Important

   

This documentation space contains information about PATROL Agents when deployed in a TrueSight Operations Management environment. If you are a BMC Helix Operations Management user, see PATROL Agent 21.3 for BMC Helix Operations Management.

Installation account

This topic contains information on account details and configuration.

Requirements

Install PATROL for Microsoft Windows Servers on each computer by using the dedicated PATROL OS account under which you installed the PATROL Console or PATROL Agent.

If you do not already have a dedicated PATROL account, you can use this topic to learn how to set up such an account for Microsoft Windows and UNIX platforms.

Requirements for an installation account in a Windows environment

In a Windows environment, PATROL requires a dedicated user account, known as the PATROL default account, that must be created before you install PATROL. The PATROL default account can be either a local or a domain account.

Stand-alone workgroup servers must use a local user account as a PATROL default account. Servers that are trusted members of a domain might use either a local or domain account. In each case, the PATROL default account must be a member of the local administrators group of the computer where the agent will reside.

PATROL default accounts on domain controllers should be only domain accounts. The account on a domain controller must be a member of the domain administrators group.

Although you can use an existing Windows user account, BMC recommends that you create a separate Windows user account for PATROL.

Warning

Do not use a domain or local Administrator account as the PATROL default account. Such account usage causes files that are created by PATROL to be owned by the Administrator, which could result in security or file access problems.

Requirements for an installation account in a UNIX environment

BMC Software recommends that the UNIX account that you create meet the following conditions:

  • The account .login, .profile, .cshrc, and .kshrc files should contain as little user customization as possible. Specifically, use no aliases, set the prompt to the default, and use no commands in these files that change the umask setting. The recommended umask setting for the installation account is 022.
  • Do not use root to install PATROL products because this might create security risks.
  • Be sure the account has permission to create directories in the directory where you will install PATROL products.
    The account that you use to install PATROL must have permission to write the installation logs to the $HOME and /tmp directories on the computer where you are installing products.
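
A preflight check for the conditions listed above, as an added example that is not part of BMC's documentation or installer. The `PATROL_INSTALL_DIR` variable and the `/opt/bmc` path are placeholders, and the patterns treated as "customization" (aliases, umask changes, prompt assignments) are this example's reading of the first condition.

```python
import os
import re
import tempfile

RC_FILES = (".login", ".profile", ".cshrc", ".kshrc")  # files named in the list above
# Treated as customization: aliases, umask changes, prompt assignments (sh/ksh and csh).
CUSTOM = re.compile(r"^\s*(alias\b|umask\b|(export\s+|set\s+)?(PS1|prompt)\s*=)")

def rc_findings(text):
    """Return (line number, line) for each customizing line in a startup file."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if CUSTOM.match(line)]

def can_write(directory):
    """True if a file can actually be created in the directory."""
    try:
        with tempfile.TemporaryFile(dir=directory):
            return True
    except OSError:
        return False

def current_umask():
    """Read the process umask; os.umask() can only set it, so restore it at once."""
    old = os.umask(0o022)
    os.umask(old)
    return old

def preflight(uid, umask, home, install_dir, tmp="/tmp"):
    """List the ways an installation account departs from the conditions above."""
    problems = []
    if uid == 0:
        problems.append("running as root")
    if umask != 0o022:
        problems.append("umask is %03o, expected 022" % umask)
    for directory in (install_dir, home, tmp):
        if not can_write(directory):
            problems.append("cannot write to %s" % directory)
    for name in RC_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                for n, line in rc_findings(fh.read()):
                    problems.append("%s:%d: %s" % (name, n, line))
    return problems

if __name__ == "__main__":
    target = os.environ.get("PATROL_INSTALL_DIR", "/opt/bmc")  # hypothetical name and path
    for problem in preflight(os.geteuid(), current_umask(), os.path.expanduser("~"), target):
        print("FAIL:", problem)
```

Run it as the installation account from a login shell, so that the umask it reports is the one the startup files leave in place.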

Setting PATROL installation account

The following information supports you in creating the PATROL installation account for Windows.

PATROL Agent default account

PATROL requires a dedicated user account, known as the PATROL Agent default account, in the Windows environment. The PATROL Agent default account must exist in the Windows environment before you install PATROL. The PATROL Agent default account can be either a local or a domain account:

  • Stand-alone workgroup servers must use a local user account as a PATROL Agent default account.
  • Servers that are trusted members of a domain can use either a local or a domain account.
  • Domain controllers must use a PATROL Agent default account that is also a domain account.

Note

If you do not use the PATROL Agent default account as the Console connection account, the connection account needs the Log on locally user right. PATROL Agent first tries to log on locally; if this fails, it tries to connect to the console by using the network login rights.

KM functions performed

The PATROL Agent uses the PATROL Agent default account to perform the following KM functions:

  • Collect information from performance counters
  • Collect information from the Windows event log
  • Self-tune for peak performance and non-intrusive use of the processor
  • Access system-level information
  • Make debug-level output available from the PATROL KM applications
  • Access the command interpreter for operating-system-level commands
  • Create and remove processes in the process table for collecting performance data

Advanced user rights

To enable the PATROL Agent to perform these advanced functions, the PATROL Agent default account might need the advanced user rights shown in the following table. These rights are not used during installation, but the PATROL Agent requires these rights to operate and perform certain functions after installation. The installation utility automatically grants these rights to the PATROL Agent default account.

Advanced user rights

| Advanced User Right | Agent Dependency |
|---|---|
| Act as part of operating system | Enables PATROL to perform as a secure, trusted part of the operating system |
| Debug programs | Enables PATROL to debug low-level objects |
| Increase quotas | Enables PATROL to increase object quotas. This privilege determines who can change the maximum memory that can be consumed by a process. |
| Log on as a service | Allows the PATROL Agent to be started as a service so that it will start on system boot |
| Log on locally | Allows PATROL to log on at the computer |
| Manage auditing and security log | Allows PATROL to monitor the "Security" event log |
| Profile system performance | Enables PATROL to use the Windows profiling capabilities |
| Replace a process level token | Enables PATROL to modify a security access token for a process |

Administrative rights

BMC recommends that you make the PATROL Agent default account a member of the local Administrators group of the computer where the agent will reside. On a domain controller, BMC recommends that you make the account a member of the domain Administrators group.

However, you can choose to remove the PATROL Agent default account from the local or domain Administrators group. You could also remove the advanced user rights described in the following table. However, if you do so, the PATROL Agent cannot perform all of its tasks. The following table shows the PATROL for Microsoft Windows Servers tasks that the Agent cannot perform when the following restrictions are placed on the PATROL Agent default account:

  • The account is in a domain user group or local user group, but is not in the domain or local administrators group.
  • The account does not have all of the advanced user rights noted in the following table.

Removing rights and admin group membership from the PATROL Agent

| KM | Effect | Workaround and notes |
|---|---|---|
| PATROL KM for Microsoft Cluster Server | The cluster KM does not function. No authentication to the cluster can be performed. | To be fully functional, the agent outside of the cluster can be in the admin group and contain all of its rights, while the agents within the cluster are removed from the administrators group and do not have the seven advanced user rights. The monitoring user account does not have the Logon As Batch Job user right. |
| PATROL KM for Windows Operating System | Restart Service recovery action does not execute. Message in system output window indicates access denied and inability to restart service. | The PATROL Agent default account must be in the local or domain Admins group. Granting a specific user right is not a valid workaround. |
| | If the PATROL Agent default account lacks the Debug Programs right, cannot monitor the status of processes. | Add the Debug Programs right to the PATROL Agent default account. Membership in the Administrators group not needed. |
| | The Terminate Process and Restart Process recovery actions do not work. | Add the Debug Programs right to the PATROL Agent default account. |
| | Backup Event Log and Clear Event Log recovery action does not work. | Add the user right, Backup files and directories to the PATROL Agent default account. For the security event log, you must also add the user right Manage auditing and security log. |
| | Logical disk quotas and mount points do not work. | The PATROL Agent default account must be in the local or domain Admins group. |
| | The Clean Temporary Directories recovery action does not execute. | Assign read/write permissions on the temp directory to the PATROL Agent Default account. |
| | Unable to monitor the security event log. The NT_EVENTLOG application displays a message in the _DiscoveryStatus parameter. | Add the user right, Manage auditing and security log to the PATROL Agent default account. |
| | Blue Screen KM unable to detect a blue screen condition. | The PATROL Agent default account must be in the local or domain Admins group. Granting a specific user right is not a valid workaround. |
| PATROL KM for Microsoft Windows Domain Services | Shares are not monitored. Parameters are not discovered. | Add the PATROL Agent default account to the Account Operators, Print Operators, or Server Operators built-in group. |
| | When the number of connections increase, the Share recovery action associated with the ShConnPercent parameter does not work. | Add the PATROL Agent default account to the Account Operators, Print Operators, or Server Operators built-in group. |
| | DFSRootReplica does not work when checking alternate domain controller. Parameters are unavailable and in alarm. | Grant the advanced user right log on locally to the PATROL Agent default account. |
| | NT_DHCP application class does not work on Windows 2008 and later versions. | Add the PATROL Agent default account to the DHCP Users group. |
| PATROL KM for Microsoft Windows Active Directory | AD disk space used does not work. | Grant the PATROL Agent default account the following permission on the DSA Working Directory and its sub directories: List Folder Contents/Read Data. The KM reads the registry to obtain the DSA Working Directory. It needs access to the following registry keys and subkeys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS |
| | Configuration NC replication checking does not work. | Grant the PATROL Agent default account sufficient Active Directory permissions to create a container object and child container objects in the configuration naming context of the forest in which the domain controller resides. Grant the PATROL Agent defaultAccount permission to Create Container Objects in the Configuration NC and to give Full Control to the created container object and its children. |
| | Domain NC replication checking does not work. | Grant the PATROL Agent default account sufficient Active Directory permissions to create a container object and child container objects in the domain naming context of the domain in which the domain controller resides. Grant the PATROL Agent defaultAccount permission to Create Container Objects in each Domain NC and to give Full Control to the created container object and its children. |
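
An added example (not BMC code) that reads a user-rights export and reports which of the advanced user rights from the tables above an account lacks, together with the effect this page documents for it. The `Se...` names are the Windows constants for those rights, the export text and the SID are constructed, and the caller is assumed to pass the account's SID plus the SIDs of any groups it belongs to.

```python
import configparser

# Windows constant names for the advanced user rights in the page's table.
RIGHTS = {
    "SeTcbPrivilege": "Act as part of operating system",
    "SeDebugPrivilege": "Debug programs",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeServiceLogonRight": "Log on as a service",
    "SeInteractiveLogonRight": "Log on locally",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeSystemProfilePrivilege": "Profile system performance",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}
# Effects the page documents when a given right is missing.
EFFECTS = {
    "SeDebugPrivilege": "process status monitoring, Terminate/Restart Process actions",
    "SeSecurityPrivilege": "security event log monitoring",
    "SeInteractiveLogonRight": "DFSRootReplica check of an alternate domain controller",
}
# Constructed sample in `secedit /export /areas USER_RIGHTS` format; the SID is made up.
PATROL_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *{sid}
SeServiceLogonRight = *S-1-5-80-0,*{sid}
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeSecurityPrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *{sid}
""".format(sid=PATROL_SID)

def parse_rights(inf_text):
    """Map each right under [Privilege Rights] to the principals that hold it."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the SeXxx spelling instead of lower-casing keys
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()}
            for right, value in cp.items("Privilege Rights")}

def missing_rights(inf_text, principals):
    """Return {right name: affected function or None} for rights none of the principals hold."""
    held = parse_rights(inf_text)
    who = {p.lstrip("*").lower() for p in principals}
    return {name: EFFECTS.get(const) for const, name in RIGHTS.items()
            if not held.get(const, set()) & who}

if __name__ == "__main__":
    for name, effect in missing_rights(SAMPLE, [PATROL_SID]).items():
        print(name, "->", effect or "no effect listed on the page")
```

Passing only the account SID models an account removed from the Administrators group; adding `S-1-5-32-544` (the built-in Administrators group) to the principals shows which rights the account then picks up through that membership.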

Creating a separate account

Although you can use an existing Windows user account, BMC recommends that you create a separate Windows user account for PATROL.

Warning

Do not use a built-in Windows domain or local Administrator account as the PATROL default account. Such account usage causes files created by PATROL to be owned by the Administrator, which could result in security or file access issues.

The installation utility prompts you to select the roles performed by the computer on which you are installing BMC Software products (the target computer). Before beginning the installation process, review the following definitions of the roles that are presented in the installation utility and decide which of these roles is performed by each computer in your environment.

Roles Performed by Computers in the PATROL Architecture

The roles performed by computers in the PATROL Architecture are:

  • Console Systems (also referred to as console computers) host user desktop applications such as consoles, user interfaces, viewers, and browsers. Select this option if the computer to which you are installing will perform any of the following roles:
    • Monitor, manage, and develop KMs on UNIX by using a PATROL Console for UNIX (PATROL 3.x architecture)
    • Monitor, manage, and develop KMs on Windows by using a PATROL Console for Windows (PATROL 3.x architecture)
  • Managed Systems (also referred to as agent computers) host software that manages the resources on the computer, such as a PATROL Agent, and PATROL Knowledge Modules. Select this option if the computer to which you are installing will perform any of the following roles:
    • Host a PATROL Agent
    • Host KMs and components that contain the knowledge that PATROL uses to monitor the resources on this computer

Console connection accounts

BMC recommends that you create a separate account, in addition to the PATROL default account, for PATROL console operators who do not need administrative privileges. Operators can use this account to connect the console to the agent. If you want to configure KMs from the console, however, the console connection account might need administrative rights. For more information, see Requirements for configuring from the PATROL Console.

Additional Information

For more information about the PATROL consoles, see the product's respective online help systems and the following documents:
