PATROL default account

PATROL requires a dedicated user account, known as the PATROL Agent default account. This topic provides information about the PATROL default account.

Related topics

Planning

Installing

Requirements for Windows environment

The PATROL Agent default account must exist in the Windows environment before you install PATROL. The PATROL Agent default account can be either a local or a domain account. In each case, the PATROL default account must be a member of the local administrators group of the computer where the agent will reside. Although you can use an existing Windows user account, BMC recommends that you create a separate Windows user account for PATROL.

Stand-alone workgroup servers must use the local user account as a PATROL Agent default account.
Servers that are trusted members of a domain can use either a local or a domain account.
Domain controllers must use a PATROL Agent default account that is also a domain account. The account on a domain controller must be a member of the domain administrators group.

Warning

Do not use a domain or local Administrator account as the PATROL default account. Such account usage causes files that are created by PATROL to be owned by the Administrator, which could result in security or file access problems.

Requirements for UNIX environment

BMC recommends that you follow these guidelines while creating the UNIX account:

The account .login, .profile, .cshrc, and .kshrc files should contain as little user customization as possible. Specifically, use no aliases, set the prompt to the default, and use no commands in these files that change the umask setting. The recommended umask setting for the installation account is 022.
Do not use root to install PATROL products because this might create security risks.
Ensure that the account has permission to create directories in the directory where you will install PATROL products. The account that you use to install PATROL must have permission to write the installation logs to the $HOMEand /tmp directories on the computer where you are installing products.

Agent functions

The PATROL Agent uses the PATROL Agent default account to perform the following functions:

Collect information from performance counters
Collect information from the Windows event log
Self-tune for peak performance and non-intrusive use of the processor
Access system-level information
Make debug-level output available from the PATROL KM applications
Access the command interpreter for operating-system-level commands
Create and remove processes in the process table for collecting performance data

Advanced user rights

To enable the PATROL Agent to perform these advanced functions, the PATROL Agent default account might need the advanced user rights shown in the following table. These rights are not used during installation, but the PATROL Agent requires these rights to operate and perform certain functions after installation. The installation utility automatically grants these rights to the PATROL Agent default account. The installation utility prompts you to select the roles performed by the computer on which you are installing BMC Software products (the target computer). Before beginning the installation process, review the following definitions of the roles that are presented in the installation utility and decide which of these roles is performed by each computer in your environment.

Advanced user rights

Advanced User Right	Agent Dependency
Act as part of operating system	Enables PATROL to perform as a secure, trusted part of the operating system
Debug programs	Enables PATROL to debug low-level objects
Increase quotas	Enables PATROL to increase object quotas
Log on as a service	Allows the PATROL Agent to be started as a service so that it will start on system boot
Log on locally (Windows 2000) Allow logon locally (Windows 2003)	Allows PATROL to log on at the computer Note If Log on locally rights is not assigned to the PATROL Agent default account, then PATROL KM for Microsoft Windows Process and Services will not work.
Manage auditing and security log	Allows PATROL to monitor the "Security" event log
Profile system performance	Enables PATROL to use the Windows profiling capabilities
Replace a process level token	Enables PATROL to modify a security access token for a process

Administrative rights

BMC recommends that you make the PATROL Agent default account a member of the local Administrators group of the computer where the agent will reside. On a domain controller, BMC recommends that you make the account a member of the domain Administrators group.

However, you can choose to remove the PATROL Agent default account from the local or domain Administrators group. You could also remove the advanced user rights described in the following table. However, if you do so, the PATROL Agent cannot perform all of its tasks. The following table shows the PATROL for Microsoft Windows Servers tasks that the Agent cannot perform when the following restrictions are placed on the PATROL Agent default account:

The account is in a domain user group or local user group, but is not in the domain or local administrators group.
The account does not have all of the advanced user rights noted in the following table.

Removing rights and admin group membership from the PATROL Agent

KM	Effect	Workaround and notes
PATROL KM for Microsoft Cluster Server	The cluster KM does not function. No authentication to the cluster can be performed.	To be fully functional, the agent outside of the cluster can be in the admin group and contain all of its rights, while the agents within the cluster are removed from the administrators group and do not have the seven advanced user rights. The monitoring user account does not have theLogon As Batch Job user right.
PATROL KM for Windows Operating System	Restart Service recovery action does not execute. Message in system output window indicates access denied and inability to restart service.	The PATROL Agent default account must be in the local or domain Admins group. Granting a specific user right is not a valid workaround.
	If the PATROL Agent default account lacks the Debug Programs right, cannot monitor the status of processes.	Add the Debug Programs right to the PATROL Agent default account. Membership in the Administrators group not needed.
	The Terminate Process and Restart Process recovery actions do not work.	Add the Debug Programs right to the PATROL Agent default account.
	Backup Event Log and Clear Event Log recovery action does not work.	Add the user right Backup files and directories to the PATROL Agent default account. For the security event log, you must also add the user right Manage auditing and security log.
	Logical disk quotas and mount points do not work.	The PATROL Agent default account must be in the local or domain Admins group.
	The Clean Temporary Directories recovery action does not execute.	Assign read/write permissions on the temp directory to the PATROL Agent Default account.
	Unable to monitor the security event log. The NT_EVENTLOGapplication displays a message in the _DiscoveryStatusparameter.	Add the user right Manage auditing and security log to the PATROL Agent default account.
	Blue Screen KM unable to detect a blue screen condition.	The PATROL Agent default account must be in the local or domain Admins group. Granting a specific user right is not a valid workaround.
PATROL KM for Microsoft Windows Domain Services	Shares are not monitored. Parameters are not discovered.	Add the PATROL Agent default account to the Account Operators, Print Operators, or Server Operators built-in group.
	When the number of connections increase, the Share recovery action associated with the ShConnPercent parameter does not work.	Add the PATROL Agent default account to the Account Operators, Print Operators, or Server Operators built-in group.
	DFSRootReplica does not work when checking alternate domain controller. Parameters are unavailable and in alarm.	Grant the advanced user right log on locally to the PATROL Agent default account.
	On Windows 2003, theNT_DHCP application class does not work.	Add the PATROL Agent default account to the DHCP Users group.
PATROL KM for Microsoft Windows Active Directory	AD disk space used does not work.	Grant the PATROL Agent default account the following permission on the DSA Working Directory and its sub directories: List Folder Contents/Read Data. The KM reads the registry to obtain the DSA Working Directory. It needs access to the following registry keys and subkeys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS
	Configuration NC replication checking does not work.	Grant the PATROL Agent default account sufficient Active Directory permissions to create a container object and child container objects in the configuration naming context of the forest in which the domain controller resides. Grant the PATROL Agent default account permission to Create Container Objects in the Configuration NC and to give Full Control to the created container object and its children.
	Domain NC replication checking does not work.	Grant the PATROL Agent default account sufficient Active Directory permissions to create a container object and child container objects in the domain naming context of the domain in which the domain controller resides. Grant the PATROL Agent default account permission to Create Container Objects in each Domain NC and to give Full Control to the created container object and its children.

Console connection accounts

BMC recommends that you create a separate account, in addition to the PATROL default account, for PATROL console operators who do not need administrative privileges. Operators can use this account to connect the console to the agent. However if you want to configure KMs from the console, the console connection account might need administrative rights. For more information, see Requirements for configuring from the PATROL Console Open link .

Note

If you are not using the PATROL Agent default account as a Console connection account, you will need to have the Log on locally account rights for the connection account. PATROL Agent first tries to log on locally; if this fails, it tries to connect to the console by using the network login rights.