By default on nodes with a Windows operating system, the HTTPS agent runs under the built-in Local System account. However, you can configure the HTTPS agent to run under a different user account. For example, you may want the agent to run under an account with fewer permissions than the Local System account. Alternatively, you may want the agent to run under an account that has permission to access remote systems over the network.
You must test whether the user account has appropriate rights to run the agent and manage the node correctly. You assign these user rights in the local Windows security settings on the node, or in a group policy object in Active Directory. The user rights that you assign depend on your requirements. The user account may, for example, need the following user rights:
Manage auditing and security log
This allows the agent to shut down the system (for example, when a user starts the shutdown tool in the console).
This allows the agent to collect information about processes, and to kill processes (for example, when a user starts the list processes or kill process tool in the console).
Replace a process-level token.
Permissions for registry entries:
HKEY_LOCAL_MACHINE/Software/Hewlett-Packard/OpenView
The user must have full control for this registry key and all child objects.
HKEY_LOCAL_MACHINE/Software/Microsoft/WindowsNT/CurrentVersion/Perflib
The user must have permission to read this registry key for the agent to access performance data.
The following procedure assigns the above user rights to a user group that you specify. You may need to assign additional rights for the management tasks that you need to perform. For example:
If you want to be able to start a program using an automatic command, operator-initiated command, tool, or scheduled task, the agent user must have permission to start that program.
Additionally, you must set the parameter OPC_PROC_ALWAYS_INTERACTIVE=NEVER in the eaagt namespace. You can configure this parameter in the HTTPS agent installation defaults or using ovconfchg or ovconfpar at a command prompt. This setting applies to logfile encapsulator pre-processing and scripts that the monitor agent invokes.
Optional. Create a new user for the agent to run under.
Optional. Create a new group, and add the user as a member of this group.
On the node, open a command prompt, and type the following command:
cscript "%OvInstallDir%\bin\ovswitchuser.vbs" -existinguser <DOMAIN\USER> -existinggroup <GROUP> -passwd <PASSWORD>
NOTE: The command assigns the user rights required for basic agent functionality at group level, not to the individual user. Therefore, take care when you select the group to use. It is advisable to create a new group specifically for the agent user, and add the agent user as a member.
Type the following commands:
ovc -kill
ovc -start
The control service and agent processes now run as the user that you specified.
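One way to test the result of the procedure above, as an added example that is not part of the product documentation: this PowerShell script reports whether the group passed to -existinggroup holds the user rights this page names, and lists the group's members, because the rights are granted at group level. It assumes an elevated PowerShell 5.1 or later session on the node, a local group (the name OVAgentGroup is hypothetical), and that the shutdown right described above corresponds to SeShutdownPrivilege.

```powershell
param(
    # Group given to -existinggroup; 'OVAgentGroup' is a hypothetical local group name.
    [string] $Group = 'OVAgentGroup'
)

# Privilege constants for the user rights this page names.
$rights = [ordered]@{
    SeSecurityPrivilege           = 'Manage auditing and security log'
    SeAssignPrimaryTokenPrivilege = 'Replace a process-level token'
    SeShutdownPrivilege           = 'Shut down the system (assumed mapping for the shutdown right)'
}

function Resolve-Sid([string] $Account) {
    # secedit writes '*S-1-...' for SIDs and a bare name for some local accounts.
    if ($Account.StartsWith('*')) { return $Account.Substring(1) }
    try {
        ([System.Security.Principal.NTAccount] $Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Account }   # unresolvable name: keep it so it still appears in the report
}

$groupSid = Resolve-Sid $Group

# Export the node's user-rights assignment to a temporary .inf file and read it back.
$inf = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
$policy = Get-Content $inf
Remove-Item $inf

foreach ($name in $rights.Keys) {
    # A right that nobody holds has no line in the export.
    $line    = $policy | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object { Resolve-Sid $_.Trim() })
    }
    [pscustomobject]@{
        Right      = $rights[$name]
        Constant   = $name
        GroupHasIt = $holders -contains $groupSid
        Holders    = $holders -join ', '
    }
}

# Every member of the group inherits the rights above, so review who is in it.
Get-LocalGroupMember -Group $Group | Select-Object Name, ObjectClass, PrincipalSource
```

A row with GroupHasIt set to False means the right is missing for the agent group. Any member listed other than the agent user also holds the rights shown.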