Active Directory

For an on-premises deployment, three separate Active Directory service accounts must be provided.

1. Read-Only Account

This account is used to query LDAP for information about users and groups.

Role:Read-Only.
Function: Retrieves user and group information via the LDAP (or LDAPS) protocol.
Required Permissions: Must have the necessary rights to search for and read user attributes in the Active Directory directory.
Location in the application: The credentials for this account will be configured in the Medulla configuration file (information requested in the delivery form).

2. Machine Enrollment Account (Imaging/Mastering)

This account is dedicated to provisioning and registering new machines in the domain during the imaging (or mastering) process.

Role: Rights to enroll machines in the domain.
Function: Enables the addition of computers to the Active Directory domain.
Required Permissions: Must have the "Add workstations to the domain" permission .
Integration into the process: This account will be integrated and used bySysprep to perform the domain join operation during machine mastering.

3. Script Execution Account (Medulla Agent Installation)

This account is required for post-deployment administration tasks, specifically forthe remote installation of the Medulla agent via PowerShell, targeting a defined Organizational Unit (OU).

Role: List computers in Active Directory and run PowerShell scripts remotely with delegated permissions.
Function: List computers in Active Directory. Install and configure the Medulla agent on workstations, targeting machines in a specific OU.
Required Permissions:
- Delegated Permissions on the Target OU: Must have permissions to modify Computer objects and permissions to execute remote commands (via WinRM or an equivalent solution) on machines in the specified OU.
- Access to the network share: If the Medulla agent script or installer is stored on a network share, the account must have read permissions on that share.
- List AD computers: Musthave permission to list AD computers in order to select the computers on which the agent should be installed.
Usage: This account will be used by the Python application to initiate and validate the execution of PowerShell scripts on the machines, ensuring that the agent is installed and that the machine is correctly assigned to the appropriate OU structure.

Network Prerequisites for Medulla SaaS

FLUX Test

Firewall

Active Directory

I already have a PXE server on my network—is that a problem?

Simplified Medulla Flowchart

OIDC

DNS Views and Medulla Relay in the DMZ

Filter machine types by GLPI ID

GLPI Access for Medulla

Disable convergence for the Extract drivers package

Configuration Guide: OIDC Authentication and User Synchronization

Activation Support / WSUS / CVE / Shop

Rename the FQDN and Switch to HTTPS on Medulla

Changing the SSH Port Between Server and Workstation

GLPI - Connecting an External GLPI

SUPPORT - Access

Installing Medulla on an OVH Virtual Private Server (VPS)

Client Workstations (Status & Visibility)

Packages

Remote Maintenance & Getting Started

Set the agent to Debug mode

Windows Agent Issue

Introduction

The ACLs

The ACLs (continued)

Console & Administration

Increase the Web session timeout (MMC / XMLRPC)

Retrieve the root password for the Medulla interface

Deployment (broadcasting)

Packages

Updates (Windows Updates)

Imaging menus

Client Workstations (Status & Visibility)

GPO

Reconfigure My Agent

Generate Windows and Linux agents

Linux MINT Distribution Agents

Uninstalling a Medulla Agent (Versions earlier than 5.5.2)

Uninstalling a Medulla Agent (Version 5.5.2 and later)

How do I force a reconfiguration of Medulla agents?

Duplicate MAC Addresses

Check the connection from the agent to the server

WithSecure alerts regarding PAExec used by Medulla

Architecture and Deployment of Medulla Relay Servers

Procedure for Adding Relays to Dedicated Medulla SaaS

Medulla Update - 5.4.x to 5.5.x

Services

Imaging Prerequisites

Imaging - Davos Debug

Imaging - Debug

Where are Medulla imaging masters stored?

About the Masters

An unknown machine does not appear in Medulla or GLPI after Register PXE

Copying Imaging Profiles

How the WSUS Tool Works

Module Update (WSUS) is unavailable after enabling AES protection for update catalogs

Active Directory

1. Read-Only Account

2. Machine Enrollment Account (Imaging/Mastering)

3. Script Execution Account (Medulla Agent Installation)