Agent installation and default treatment of the Windows Administrators group


When you install an RSCD agent on a Windows server, the installation program adds the Administrators group to the local policy called "Manage auditing and security log." This action is necessary to enable deployment capability to Windows servers. For more information, refer to http://support.microsoft.com/kb/888791.

The "Manage auditing and security log" policy is available on the Windows Control Panel at Administrative Tools/Local Security Policy/Security Settings/Local Policies/User Rights Assignment/Manage auditing and security log.

Security concerns

For security reasons, some organizations do not want to add the Administrators group to the "Manage auditing and security log" policy. The following procedure addresses those concerns by describing how to remove Administrators from the local policy. However, if you perform this procedure, you must perform additional steps to enable patching and other deployment capabilities. For more information, see "Enabling deployment on Windows servers."

You must perform this procedure on each Windows server where you want to modify the local policy.

To remove the Administrators group from the local policy

  1. On a Windows server, create the following binary registry key and set its value to 0:

       HKEY_LOCAL_MACHINE\SOFTWARE\BladeLogic\RSCD Agent\GrantMASL

  2. Remove the Administrators group from the "Manage auditing and security log" policy.
  3. To enable deployment capabilities, including patch deployment, on the server, perform the procedure described in "Enabling deployment on Windows servers."
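
The following PowerShell sketch is an added example, not part of the original procedure or of the product. It performs step 1 and then reports whether step 2 is complete on the local server by exporting the user rights with secedit and reading SeSecurityPrivilege, the internal name of the "Manage auditing and security log" right. It assumes that GrantMASL is stored as a REG_BINARY value holding a single zero byte under the RSCD Agent key, and that it runs from an elevated prompt.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell prompt.
# Assumption: GrantMASL is a REG_BINARY value under the "RSCD Agent" key
# and "set its value to 0" means a single 0x00 byte.
$keyPath   = 'HKLM:\SOFTWARE\BladeLogic\RSCD Agent'
$adminsSid = '*S-1-5-32-544'   # well-known SID of BUILTIN\Administrators, as secedit writes it

# Step 1: create GrantMASL and set it to 0.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name 'GrantMASL' -PropertyType Binary `
    -Value ([byte[]]@(0)) -Force | Out-Null

# Step 2 check: export the user rights assignments and find who holds
# SeSecurityPrivilege ("Manage auditing and security log").
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) {
        throw "secedit export failed with exit code $LASTEXITCODE"
    }
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# A missing line means no account holds the right.
$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })
}

# One record per server, suitable for collecting across a fleet.
[pscustomobject]@{
    Computer                   = $env:COMPUTERNAME
    GrantMASL                  = (Get-ItemProperty -Path $keyPath -Name 'GrantMASL').GrantMASL -join ','
    SeSecurityPrivilegeHolders = $holders -join ', '
    AdministratorsStillGranted = $holders -contains $adminsSid
}
```

If AdministratorsStillGranted is True, step 2 has not been completed on that server, or a domain Group Policy is reapplying the assignment.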

 
