Start Windows node security setup


Before HPOM for Windows 8.00, to deploy an agent to nodes with the Windows operating system, you had to add a domain group (called HP-OVE-GROUP by default) to the node's local administrators group. You could do this manually or using the Windows Node Security Setup dialog box. On the management server, the policy management and deployment (PMAD) service ran under an account that was a member of this domain group, and therefore had administrative access to the nodes.

HPOM now enables you to install the HTTPS agent using the credentials that you are currently logged in to Windows with. This is called impersonation, because the PMAD service runs under its own user account (called HP-OVE-Deleg-User by default), but uses your credentials to access the nodes. (This requires that the PMAD user is trusted for delegation in Active Directory, unless your console runs directly on the management server.)

Alternatively, you can now also install the HTTPS agent using the credentials of a user who already has access to the node. For example, you can specify the user name and password of the node's local administrator.

Therefore, it is no longer necessary to add a domain group to the node's local administrators group. Nevertheless, you can still give the PMAD user administrative access to nodes. This may be useful if you need to install DCE agents on Windows nodes, or so that console users who do not otherwise have administrative access can install agents.

HPOM enables you to add the PMAD user to the nodes' local administrators group in the following ways:

Alternatively, if you are installing DCE agents on Windows nodes, HPOM starts the Windows node security setup automatically.

NOTE:
Windows node security setup can add the PMAD user to nodes in the same domain as the user that you are currently logged in to Windows with. For nodes in untrusted domains or workgroups, you must manually create the PMAD user in the nodes' local administrators group. The management server uses pass-through authentication to access these nodes. Therefore, you must ensure that the name and password of the user that you create are identical to those that the PMAD service runs under.
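
Because the domain group is no longer required, it is useful to know which nodes still grant the PMAD account or the old group local administrator rights. The following PowerShell audit is an added example, not part of HPOM; it assumes PowerShell remoting is enabled on the nodes, uses the default account names from this topic, and uses placeholder node names.

```powershell
# Added example (not HPOM code). Default account names are taken from this topic;
# the node names below are placeholders.
$PmadNames = 'HP-OVE-GROUP', 'HP-OVE-Deleg-User'
$Nodes     = 'node01.example.com', 'node02.example.com'   # placeholders

function Get-PmadAdminGrant {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $AccountName
    )
    foreach ($node in $ComputerName) {
        try {
            # S-1-5-32-544 is the built-in Administrators group; using the SID
            # avoids depending on the localized group name.
            $members = Invoke-Command -ComputerName $node -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -SID 'S-1-5-32-544' |
                    Select-Object Name, ObjectClass,
                        @{ Name = 'Source'; Expression = { "$($_.PrincipalSource)" } }
            }
        }
        catch {
            # Unreachable node, access denied, or an unresolvable member entry.
            [pscustomobject]@{ Node = $node; Member = $null; Class = $null
                               Source = $null; Status = "Error: $($_.Exception.Message)" }
            continue
        }

        # Compare only the account part, so DOMAIN\name and NODE\name both match.
        $hits = @($members | Where-Object { ($_.Name -split '\\')[-1] -in $AccountName })
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Node = $node; Member = $null; Class = $null
                               Source = $null; Status = 'No PMAD grant' }
        }
        foreach ($hit in $hits) {
            [pscustomobject]@{ Node = $node; Member = $hit.Name; Class = $hit.ObjectClass
                               Source = $hit.Source; Status = 'PMAD grant present' }
        }
    }
}

Get-PmadAdminGrant -ComputerName $Nodes -AccountName $PmadNames | Format-Table -AutoSize
```

A Source value of Local identifies the manually created pass-through accounts on workgroup or untrusted-domain nodes, whose password must match the PMAD service account. The check covers direct members of the group only, not accounts that gain the right through a nested group.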

To start Windows node security setup for specific nodes

  1. Log in to Windows with an account that has administrative rights on the nodes, and open the console.
  2. In the console tree, click Tools → HP Operations Manager Tools. A list of tools appears in the details pane.
  3. Right-click Windows Node Security Setup and then click All Tasks → Launch Tool.... The Edit Parameters dialog box opens.
  4. Select the check boxes for the nodes and node groups that you want to configure, and then click OK. The Windows Node Security dialog box opens.

To start Windows node security setup automatically for new nodes

  1. In the console tree, right-click Operations Manager, and then click Configure → Server.... The Server Configuration dialog box opens.
  2. Select the Expert Mode check box.

  3. Click Namespaces, and then click Policy Management and Deployment. A list of values appears.

  4. Set the value of Enable the old node security setup dialog for nodes to True. The Windows Node Security Setup dialog box opens automatically when you install an agent remotely on a Windows node.

The Windows Node Security Setup dialog box displays the following information:

If the attempt to add the user fails for any node, click the node, and then click Details. An error message appears, which explains the cause of the failure and suggests actions to correct the problem. Examples of the problems that can occur are as follows:
