IBM Support

Corrections and extensions to Windows OS Agent Installation and Configuration Guide Version 6.3 Fix Pack 2

Preventive Service Planning


Abstract

This technote is intended to collect all the changes to the last published version of the Windows OS Agent Installation and Configuration Guide until its next refresh. The last version of the Windows OS Agent Installation and Configuration Guide is Version 6.3 Fix Pack 2 and it is available at:
https://www-01.ibm.com/support/knowledgecenter/SSTFXA_6.3.0.2/com.ibm.itm.doc_6.3fp2/winosagent632_installconfig.pdf?lang=en

Content

1) In Chapter 2. Agent installation and configuration, at pages 9-11 there is the procedure to run the agent as a non-Administrator user.
To grant user the authority to manage system services in Windows there are 3 available alternatives: using Group Policy, Security Templates or Subinacl.exe.
The use of subinacl.exe is not explained but it is the most simple and effective.

SubInACL is a Microsoft tool available at: http://www.microsoft.com/en-us/download/details.aspx?id=23510

After having installed it, open a command-line window and type the following commands:


subinacl /service KNTCMA_Primary /grant=<user>
subinacl /service KNTCMA_Watchdog /grant=<user>
subinacl /service KNTCMA_FCProvider /grant=<user>

where <user> is the user name used for running the Windows OS Agent as non-administrator.

2) In Chapter 2. Agent installation and configuration, at page 9-11 there is the procedure to run the agent as a non-Administrator user. On Windows Server 2012 and Windows 10 it is necessary to perform another step to grant user the authority to manage system services in Windows: Add the Log on as a service right to an account.

The procedure, found on the Microsoft web site, is the following:


1. Open Local Security Policy (in Administrative Tools).
2. In the console tree, double-click Local Policies, and then click User Rights Assignments.
3. In the details pane, double-click Log on as a service.
4. Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Log on as a service right.

3) In Chapter 2. Agent installation and configuration, at pages 9-11 there is the procedure to run the agent as a non-Administrator user.
It describes some steps to allow running Windows OS Agent as non-administrator.
An additional step is required to enable the agent collecting data from the Security event log.
Unlike the other default Event logs (Applications, System, etc.), Security event log does not have "Authenticated Users" group granted with READ permission.
This prevents the agent from collecting data from Security event log.
If you are interested in collecting and monitoring events from Security event log, you need to perform the following steps:

1) Open Registry Editor (regedit)
2) Navigate to the folder: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EventLog\Security
3) Right click and select Permission
4) Add the User Account used to start Windows OS Agent to the list of permitted users and grant READ access

An alternative method consists in granting READ access to the group "Event Log Readers" instead of the single user account, and then add the user account into the "Event Log Readers" group.

[{"Product":{"code":"SSTFXA","label":"Tivoli Monitoring"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"ITM Agent Windows V6","Platform":[{"code":"PF033","label":"Windows"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
17 June 2018

UID

swg21970041