management Suite
  • This group provides no special rights. Users who are not intended to be Landesk Administrators should be placed here.
  • The LandeskComPlus user is placed in this group during install.
• Landesk Administrators
  • This group provides users in it with Landesk Administrator rights.
  • The user that installs EPM is placed in this group.

In order for a user to use any functions of EPM, they need to be a member of one of those 2 groups. This is not just for the Windows console, but also to access the web console, or the Analyst space of workspaces, etc. Anything that integrates with EPM.

While you can add individual users to these groups, you can also add other groups, and EPM will resolve the members of those groups.

Any users that are part of Landesk Management Suite will also need to have a Role configured before they can login.

Allow vs Deny

While other user management solutions, like Active Directory, will Deny before Allow (ie. if a user gains Allow from one group and Deny from other, they will get Deny), EPM is the opposite. EPM will provide the greatest available rights based on a user's combination of rights. It's often helpful to think of rights in EPM in the manner of a Venn Diagram, where each role is part of the diagram, and a user's "Effective Rights" are the entirety of the diagram.

As an example, let's examine the following situation:

• Group A is part of Landesk Administrators, and gains the Landesk Administrator role
• Group B is part of Landesk Management Suite, and is given no default rights.
• User "Tim" is part of both Group A and Group B.

In the situation above, Tim will be a full Landesk Administrator, as he will be given all rights from Group A AND Group B, despite Group B being denied any rights.

This also applies to Scopes.

Users vs Groups

EPM generally treats users and groups the same, in terms of actually configuring rights. All references to users in this document can also be considered to apply to groups, unless noted otherwise.

Active Directory/LDAP

You can use your AD users and groups in User Management. Doing so first requires adding an Active Directory source to User Management (Administration > User Management). Click the "Add" button (green circle with a white plus) and select "New Active Directory Source". Provide your domain and a user with Read access to the domain's objects.

You can also add AD sources by going to Configure > Manage Active Directory sources. Any sources added there will be available to User Management.

Adding Users

A user needs to be added to EPM before they can log in to the Console or access other functions. This can be done a few ways:

• Explicitly
  • To add a user explicitly, head to Administration > User Management. Click the green circle with the white plus, and then select "New user or group". The resulting window will have tabs, one for each user source. Select the appropriate source, then navigate to the user you want.
• Group Membership
  • If a user is a member of a group that's been explicitly added, then they will be as well through inheritance. While they won't show up in User Management until they log in, they will be allowed to.
  • If a user is a member of a group that has not been explicitly added, they will not be able to login.

Once a user is added, you need to give it a role and a scope:

1. Right click the newly added user and select Properties.
2. On the left hand pane, select Roles and check any roles appropriate. Then do the same for Scopes.

A user should login to the console at least once before attempting to use other EPM functions outside of the console, such as Workspaces or HTML Remote Control. This is because we won't create an entry for the user until they do login, even if their group membership allows them to access EPM. Without that user entry being created, they essentially don't exist as far as those functions are concerned, and are therefore unauthorized.

Scopes

In EPM, you can create and assign Scopes. Scopes encompass a set of computers based on user defined criteria. A user can only see machine in their Scope, no matter what rights they have.

Creating Scopes

There are a few ways to create a scope:

• From a Device Group
• From a Query
  • If using queries to create scopes, you should try to keep this to a minimum, or to not use very taxing queries, to avoid causing excessive strain on the database.
  • More about writing queries can be found here
• From an LDAP Container

Roles

Roles are a collection of rights that allows a user to do certain things, but only to machines within their Scope.

Auditing Roles

One thing to note is that Auditing rights are special. Even a Landesk Administrator can't see or configure auditing by default. Anyone who needs to configure auditing needs to be assigned the Auditing Configuration right, and anyone who needs to see auditing events needs the Auditor role. This is regardless of other permissions.

Rights Documentation

This document has more information on specific rights: Explanation of Role Based Administration (RBA) rights

Additional Information

Sometimes after making changes to user rights, they don't take immediate affect. In this case, you can run the files below in the order specified. These needs to be explicitly run "As Administrator", and manually force the user rights to resolve. These are located in the %LDMS_HOME% directory

• CreateLandeskRights.exe
• ResolveDBCustomGroups.exe
• ResolveUserGroups.exe

Description:

What happens when I right-click a machine in the inventory and select Wake on Wan?

First make sure that you have the red circle in front of the machine to have the option Wake up availble to you.

Core server sends a ##LD_WAKE_ON_WAN## Message to a MDR which in turn send the Magic Packet on port 0 to the machine you want to wake up.

The protocol used is WOL.

In the below wireshark trace

192.168.1.217 ->Core

192.168.1.201 -> MDR

You do not need to have a static MDR.

Purpose:

Network Mapping is designed to help you understand your companies network. This may or may not be an accurate representation of your environment but will help you determine what is on the network and the bandwidth.

**Note**

THIS IS A NEW FEATURE AND ASK THAT ALL FEEDBACK IS SENT TO SUPPORT TO HELP BUILD A BETTER MAPPING TOOL.

This is using our multicast system and some Access points have Access Point Isolation (AP Isolation)

Prerequisites:

• This is only available on 2018.1
• CSEP is enabled on he subnet (will be covered in the process portion)
• At least one 2018.1 agent on the subnet

Process:

Agent Settings

By default the agent settings for network mapping are turned on. There is not much here other than:

• changing the Route Target- This will send the route info from the client to the target to the core. This could be the core or any other device on the network.
• Frequency- This is how often the route occurs

CSEP

Under the Self-electing subnet services choose the network mapping and in the subnet trees to the right, right click on a subnet and enable.

Network Map

The map will show different layouts based on the traceroute

You will see different colors for the line and this shows the response time of the ping. Green is good response time, yellow is some latency and red is big latency.

Lastly you will be able to drill down and have ability to RC, review provisioning and looking at inventory. You will also see the type of OS for that machine and it's ip.

This network map uses multicast to determine the Rep for the subnet but that rep will perform the traceroute. This route is for the subnet and devices the core knows about within that subnet will be added to the map. This will not tell you devices that are not managed but are in that subnet. This is designed to show you what your network looks like for the devices managed by you the Ivanti admin; this will include agentless scanned devices. The drill down is real time but the latency check is done during the route check which is 7 days by default as you saw but can be changed. This means the map will change as often as your end-users moving around from wired to wireless and vice versa.

Overview

One of the features included in Endpoint Manager (EPM) 2018-1 is the ability to launch the Environment Manager (EM) Console. EM is a console that provides the ability for on-demand personalization of user desktops. The EPM console also has the ability to distribute EM agents and license files as will be outlined below. Licensing with EM is on the client instead of the core like EPM so each client requires a license file.

Note: A lot of the content discussed here regarding this integration can also be found in the help files at the location below. This community article will supplement the help files and also provide information on downloading a license file through Ivanti's portal.

EM Console Add on Help Documentation

Process Outline

To use the EM Console Addon there are 3 general steps. However, you can skip some of the steps if you already have EM deployed in your environment.

1. Deploy EM Agent to Managed Devices
2. Deploy EM License File to Managed Devices
3. Connect the Endpoint Manager Core to the EM Console

Deploy EM Agent to Managed Devices

Note: You can skip this step if you already have EM deployed in your environment

In order to deploy the EM Agent to managed devices you'll need to check the corresponding box in the EPM Agent Configuration. See the screen shot below. When adding components to the Ivanti Agent a full agent deployment will be necessary. This is due to the additional files needed to support the added feature.

Deploy EM License file to Managed Devices

Note: You can skip this step if you already have EM deployed in your environment

Downloading a license file

1. Browse to: https://portal.ivanti.com
2. Log into the portal using your EPM licensing activation credentials.
3. Open the UEM/USER-FOCUSED section. You should see several sub-menu items.
   1. If you have a DesktopNow license (this is a suite) then you should find your EM license file in the DesktopNow section.
   2. If you have a EM only license then you should find the EM license file in the Environment Manager section.
4. Click on the download link on the right side (see screen shot)
5. Once the file is downloaded place the file in the following location
   1. C:\Program Files\LANDesk\ManagementSuite\LANDesk\Files

Deploying the license file via a Software Distribution Package

A software distribution package is included in EPM 2018-1 to deploy the license file. See below for instructions on configuring it.

1. In the EPM Console open Distribution Packages
2. Under All Packages find the "Environment Manager License Deployment" package, right-click, and select properties.
3. The main power shell script is already configured but the license file itself will need to be added as an additional file. See screen shot below. Find the file from the previous steps and move it from the left box to the right box. Save the configuration.
4. Schedule and deploy the package as you would any other software distribution package.

Connect the EPM Core to the EM Console

To finish the configuration of the EM Add on EM and EPM will need to be connected.

The Environment Manager console uses core server credentials and a unique "secret" key to connect to a core server.

To obtain the core server secret key

1. On your core server, open this file with a text editor:C:\ProgramData\LANDesk\ServiceDesk\My.IdentityServer\IdentityServer3.Core.Models.Client.json
2. In that file is a section like this example: {"Value":"JcfZCcxemugWVIYr5upu","Description":"EMClient Secret","Type":"SharedSecret","Expiration":null}. The 20-character random alphanumeric value before "EMClient Secret" is the string you need. It's bolded in the previous example and is normally near the end of the file.

To connect Environment Manager to a core server

1. Click Tools > Configuration > Environment Manager Policy. The Environment Manager console opens in a separate window.
2. Click File > Open > Configuration from Endpoint Manager.
3. Click the Add toolbar button .
4. In the Add Endpoint Manager Server dialog box, enter your core Server name, a Friendly name, and the Secret string you found earlier.
5. Set the Location to \\<CoreServerName>\ldlogon\em. If the "em" folder doesn't exist, click the browse button next to the Location box and click New folder so you can create it. If you want to use a different folder under \ldlogon, modify the path you provide to match.
6. Click Add. Your core configuration will appear in the Configurations list.

Using Environment Manager

Once you've created a configuration for your core server in Environment Manager, you can create new policies or edit existing policies. Environment Manager policiies are saved to the core as public software distribution packages with the name and description you specify. Use Endpoint Manager software distribution to deploy the policies you create. For more information on using Environment Manager please reference the help documentation.

To create a new Environment Manager policy and save it to your core server

1. Click Tools > Configuration > Environment Manager Policy. The Environment Manager console opens in a separate window.
2. Configure your new policy in Environment Manager.
3. Click File > Save As > Configuration in Endpoint Manager.
4. Select an Endpoint Manager core server configuration from the list and click Connect. Provide core server credentials if necessary.
5. Enter a Configuration name and Description. These items become the software distribution package name and description in Endpoint Manager.
6. Click Save. The policy will be saved to the core server you selected.

To modify an existing Environment Manager policy on your core server

1. Click Tools > Configuration > Environment Manager Policy. The Environment Manager console opens in a separate window.
2. In the Environment Manager window, click File > Open > Configuration from Endpoint Manager.
3. Select an Endpoint Manager core server configuration from the list and click Connect. Provide core server credentials if necessary.
4. Environment Manager will show the list of policies on your core server. Select the policy you want and click Open.
5. Make your policy modifications.
6. Click File > Save As > Configuration in Endpoint Manager.
7. Select a Endpoint Manager core server configuration from the list and click Connect. Provide core server credentials if necessary.
8. Enter a Configuration name and Description. These items become the software distribution package name and description in Endpoint Manager.
9. Click Save. The policy will be saved to the core server you selected.

Additional Notes and Information

• You can also launch the EM Console from the start menu
• Actual application being launched
  • C:\Program Files\AppSense\Environment Manager\Console\EMConsole.exe

Introduction

The problem with login to the console creates a error message in console.exe.log. Many times such log file includes the HTML report, where the particular IIS problem is mentioned.

You can go ahead and open such HTML code in any browser, to easly check the output and details for problem with modules as on the below example.

Resolution

Please have a look on the error message and apply possible solution. If you're running on IIS the other than Ivanti pools, the problem can be easly detected on Microsoft community as well.

In the above example, the problem is related with .NET Framework environment.

Could not load type 'System.ServiceModel.Activation.HttpModule' from assembly 'System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.

In accordance to the Microsoft community solution, the below command line code should be executed:

aspnet_regiis.exe /iru

Recommendations

It is recommended to use only Ivanti pools on one IIS server if possible. Otherwise other components can update and affect on Ivanti availability, by changing default settings. You can easly check if other components can affect on IIS service by reviewing IIS Application Pool.

The above is example of additional Application Service, installed by WSUS feature to Windows Server. It can cause the problem with Ivanti Console availability, if the WSUS compression is enabled. At the result error 0x8007007e referring to WSUS configuration was included in console.exe.log. Problem can be solved by uninstalling WSUS or disabling compression using the below command:

%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']

Resolution:

Problem: When trying to do backup on 64bit Core Server getting error:

Error saving file path c:\windows\system32\cba\pds.exe that is associated with Shadow Copy path \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\windows\system32\cba\pds.exe. The system cannot find the path specified.

Cause: The pds.exe is stored in C:\Windows\SysWOW64\cba\pds.exe instead of c:\windows\system32\cba\pds.exe on 64bit machines.

It is pretty much the same as having Program Files (for 64 bit programs) and Program Files (x86) (for 32 bit programs). It is designed to be invisible to the service, which is why it thinks it's in a different place than it really is.

This is working how Windows intends for a 32 bit service to work.

Resolution: You can make a link to the "c:\Windows\SysWOW64\cba"

C:\Windows\System32>mklink /d cba c:\Windows\SysWOW64\cba

C:\Windows\System32>dir *cba*
Volume in drive C has no label.
Volume Serial Number is 4CD7-E8DF

Directory of C:\Windows\System32

17/12/2009  09:41    <SYMLINKD>     cba [c:\Windows\SysWOW64\cba]
19/01/2008  09:02           350.208 mmcbase.dll
               1 File(s)        350.208 bytes
               1 Dir(s)  10.079.297.536 bytes free

Description

After SP2 has been installed on the LDMS 9.0 core server, the following error appears when you try to log into the console on the core server

You have insufficient rights to launch the console. Validate that you have been assigned a role or that you belong to a group that has been assigned a role.

Cause

The reason why the above error occurs is that the tables that should  contain LANDesk rights are empty. Therefore there is no association  between users and their LANDesk rights. This problem is caused partly  due to SQL server using dynamic port rather than its default port 1433  and partly by the application CreateLANDeskRights.exe not being able to  connect to the SQL server on dynamic port. During SP2 installation  CreateLANDeskRights.exe will run and populate the following tables with  LANDesk rights

- Permission

- PermissionDefinition

- PermissionDefinitionRight

- PermissionGroup

- PermissionRight

Resolution

To resolve this issue please follow below steps

1. Open LANDesk Configure Services from Start > All Programs > LANDesk > LANDesk Configure Services

2. On the General tab enter the SQL server or instance port ( SQL_Server, port_number ), i.e. LDMS9ENU, 2594

3. Click Apply and OK

Following the steps above you now should be able to log in as a user that is member of the following local security groups on the core server

- LANDesk Administrator

- LANDesk Management Suite

All the previous user settings such as rights, scopes and groups will have to be recreated.

Another cause for this error message could be the MBSDK web service is enabled with Anonymous access. It should be Windows Authentication only.

Problem

When trying to log into the Core server, there will be a error message that says:"Console Initialization Error: Unable to connect to the remote server"

You will see the following error message in the console.exe log and screen shot as shown as below.

+++Console.exe.log++++

05/14/2013 16:53:59 INFO  1524:Main Thread RollingLog : Starting authentication

05/14/2013 16:53:59 INFO  1524:Main Thread RollingLog : Resolving rights for ADMINISTRATOR

05/14/2013 16:54:01 INFO  1524:Main Thread RollingLog : WebException Exception: Unable to connect to the remote server

Environment

LDMS9.0 or later version

Cause

1. Site Bindings does not specify the SSL certificate

If it is a certificate issue such as the certificate missing or incorrect. More information can be found in the article below:

How to troubleshoot a missing or deleted core certificate

Solution

1. Make sure that World Wide Web Publishing Service (WAS) is running.

2. Open IIS Manager->Site-> You will see something similar to the following screen shot.

3.. Click Bindings

4. Click Add-> Choose https-> Choose the correct LANDESK certificate or LANDESK Secure Token Server -> Click OK

5. Go to Mange Website on the right-side pane Restart Website service.

6. Try to log onto the core server again.

Explanation of Role Based Administration (RBA) rights

Management Suite Administrator
The Management Suite Administrator permission provides full access to all of the application tools (however, use of these tools is still limited to the devices included in the administrator's scope).

The Management Suite Administrator permission provides users the ability to:

Manage users with the Users tool.
See and configure product licensing in the Configure menu.
Configure LANDesk services.
Important: Perform ALL of the Management Suite tasks allowed by the other permissions.

Agent configuration

No rights: Can’t see the tool.
View: Can see this tool and can view anything. Can’t change anything.
Edit: Can see and change anything. Can’t deploy an agent configuration job.
Deploy: Can see everything. Can’t change anything. Can schedule any agent configuration task that they can see (including public).
Edit public: Can assign configurations to public. Can edit public configurations.

Alerting

No rights: Can’t see the tool.
View: Can see this tool and can view anything. Can’t change anything.
Edit: Can see and change anything. Can’t deploy.
Deploy: Can see everything. Can’t change anything. Can deploy.

Basic Web console

No rights: Can’t log into Web console.
View: Not applicable.
Edit: Can log into Web console and see the most basic things.
Deploy: Not applicable.

Core synchronization

No rights: No core synchronzation tool. No right-click options to Autosync or Copy to core. Still show import and export options. (These are tied into the "Edit" right for the tool that has these options.)
View: Can see the tool, but can't make any changes. Still no synchronization options in context menus as above.
Edit: Can do everything. Add/remove target cores, turn components on and off, enable auto sync on instances, and manual sync.
Deploy: Not applicable.

Custom data forms

No rights: Can’t see the tool.
View: Can see this tool and can view anything. Can’t change anything.
Edit: Can see and change anything. Can’t deploy.
Deploy: Can see everything. Can’t change anything. Can deploy.

Device management

Add / Delete devices

No rights: Can’t see the Insert new computer option in the context menu when viewing All devices in the Network view. Can’t see the Delete option in the context menu when selecting a device in the Network view. Can’t see the Network view > Configuration > User added computers tree node.
View: Not applicable.
Edit: Can see and use the Insert new computer option in the context menu when viewing All devices in the Network view. Can see and use the Delete option in the context menu when selecting a device in the Network view. Can see the Network view > Configuration > User added computers tree node.
Deploy: Not applicable.

Manage public device groups
No rights: Can’t change anything in Public devices.
View: Not applicable.
Edit: Not applicable.
Deploy: Not applicable.
Edit Public: Can create, delete and change device groups in Public devices. Can move a device group into Public devices.

Unmanaged device discovery

No rights: Can’t see the UDD tool.
View: Can open the UDD tool and view any item. Can’t create/delete/edit anything.
Edit: Can open the UDD tool and view any item. Can create/delete/edit anything.
Deploy: Can open the UDD tool and view any item. Can’t create/delete/edit anything. Can schedule a UDD task.

Device monitoring

No rights: Can’t see Device monitoring from the Configure menu.
View: Can see the Alerting tool and Logs tool. Can see information in the Device monitoring tool. Can't edit it.
Edit: Can see the Alerting tool and Logs tool. Can see and edit information in the Device monitoring tool.
Deploy: Not applicable.

Wake/Reboot/Shutdown

Edit: Can see and use Wake up, Reboot and Shutdown options in the context menu when selecting a device. Manage local users and groups
Edit: Can see and use Manage local users and groups in the context menu when selecting a device.

Manage local users and groups

Edit: Can see and use Manage local users and groups in the context menu when selecting a device.

Handheld

No rights: Can’t see the handheld tools.
View: Can see the handheld tools. Can’t change anything.
Edit: Can create, edit and delete items. Can't schedule a job.
Deploy: Can't create, edit and delete items. Can schedule a job. Can use the Handheld task button in the Scheduled tasks tool.

Launchpad

No rights: Can’t see the Launchpad tool.
View: Can see the tool. Can’t change anything.
Edit: Can create, edit, and delete items. Can't schedule a task/policy.
Deploy: Can't create, edit, and delete items. Can schedule a task/policy.

OS Deployment / Provisioning

No rights: Can’t see the OS Deployment tool.
View: Can see the tool. Can’t change anything.
Edit: Can create, edit and delete items. Can't schedule tasks.
Deploy: Can schedule tasks for items that they can see (including public). Can't create, edit and delete items.
Edit Public: Can move items to the Public folder. Can create, edit or delete items in the Public folder.

Power management

No rights: Can’t see the Power Management tool.
View: Can see the tool. Can’t change anything.
Edit: Can create, edit and delete items. Can't schedule tasks.
Deploy: Can schedule tasks for items that they can see (including public). Can't create, edit or delete items.
Edit Public: Can move items to the Public folder. Can create, edit or delete items in the Public folder.

Public query management

No rights: Regular behavior.
View: Not applicable.
Edit: Not applicable.
Deploy: Not applicable.
Edit Public: Can move queries to the Public folder. Can create, edit or delete queries in the Public folder.

Refresh scopes

No rights: The Network view's Refresh scopes toolbar button doesn't do anything.
Edit: The Network view's Refresh scopes toolbar button updates all scopes. Use this when you've added devices to a scope or changed a user's scope and you want that user to see the new scope. Otherwise the scope refresh can wait up to an hour before it occurs automatically.

Remote control tools

Remote control

No rights: Can’t see the Remote control > Remote control option in the context menu.
View: Can see the Remote control > Remote control option and can remote control a device. Can’t take control of the device (view only).
Edit: Can see the Remote control > Remote control option and can remote control and take control of a device.
Deploy: Not applicable.

Execute programs

Edit: Can see the Remote control > Execute program option and can use it. The Execute program option is enabled in the Remote control window.

Transfer files

Edit: Can see the Remote control > Transfer files option and can use it. The Transfer files option is enabled in the Remote control window.

Chat

Edit: Can see the Remote control > Chat option and can use it. The Chat option is enabled in the Remote control window.

Reboot

Edit: Can see the Remote control > Reboot option and can use it. The Reboot option is enabled in the Remote control window.

Security

Patch and compliance

No rights: Can’t see the tool. Can’t see any scheduled tasks or policies in software distribution that are created from the tool.
View: Can see the tool. Can see everything inside. Can't download content, create/edit/delete configurations, or change anything. It is read-only.
Edit: Can see the tool. Can see everything inside. Can edit anything. Can’t schedule anything, including: content downloads, scan jobs, repair jobs, gather history, etc.
Deploy: Can see the tool. Can see everything inside. Can't modify anything, but can create a task or policy using the information there for items that they can see (including public).
Edit Public: Can move items to the Public folder. Can create, edit or delete items in the Public folder. Edit public repair tasks require all view, edit, deploy and public edit rights for patch and compliance.

Security configurations

No rights: Can’t see the tool. Can’t see any scheduled tasks or policies in the Scheduledtasks window that are created from this tool.
View: Can see this tool and the Security Activities tool. Can look at but not change any configurations or create any tasks.
Edit: Can see the tool and the Security Activities tool. Can see everything inside. Can edit anything. Can’t schedule anything.
Deploy: Can see the tool and the Security Activities tool. Can see everything inside. Can't modify anything, but can create a task or policy to deploy this to a client or change its configuration for items that they can see (including public).
Edit Public: Can move items to the Public folder. Can create, edit or delete items in the Public folder.

Network access control

No rights: Can’t see the tool.
View: Can see this tool and can view anything (such as the 802.1x configuration). Can’t change anything.
Edit: Can see and change anything, including publishing NAC settings.
Deploy: Not applicable.

Software distribution

Delivery methods

View: Can see the tool and everything in it.
Edit: Can create/edit/delete methods.
Deploy: Not applicable
Edit Public: Can move items to the Public folder. Can create, edit or delete items in the Public folder.

Distribution packages

View: Can see the tool and everything in it.
Edit: Can create/edit/delete packages.
Deploy: Can deploy a package in the distribution package tool. Can use the Create software distribution task button in the Scheduled tasks tool. Can use the Create custom script task button in the Scheduled tasks tool. This applies to all items that they can see (including public).
Edit Public: Can move items to the Public folder. Can create, edit or delete items in the Public folder.

Directory manager

View: Can see the tool and everything in it (assuming someone has authenticated already).
Edit: Can authenticate to a new directory and can see everything and can create/edit/delete queries.
Deploy: Not applicable.

Manage scripts

View: Can see this tool and can view anything. Can’t change anything.
Edit: Can see and change anything. Can’t schedule a task.
Deploy: Can schedule tasks for items that they can see (including Public). Can't create, edit and delete items.
Edit Public: Can move items to the Public folder. Can create, edit or delete items in the Public folder.

Scheduled tasks

If someone has "Deploy" rights for any of the tools listed below, they can see the scheduled task tool.

If someone has "Deploy" rights they have rights to modify any part of the type of task that they have "Deploy" rights for (for example, agent configuration, software distribution, Patch, etc.).

If someone has "Deploy" rights, they can change only the Target and the Schedule panes of a Public task.

If someone has "Deploy" rights and "Edit Public" rights, they can make any changes to Public tasks and can move tasks to and from the Public folder.

If someone has "Edit Public" rights but not "Deploy" rights, they can't edit any task of that type, including Public tasks.

Software license monitoring

No rights: Can’t see the Software license monitoring tool.
View: Can see everything. Can’t change anything.
Edit: Can see and edit anything.
Deploy: Not applicable.

User Administration

No rights: Can’t see the Users tool.
View: Can see everything. Can’t change anything.
Edit: Not applicable.
Deploy: Not applicable.

I would also lean on the following information article if you have additional questions:

LANDesk Help Center - Welcome to the user management tool

Role-based administration overview

Symptoms: The following error is displayed when

1. Launching a remote console and attempting to connect to a core server.

2. Installation during Configuring Datamart.

Console Initialization Error: Value cannot be null. Parameter name: userId

Resolution: Check the following registry key on the core server. The value for isNTLM needs to be set to "False". This setting is not currently used and will cause problems if it's set to True.

HKLM\Software\LANDESK\ManagementSuite\Core\Connections\Local