Note

 

BMC PATROL for Microsoft Cluster Server 1.9 is not the latest version. The latest version is merged with the BMC PATROL for Microsoft Windows Servers 5.0 KM as a component. To continue using it, import the BMC PATROL for Microsoft Windows Servers 5.0. For more information, see BMC PATROL for Microsoft Windows Servers 5.0.

To install PATROL for Microsoft Windows Servers, a dedicated PATROL OS account is required. This topic provides details of the requirements and steps to set up such an account for Microsoft Windows and UNIX platforms.

Requirements for an installation account in a Windows environment

In a Windows environment, PATROL requires a dedicated user account, known as the PATROL default account, that must be created before you install PATROL. The PATROL default account can be either a local or a domain account.

Stand-alone workgroup servers must use a local user account as a PATROL default account. Servers that are trusted members of a domain might use either a local or domain account. In each case, the PATROL default account must be a member of the local administrators group of the computer where the agent will reside.

PATROL default accounts on domain controllers should be only domain accounts. The account on a domain controller must be a member of the domain administrators group.

Although you can use an existing Windows user account, BMC recommends that you create a separate Windows user account for PATROL.

Warning

Do not use a domain or local Administrator account as the PATROL default account. Such account usage causes files that are created by PATROL to be owned by the Administrator, which could result in security or file access problems.

Requirements for an installation account in a UNIX environment

BMC Software recommends that the UNIX account that you create meet the following conditions:

  • The account .login, .profile, .cshrc, and .kshrc files should contain as little user customization as possible. Specifically, use no aliases, set the prompt to the default, and use no commands in these files that change the umask setting. The recommended umask setting for the installation account is 022.
  • Do not use root to install PATROL products because this might create security risks.
  • Be sure the account has permission to create directories in the directory where you will install PATROL products.
    The account that you use to install PATROL must have permission to write the installation logs to the $HOME and /tmp directories on the computer where you are installing products.
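
The conditions above can be checked before running the installer. The following preflight script is an added example, not BMC code; the function names and the --run switch are assumptions made for illustration, and the startup-file scan only looks for alias, umask and prompt settings.

```sh
#!/bin/sh
# Preflight for a PATROL installation account on UNIX (added example).
# Function names and the --run switch are illustrative, not part of any BMC tool.

# The installer should not be run as root. Takes the numeric UID to judge.
check_not_root() { [ "$1" -ne 0 ]; }

# The recommended umask for the installation account is 022.
check_umask() {
    case "$1" in 022|0022) return 0 ;; *) return 1 ;; esac
}

# Print every alias, umask or prompt customization found in the account's
# startup files; return 1 if any exist. $1 is the account's home directory.
scan_dotfiles() {
    found=0
    for f in .login .profile .cshrc .kshrc; do
        [ -f "$1/$f" ] || continue
        # /dev/null forces grep to prefix each hit with the file name.
        if grep -nE '^[[:space:]]*(alias[[:space:]]|umask[[:space:]]|(export[[:space:]]+)?PS1=|set[[:space:]]+prompt)' \
            "$1/$f" /dev/null; then
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# The account must be able to write to the install directory, $HOME and /tmp.
check_writable() {
    for d in "$@"; do
        [ -d "$d" ] && [ -w "$d" ] || { echo "not writable: $d"; return 1; }
    done
}

# Run all checks for the current user; $1 is the planned install directory.
preflight() {
    rc=0
    check_not_root "$(id -u)" || { echo "FAIL: running as root"; rc=1; }
    check_umask "$(umask)"    || { echo "FAIL: umask is $(umask), expected 022"; rc=1; }
    scan_dotfiles "$HOME"     || { echo "FAIL: startup files are customized"; rc=1; }
    check_writable "$1" "$HOME" /tmp || rc=1
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then preflight "${2:?usage: --run INSTALL_DIR}"; fi
```

Run it as the installation account with --run followed by the planned installation directory; a nonzero exit status means at least one condition is not met.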

PATROL Agent default account

PATROL requires a dedicated user account, known as the PATROL Agent default account, in the Windows environment. The PATROL Agent default account must exist in the Windows environment before you install PATROL. The PATROL Agent default account can be either a local or a domain account:

  • Stand-alone workgroup servers must use a local user account as a PATROL Agent default account.
  • Servers that are trusted members of a domain can use either a local or a domain account.
  • Domain controllers must use a PATROL Agent default account that is also a domain account.

Note

If you are not using the PATROL Agent default account as a Console connection account, the connection account needs the Log on locally account right. PATROL Agent first tries to log on locally; if this fails, it tries to connect to the console by using the network login rights.

KM functions performed

The PATROL Agent uses the PATROL Agent default account to perform the following KM functions:

  • Collect information from performance counters
  • Collect information from the Windows event log
  • Self-tune for peak performance and non-intrusive use of the processor
  • Access system-level information
  • Make debug-level output available from the PATROL KM applications
  • Access the command interpreter for operating-system-level commands
  • Create and remove processes in the process table for collecting performance data

Advanced user rights

To enable the PATROL Agent to perform these advanced functions, the PATROL Agent default account might need the advanced user rights shown in the following table. These rights are not used during installation, but the PATROL Agent requires these rights to operate and perform certain functions after installation. The installation utility automatically grants these rights to the PATROL Agent default account.

Advanced user rights

| Advanced User Right | Agent Dependency |
|---|---|
| Act as part of operating system | Enables PATROL to perform as a secure, trusted part of the operating system |
| Debug programs | Enables PATROL to debug low-level objects |
| Increase quotas | Enables PATROL to increase object quotas |
| Log on as a service | Allows the PATROL Agent to be started as a service so that it will start on system boot |
| Log on locally (Windows 2000); Allow log on locally (Windows 2003) | Allows PATROL to log on at the computer |
| Manage auditing and security log | Allows PATROL to monitor the "Security" event log |
| Profile system performance | Enables PATROL to use the Windows profiling capabilities |
| Replace a process level token | Enables PATROL to modify a security access token for a process |

Administrative rights

BMC recommends that you make the PATROL Agent default account a member of the local Administrators group of the computer where the agent will reside. On a domain controller, BMC recommends that you make the account a member of the domain Administrators group. 

However, you can choose to remove the PATROL Agent default account from the local or domain Administrators group. You could also remove the advanced user rights described in the following table. However, if you do so, the PATROL Agent cannot perform all of its tasks. The following table shows the PATROL for Microsoft Windows Servers tasks that the Agent cannot perform when the following restrictions are placed on the PATROL Agent default account:

  • The account is in a domain user group or local user group, but is not in the domain or local administrators group.
  • The account does not have all of the advanced user rights noted in the following table.

Removing rights and admin group membership from the PATROL Agent

| KM | Effect | Workaround and notes |
|---|---|---|
| PATROL KM for Microsoft Cluster Server | The cluster KM does not function. No authentication to the cluster can be performed. | To be fully functional, the agent outside of the cluster can be in the admin group and contain all of its rights, while the agents within the cluster are removed from the administrators group and do not have the seven advanced user rights. The monitoring user account does not have the Logon As Batch Job user right. |

Creating a separate account

Although you can use an existing Windows user account, BMC recommends that you create a separate Windows user account for PATROL.

Warning

Do not use a built-in Windows domain or local Administrator account as the PATROL default account. Such account usage causes files created by PATROL to be owned by the Administrator, which could result in security or file access issues.

PATROL KM for Microsoft Cluster Server account

The PATROL KM for Microsoft Cluster Server can be configured to use an external cluster-level agent or an internal cluster-level agent (CLA). The account the KM uses to connect to and manage a cluster depends upon which configuration you use. Regardless of which configuration you use, however, the configuration must have the following characteristics:

  • Cluster account must be a domain account
  • Cluster account must have access permission to the cluster
  • All local agents in the cluster must use the same port number

An external CLA configuration requires a user-defined cluster account separate from the PATROL default account. This account must have cluster administrative privileges. The PATROL MCS Monitor Service (McsService.exe) also runs under this account.

An internal CLA configuration can use either a separate user-defined cluster account (a domain account with cluster administrative privileges) or, when certain requirements are met, it can use the PATROL default account. 

When installed, if the PATROL KM for Microsoft Cluster Server does not discover a separate cluster account, it checks the PATROL agent default account for the following required characteristics:

  • It must be a domain account
  • It must have permission to access the cluster

If these requirements are in place, the Cluster KM uses the PATROL agent default account to access the cluster and to communicate with the agents running on all other nodes in the cluster, and the PATROL MCS Service runs under this account. 

This account information is not replicated to other nodes so, if you want the Cluster KM to use the PATROL agent default account to monitor the cluster, these requirements must exist for every PATROL agent default account on every node in the cluster. 

To discover the PATROL KM for Microsoft Cluster Server, both the cluster account and the PATROL default account require the Logon as a batch job privilege.

Console connection accounts

BMC recommends that you create a separate account, in addition to the PATROL default account, for PATROL console operators who do not need administrative privileges. Operators can use this account to connect the console to the agent. If you want to configure KMs from the console, however, the console connection account might need administrative rights. For more information, see Requirements for configuring from the PATROL Console.

Related topic

Installing