Resolving user ID account on Windows operating systems

IBM Workload Scheduler needs to resolve the user ID account on Windows® operating systems to verify the security information.

Windows users can be classified as domain users or local users. Domain users are defined in the domain controller, while local users are defined in the workstations of the network.

For a domain user, IBM Workload Scheduler asks the primary domain controller (or any domain controller for Windows 2000 or 2003 Active Directory) to identify an available domain controller. It then uses the identity of this domain controller to fill in the structure for the user.

For a local user, IBM Workload Scheduler makes a request to the local workstation. Generally, IBM Workload Scheduler specifies two cases: one for the IBM Workload Scheduler user and one for the streamlogon user.

The following is a list of steps that IBM Workload Scheduler performs to authenticate Windows users, and the APIs involved:
  1. IBM Workload Scheduler looks up the user in the reference domain. For the domain user, the reference domain is the name of the Windows network. For the local user, it is the name of the local workstation.

    API: LookupAccountName.

  2. If the user is a domain user, IBM Workload Scheduler asks the primary domain controller for any domain controller that is available to resolve the account for the user in the reference domain.

    API: NetGetAnyDCName for Windows or DsGetDcName for Windows 2000 or 2003.

  3. IBM Workload Scheduler requests the domain controller (or the local workstation if the user is local) for information about the user.

    API: NetUserGetInfo.

    Note: On Windows 2000 and 2003, the permissions for this API are contained in the BUILTIN\"Pre-Windows 2000 compatible access" group.
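
The three steps above as a troubleshooting script, added here as an example and not IBM Workload Scheduler's own code. It uses DsGetDcName for step 2, accepts account names of the form user or DOMAIN\user, and makes its API calls only on Windows; the function names and the injectable step parameters of resolve are assumptions made for illustration.

```python
import ctypes
import os
import sys

def is_local(ref_domain, workstation):
    # A local user's reference domain is the workstation's own name.
    return ref_domain.casefold() == workstation.casefold()

def lookup_account(account):
    # Step 1: LookupAccountName reports the account's reference domain.
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    sid, sid_len = ctypes.create_string_buffer(256), ctypes.c_ulong(256)
    dom, dom_len = ctypes.create_unicode_buffer(256), ctypes.c_ulong(256)
    use = ctypes.c_int()
    if not advapi32.LookupAccountNameW(
            None, account, sid, ctypes.byref(sid_len),
            dom, ctypes.byref(dom_len), ctypes.byref(use)):
        raise ctypes.WinError(ctypes.get_last_error())
    return dom.value

def find_dc(domain):
    # Step 2: DsGetDcName locates an available domain controller.
    netapi32 = ctypes.WinDLL("netapi32")
    info = ctypes.c_void_p()
    rc = netapi32.DsGetDcNameW(None, domain, None, None, 0, ctypes.byref(info))
    if rc:
        raise ctypes.WinError(rc)
    # DomainControllerName is the first member of DOMAIN_CONTROLLER_INFOW.
    dc_name = ctypes.cast(info, ctypes.POINTER(ctypes.c_wchar_p))[0]
    netapi32.NetApiBufferFree(info)
    return dc_name

def user_info_status(server, user):
    # Step 3: NetUserGetInfo at level 0; server=None queries the local workstation.
    netapi32 = ctypes.WinDLL("netapi32")
    buf = ctypes.c_void_p()
    rc = netapi32.NetUserGetInfo(server, user, 0, ctypes.byref(buf))
    if buf:
        netapi32.NetApiBufferFree(buf)
    return rc  # 0 = success, 5 = access denied, 2221 = user not found

def resolve(account, workstation, lookup=lookup_account, find=find_dc,
            info=user_info_status):
    # Run the three steps in order; the step functions are injectable for testing.
    ref_domain = lookup(account)
    server = None if is_local(ref_domain, workstation) else find(ref_domain)
    return ref_domain, server, info(server, account.rsplit("\\", 1)[-1])

if __name__ == "__main__" and sys.platform == "win32":
    print(resolve(sys.argv[1], os.environ["COMPUTERNAME"]))
```

A status of 5 from step 3 for a domain user means the calling account lacks read access to the user object, which is where the group membership in the note above matters.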