To install PATROL for Microsoft Windows Servers, a dedicated PATROL OS account is required. This topic provides details of the requirements and steps to set up such an account for Microsoft Windows and UNIX platforms.
In a Windows environment, PATROL requires a dedicated user account, known as the PATROL default account, that must be created before you install PATROL. The PATROL default account can be either a local or a domain account.
Stand-alone workgroup servers must use a local user account as a PATROL default account. Servers that are trusted members of a domain might use either a local or domain account. In each case, the PATROL default account must be a member of the local administrators group of the computer where the agent will reside.
PATROL default accounts on domain controllers should be only domain accounts. The account on a domain controller must be a member of the domain administrators group.
Although you can use an existing Windows user account, BMC recommends that you create a separate Windows user account for PATROL.
Warning
Do not use a domain or local Administrator account as the PATROL default account. Such account usage causes files that are created by PATROL to be owned by the Administrator, which could result in security or file access problems.
BMC Software recommends that the UNIX account that you create meet the following conditions:
PATROL requires a dedicated user account, known as the PATROL Agent default account, in the Windows environment. The PATROL Agent default account must exist in the Windows environment before you install PATROL. The PATROL Agent default account can be either a local or a domain account:
Note
If you do not use the PATROL Agent default account as the console connection account, the connection account needs the Log on locally account right. PATROL Agent first tries to log on locally; if this fails, it tries to connect to the console by using the network login rights.
The PATROL Agent uses the PATROL Agent default account to perform the following KM functions:
To enable the PATROL Agent to perform these advanced functions, the PATROL Agent default account might need the advanced user rights shown in the following table. These rights are not used during installation, but the PATROL Agent requires these rights to operate and perform certain functions after installation. The installation utility automatically grants these rights to the PATROL Agent default account.
Advanced user rights
Advanced User Right | Agent Dependency |
---|---|
Act as part of operating system | Enables PATROL to perform as a secure, trusted part of the operating system |
Debug programs | Enables PATROL to debug low-level objects |
Increase quotas | Enables PATROL to increase object quotas |
Log on as a service | Allows the PATROL Agent to be started as a service so that it will start on system boot |
| Allows PATROL to log on at the computer |
| Allows PATROL to monitor the "Security" event log |
Profile system performance | Enables PATROL to use the Windows profiling capabilities |
Replace a process level token | Enables PATROL to modify a security access token for a process |
BMC recommends that you make the PATROL Agent default account a member of the local Administrators group of the computer where the agent will reside. On a domain controller, BMC recommends that you make the account a member of the domain Administrators group.
However, you can choose to remove the PATROL Agent default account from the local or domain Administrators group. You could also remove the advanced user rights described in the following table. However, if you do so, the PATROL Agent cannot perform all of its tasks. The following table shows the PATROL for Microsoft Windows Servers tasks that the Agent cannot perform when the following restrictions are placed on the PATROL Agent default account:
Removing rights and admin group membership from the PATROL Agent
KM | Effect | Workaround and notes |
---|---|---|
PATROL KM for Microsoft Cluster Server | The cluster KM does not function. No authentication to the cluster can be performed. | To be fully functional, the agent outside of the cluster can be in the admin group and contain all of its rights, while the agents within the cluster are removed from the administrators group and do not have the seven advanced user rights. The monitoring user account does not have the Logon As Batch Job user right. |
Although you can use an existing Windows user account, BMC recommends that you create a separate Windows user account for PATROL.
Warning
Do not use a built-in Windows domain or local Administrator account as the PATROL default account. Such account usage causes files created by PATROL to be owned by the Administrator, which could result in security or file access issues.
The PATROL KM for Microsoft Cluster Server can be configured to use an external cluster-level agent or an internal cluster-level agent (CLA). The account the KM uses to connect to and manage a cluster depends upon which configuration you use. Regardless of which configuration you use, however, the configuration must have the following characteristics:
An external CLA configuration requires a user-defined cluster account separate from the PATROL default account. This account must have cluster administrative privileges. The PATROL MCS Monitor Service (McsService.exe) also runs under this account.
An internal CLA configuration can use either a separate user-defined cluster account (a domain account with cluster administrative privileges) or, when certain requirements are met, it can use the PATROL default account.
When installed, if the PATROL KM for Microsoft Cluster Server does not discover a separate cluster account, it checks the PATROL agent default account for the following required characteristics:
If these requirements are in place, the Cluster KM uses the PATROL agent default account to access the cluster and to communicate with the agents running on all other nodes in the cluster, and the PATROL MCS Service runs under this account.
This account information is not replicated to other nodes. If you want the Cluster KM to use the PATROL agent default account to monitor the cluster, these requirements must therefore be met by the PATROL agent default account on every node in the cluster.
To discover the PATROL KM for Microsoft Cluster Server, both the cluster account and the PATROL default account require the Logon as a batch job privilege.
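The advanced user rights table and the batch-job requirement above can be checked on a given computer with the following added example, which is not BMC code. It exports the local user-rights policy with `secedit` and reports which of the rights named on this page are assigned directly to the account. The account name `patrol` is an assumption, and the two table rows whose right names are missing on this page are left out.

```powershell
# Added example: report which advanced user rights are assigned directly
# to the PATROL Agent default account. Run from an elevated prompt.
param(
    # Hypothetical account name (assumption); use your own PATROL account.
    [string]$Account = "$env:COMPUTERNAME\patrol"
)

# Rights named on this page, mapped to their Windows privilege constants.
$rights = [ordered]@{
    'Act as part of operating system' = 'SeTcbPrivilege'
    'Debug programs'                  = 'SeDebugPrivilege'
    'Increase quotas'                 = 'SeIncreaseQuotaPrivilege'
    'Log on as a service'             = 'SeServiceLogonRight'
    'Profile system performance'      = 'SeSystemProfilePrivilege'
    'Replace a process level token'   = 'SeAssignPrimaryTokenPrivilege'
    'Log on as a batch job'           = 'SeBatchLogonRight'
}

# secedit lists most holders as *<SID>, so resolve the account to its SID.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$shortName = ($Account -split '\\')[-1]

# Export only the user-rights area of the local security policy.
$inf = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = @{}
try {
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            $policy[$Matches[1]] = @($holders)
        }
    }
} finally {
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
}

# Direct assignments only: rights that reach the account through a group
# (for example, Administrators) show as False here.
foreach ($name in $rights.Keys) {
    $holders = @($policy[$rights[$name]])
    [pscustomobject]@{
        UserRight = $name
        Constant  = $rights[$name]
        Assigned  = ($holders -contains $sid) -or ($holders -contains $shortName)
    }
}
```

`SeTcbPrivilege`, `SeDebugPrivilege` and `SeAssignPrimaryTokenPrivilege` give their holder system-level control of the computer, so the accounts that hold them are worth tracking in configuration baselines and change monitoring.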
BMC recommends that you create a separate account, in addition to the PATROL default account, for PATROL console operators who do not need administrative privileges. Operators can use this account to connect the console to the agent. If you want to configure KMs from the console, however, the console connection account might need administrative rights. For more information, see Requirements for configuring from the PATROL Console.