Running as a non-administrator user

You can run the monitoring agent for Microsoft SQL Server as a non-administrator user.

About this task

The Microsoft SQL Server agent can be run as a non-administrator user from the Domain Users group.

Procedure

  1. Start the Windows application Active Directory Users and Computers and create a domain user.

    • Make sure that the new user is a member of the Domain Users group.
    • Make sure that the SQL Server is a member of Domain Computers.
  2. Add the newly created domain user to the SQL Server Login user group. The domain user should have sysadmin SQL Server role permission on the SQL Server. For more information, see the Creating a user and granting permissions topic in the IBM Cloud Application Performance Management Documentation.

  3. Log on to the SQL Server as the domain administrator.

  4. Grant Modify permission to every drive that the Microsoft SQL Server agent accesses. Complete the following procedure to propagate the permission to all subdirectories:

    a. Go to My Computer.

    b. Right-click the drive.

    c. Click the Security tab.

    d. Add the newly created user.

    e. Give Modify permission to the newly created user.

    f. Click OK. This procedure takes a few minutes to apply the permission to all subdirectories.

  5. By using the Windows Registry, grant read access to HKEY_LOCAL_MACHINE, and propagate the settings. Complete the following steps to propagate the settings:

    a. Right-click the HKEY_LOCAL_MACHINE directory and select Permissions.

    b. Add the newly created user.

    c. Select the newly created user.

    d. Select the Allow Read check box.

    e. Click OK. This procedure takes a few minutes to propagate the settings to the entire HKEY_LOCAL_MACHINE tree.

  6. By using the Windows Registry, grant the agent-specific registry permissions according to the following list.

    • If you installed a 32-bit agent on a 32-bit operating system, grant full access to the HKEY_LOCAL_MACHINE\SOFTWARE\IBMMonitoring directory, and then propagate the settings.
    • If you installed a 32-bit agent on a 64-bit operating system, grant full access to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Candle directory, and then propagate the settings.
    • If you installed a 64-bit agent on a 64-bit operating system, grant full access to the HKEY_LOCAL_MACHINE\SOFTWARE\IBMMonitoring directory, and then propagate the settings.

    Complete the following steps to propagate settings:

    a. Right-click the directory for which you have full access and select Permissions.

    b. Add the newly created user.

    c. Select the newly created user.

    d. Select the Allow Full Control check box.

    e. Click OK. This procedure takes a few minutes to propagate the settings to the entire HKEY_LOCAL_MACHINE\SOFTWARE\IBMMonitoring tree.

  7. Add a new Domain User to the Performance Monitor Users group.

  8. Verify that Domain Users are members of the Users group.
  9. Grant the following permissions to the Windows directory to run as a non-administrator user:

    • If a 32-bit agent is installed on a 32-bit operating system, grant read and write access to the OS_installation_drive:\Windows\system32 directory.
    • If a 32-bit agent is installed on a 64-bit operating system, grant read and write access to the OS_installation_drive:\Windows\SysWOW64 directory.

    Note: Permissions for the Windows directory are not necessary for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.

  10. Grant Modify permission to the SQL Server data file and log file:

    • The default path of the SQL Server data file is SQLServer_root_dir\DATA, where SQLServer_root_dir is the root directory of the SQL Server instance. For example, if the root directory of the SQL Server instance is C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL, the data file path is C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA.
    • The default path of the SQL Server log file is SQLServer_root_dir\LOG, where SQLServer_root_dir is the root directory of the SQL Server instance. For example, if the root directory of the SQL Server instance is C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL, the log file path is C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG.
  11. Grant full permissions to the Candle_Home directory. The default path is C:\IBM\ITM.

  12. Apply local security permissions by referring to Local Security Policy permissions.
  13. Restart the SQL Server to ensure that local security permissions are applied effectively.
  14. Change the logon settings for the SQL Server agent services to the non-administrator user by completing the following steps:

    a. Click Start > Administrative Tools > Services.

    b. Right-click the Monitoring Agent For SQL Server instance_name, and click Properties. The SQL Service Properties window opens.

    c. Click the Log On tab.

    d. Click This account and type the user name.

    e. In the Password and Confirm Password fields, enter the password, and click OK.

    f. Repeat steps b to e for the Monitoring Agent For SQL Server Collector instance_name, where instance_name is the Microsoft SQL Server instance name.

  Local Security Policy permissions
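
The following read-only PowerShell audit is an added example, not part of the IBM procedure. It reports whether the grants from steps 5, 6, 7, 10, 11 and 14 are in place for the service account, which also gives a record of the broad permissions the account holds. The account name `EXAMPLE\svc-sqlmon` is a placeholder, and the paths are the default examples quoted in the procedure; adjust both for the real instance.

```powershell
# Added example: read-only audit of the grants made by the procedure. Nothing is changed.
# Assumptions: $Account is a placeholder; paths are the page's default examples.
param(
    [string]$Account    = 'EXAMPLE\svc-sqlmon',   # placeholder domain user
    [string]$CandleHome = 'C:\IBM\ITM',
    [string]$SqlRoot    = 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL',
    # Use 'HKLM:\SOFTWARE\Wow6432Node\Candle' for a 32-bit agent on a 64-bit OS.
    [string]$AgentKey   = 'HKLM:\SOFTWARE\IBMMonitoring'
)

# Reports whether an Allow ACE (explicit or inherited) that names $Account covers $Right.
# Access obtained only through group membership is not detected here.
function Test-Grant {
    param([string]$Path, [string]$Right)
    if (-not (Test-Path -LiteralPath $Path)) { return 'path not found' }
    $isRegistry = $Path -like 'HKLM:*'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $held = if ($isRegistry) { $ace.RegistryRights } else { $ace.FileSystemRights }
        $want = [enum]::Parse($held.GetType(), $Right)
        if (([int]$held -band [int]$want) -eq [int]$want) { return 'granted' }
    }
    return 'MISSING'
}

$checks = @(
    @{ Step = '5';  Path = 'HKLM:\SOFTWARE';  Right = 'ReadKey' }
    @{ Step = '6';  Path = $AgentKey;         Right = 'FullControl' }
    @{ Step = '10'; Path = "$SqlRoot\DATA";   Right = 'Modify' }
    @{ Step = '10'; Path = "$SqlRoot\LOG";    Right = 'Modify' }
    @{ Step = '11'; Path = $CandleHome;       Right = 'FullControl' }
)
$checks | ForEach-Object {
    [pscustomobject]@{
        Step   = $_.Step
        Target = $_.Path
        Wanted = $_.Right
        Result = Test-Grant $_.Path $_.Right
    }
} | Format-Table -AutoSize

# Step 7: membership of the local Performance Monitor Users group.
$members = (Get-LocalGroupMember -Group 'Performance Monitor Users').Name
"Step 7  member of Performance Monitor Users: $($members -contains $Account)"

# Step 14: logon account of the agent and collector services.
Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Monitoring Agent For SQL Server%'" |
    Select-Object DisplayName, StartName, State
```

`Get-LocalGroupMember` requires Windows PowerShell 5.1 or later. ACEs stored as generic rights are reported as MISSING, so confirm those entries in the Security tab.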