Change the default user of DCE agents on Windows nodes

By default on managed nodes with a Windows operating system, the DCE agent runs under the Local System account. However, you can configure the DCE agent installation defaults so that the agent runs under a different user account. For example, you may want the agent to run under an account with fewer permissions to the Local System account. Alternatively, you may want the agent to run under a domain account that gives the agent permission to access remote systems.

You must test whether the user account has appropriate rights to run the agent and manage the node correctly. You assign these user rights in the local Windows security settings on the node, or a group policy object in Active Directory. The user rights that you assign depend on your requirements. You may, for example, consider assigning the following user rights:

• Access this computer from the network.

  Required for installation.

• Act as part of the operating system.

  Required to run actions as a user other than the agent user.

• Log on as a service.

  Required to run the agent as a service.

• Adjust memory quotas for a process (also called Increase quotas in some versions of Windows)

  Required for a full switch user with password to get network access when executing tools.

• Manage auditing and security log.

  Required during the execution of actions.

• Replace a process-level token.

  Required for the user switch in the action agent.

• Shut down the system.

  Required to shutdown the managed node.

• Additional rights for the management tasks that you need to perform. For example:
  • If you want be able to monitor a log file using a policy, the agent user must have permission to read that log file.
  • If you want to be able to start a program using an automatic command, the agent user must have permission to start that program.

NOTE:
This procedure changes only the installation defaults in the DCE agent package on the management server. To apply changes to nodes where the DCE agent is already installed, you must redeploy the agent. The redeployed agent runs under the new user account. Remove the old agent user account manually if you no longer need it.

To change the default user of DCE agents

1. Log in to the management server with an account that is a member of the HPOM administrators group. Open a command prompt.
2. Type cd "%OvInstallDir%\bin\OpC\install" and then press Enter.
3. To encrypt the DCE agent user's password type opcpwcrpt <password> and then press Enter. Copy the output.
4. Type SetMgmtServer /user <user> /password <encrypted password> and then press Enter.

   • Replace <user> with the name of the user, for example AgentUser. The name must not contain spaces.

     You can specify the name of a existing domain user, but do not specify the domain (for example, do not specify DOMAIN\account or account@domain). The domain user must belong to the same domain as the node, and no local user with the same name must exist on the node.

     If you specify a user that does not exist, the agent installation creates a local user with the specified name on each node. The new user is a member of the local Administrators group.

   • Replace <encrypted password> with the output from opcpwcrpt, which you copied.

     Caution:
     If the specified account already exists on a node, but the default password in the agent package does not match, the agent installation removes the existing account and recreates it with the same name but a different internal user ID.

Related Topics:

• Configure DCE agent installation defaults
• Change the user of an HTTPS agent on a Windows node