Issue:
A LANDesk administrator is questioning the necessity of the CBA_Anonymous account on client machines and is considering its removal.
What is it?
The CBA_Anonymous account is a local guest account created on any Windows computer that has a Landesk Agent. When your LDMS Core needs to communicate with an agent, it calls the CBA_Anonymous local account on the agent computer, to perform an LDPing on the client web service. The LDPing returns the hostname and Landesk inventory ID of the Agent computer as xml. This information is verified to authenticate the client before executing any task.
For more information, please click on the following link:
Landesk Agent Authentication using the CBA_Anonymous local guest account
Solution:
The removal of CBA_Anonymous has proven to exhibit various errors within various environments and may cause a fault in your services.
Please keep in mind that in versions 9.6 SP3 and later, the CBA_Anonymous account is no longer in the guest group, but is defaulted to the user's group. Please verify the version of your LANDesk agents if this is not the case.
For those machines 9.6 SP2 or earlier, the only known work around, which is unsupported, is to add CBA_Anonymous to the users group. You will however be required to ensure that the local policy "Deny Logon as Batch Job" does not contain the guests group. It can be found here:
Local Computer Policy>> Computer Configuration>> Windows Settings>> Security Settings>> User Rights Assignment