Mac

Join domain before or after software installation ?

When installing a piece of software - What determines if the installation needs to be done AFTER joining a machine to a domain?  I can understand some configuration, security, GPO and operational issues, but just the installation of the software. 


I have about 15 machines that get the same SCADA software as part of an upgrade and I wanted to get them done at home where the domain is not available. Then I can bring them in, join the domain and move forward from there.


Is there some general rule or known conditions that dictate this?  

Seth Simmons

What determines if the installation needs to be done AFTER joining a machine to a domain?


depends on what the software does (if requiring to be on the domain) and if it installs in the system context (\program files) or user context (%userprofile%\appdata\local)

ASKER

OK that's a good start. Just user profile specifics eh? I don't think that is a factor. 


It installs to Program Files 


Each machine uses the same AD logon to start and run the app. App startup is initiated by a shortcut in the Startup folder. It can be the global one or the profile one. Best I add that after the join and put it on the profile.


The app then uses different AD credentials for its internal logon process. Otherwise this app could run with or without a domain. It couldn't care less. However, this will be the first time I have used domain security on this app and I'm uncertain how it will play into this.


But you say if it's not profile specific - all is good eh? 


ASKER

Hmmm. well I could join them, then take them home and install and then bring back... I assume a cached credential will work? 

In fact, the result will depend on the software.


Remotely, you will (should) be able to connect with accounts that are in the cache, and with local users.


Now, if you install software such as Office, you will be able to install it with no risks.

If you install something that installs or needs drivers, services, or remote connections (to the Internet or other, with or without a proxy), you have a good chance of seeing different behavior on the company network.

ASKER

Hmm, there is a service or two that gets installed... Is it  best practice to make those run under a domain account and not local? 

Services shouldn't have any direct interaction with a domain. So that shouldn't make any difference.

ASKER

But does "best security practices"  say to use domain creds on a service so it can't run outside the domain?  I've really no idea but it doesn't sound like a great idea at first glance. 

But does "best security practices"  say to use domain creds on a service so it can't run outside the domain?


most services use local system, local service or network service to run

there are some applications that need a different account but for the most part, it uses a local account not domain
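
An added example, not part of the thread or of any participant's answer: a PowerShell script that lists the account each installed service runs under and classifies it as built-in, virtual, local or domain, so the output can be compared on a machine before and after the domain join. The function name `Get-ServiceAccountType` is hypothetical; `Win32_Service` and `Win32_ComputerSystem` are standard CIM classes.

```powershell
# Added example: classify the logon account of every installed service.
# Get-ServiceAccountType is a hypothetical helper name, not from the thread.
function Get-ServiceAccountType {
    param(
        [string]$StartName,     # Win32_Service.StartName (may be empty)
        [string]$ComputerName   # local machine name, to recognise MACHINE\user
    )

    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'None' }

    switch -Regex ($StartName) {
        # LocalSystem, NT AUTHORITY\LocalService, NT AUTHORITY\NetworkService
        '^(LocalSystem|NT AUTHORITY\\.+)$' { return 'BuiltIn' }
        # Per-service virtual accounts (NT SERVICE\<name>)
        '^NT SERVICE\\'                    { return 'Virtual' }
        # .\user is always a local SAM account
        '^\.\\'                            { return 'Local' }
        # UPN form user@domain
        '@'                                { return 'Domain' }
        # PREFIX\user: local if the prefix is this machine, otherwise domain
        '^([^\\]+)\\' {
            if ($Matches[1] -ieq $ComputerName) { return 'Local' }
            return 'Domain'
        }
        default                            { return 'Unknown' }
    }
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

$report = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.Name
        StartMode   = $_.StartMode
        Account     = $_.StartName
        AccountType = Get-ServiceAccountType -StartName $_.StartName -ComputerName $cs.Name
    }
}

# Current membership state of this machine
'Domain joined: {0} ({1})' -f $cs.PartOfDomain, $cs.Domain

# Summary: how many services run under each kind of account
$report | Group-Object AccountType | Select-Object Name, Count | Format-Table -AutoSize

# Services configured with a domain account are the ones to compare
# before and after the join
$report | Where-Object AccountType -eq 'Domain' | Format-Table -AutoSize
```
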

ASKER

Thanks - I will see how this behaves both ways