Enabling deployment on Windows servers

Under certain conditions, additional steps may be necessary to enable deployment capabilities, including patch deployment, on a Windows server. The steps that you perform vary, depending on whether you are using user privilege mapping or Windows user mapping to access the server requiring patches. For a full explanation of methods for accessing a server, see Impersonation and privilege mapping.

Conditions requiring this procedure

This procedure is necessary in any of the following situations:

  • Version 8.2.00 of the RSCD agent is newly installed (that is, no previous version of the agent has been installed). Note that 8.2.01 and later versions of the RSCD agent do not require the procedure.
  • The RSCD agent has been upgraded to version 8.2.00 from a previous release and you have removed the "Manage auditing and security log" policy from the local groups to which the mapped user belongs. The "mapped user" refers to the user account that is being used to deploy patches on this server. See Impersonation and privilege mapping for more information about assuming an identity on a server. Note that 8.2.01 and later versions of the RSCD agent do not require the procedure.
  • Version 8.2.01 or a later version of the RSCD agent is installed but you have removed the Administrators group from the "Manage auditing and security log" local policy, as described in Agent installation and default treatment of the Windows Administrators group.

To enable deployment when using user privilege mapping

  1. Create a new local group on the target server.
  2. Add the local group to the local policy called "Manage auditing and security log."
    On Windows 2003, this policy is available at /Security Settings/Local Policies/User Rights Policy/Manage auditing and security log. On Windows 2008, this policy is available at /Security Settings/Local Policies/User Rights Assignment/Manage auditing and security log.
  3. Add the mapped user who is performing patch deployment on the server to the new local group and the Administrators group.
  4. Optional. Remove the Administrators group from the "Manage auditing and security log" policy if your configuration policy does not allow the Administrators group to have this right.

To enable deployment when using Windows user mapping

When using Windows user mapping to access a server, you must define an automation principal. To enable deployment on a server, add the user that is specified in the automation principal to the local policy called "Manage auditing and security log."

On Windows 2003, this policy is available at /Security Settings/Local Policies/User Rights Policy/Manage auditing and security log. On Windows 2008, this policy is available at /Security Settings/Local Policies/User Rights Assignment/Manage auditing and security log.

Optionally, you can remove the Administrators group from the "Manage auditing and security log" policy if your configuration policy does not allow this configuration.
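
To confirm the result of either procedure, the following added example (not part of the product or its documentation) parses a user rights export and reports which accounts hold "Manage auditing and security log", which Windows stores as SeSecurityPrivilege. The group name BLPatchDeploy, the file path, and the sample export are constructed for illustration.

```powershell
# "Manage auditing and security log" is the SeSecurityPrivilege user right.
# On a live server, export the current assignments first (run elevated):
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $lines = Get-Content C:\Temp\rights.inf     # path is a placeholder

function Get-RightHolders {
    param([string[]]$InfLines, [string]$Right = 'SeSecurityPrivilege')
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            # Holders are comma separated; SIDs carry a leading '*'.
            return @($matches[1].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()   # the right is assigned to no one
}

function Resolve-Holder {
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }   # already a name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry   # SID cannot be resolved on this machine
    }
}

# Constructed sample of an exported [Privilege Rights] section.
$sample = @(
    '[Privilege Rights]',
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551',
    'SeSecurityPrivilege = *S-1-5-32-544,BLPatchDeploy'
)

$expected = 'BLPatchDeploy'   # hypothetical group or automation principal user
$holders  = @(Get-RightHolders -InfLines $sample)

# List every holder so unexpected accounts are visible for review.
$holders | ForEach-Object { '{0,-20} {1}' -f $_, (Resolve-Holder $_) }

if ($holders -contains $expected) {
    "OK: $expected holds SeSecurityPrivilege"
} else {
    "MISSING: add $expected to 'Manage auditing and security log'"
}
```

Replace `$sample` with the `$lines` read from a real export, and set `$expected` to the local group (user privilege mapping) or the automation principal user (Windows user mapping).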
