Running the Monitoring Agent for Windows OS as a non-root user

You can run the Windows OS agent as a non-root user. However, some functions are unavailable.

When you run the Windows OS agent as a non-root user, some functions are unavailable in the following attribute groups, if they are owned solely by the administrator account:
  • Registry
  • File Trend
  • File Change

Remote deployment of other agents is not available because administrator rights are required to install the new agents.

For Agent Management Services, the watchdog cannot stop or start any agent that it does not have privileges to stop or start.

To create a non-root user, create a new Limited (non-root) user and set up registry permissions for the new user as in the following example:
  • Full access to HKEY_LOCAL_MACHINE\SOFTWARE\Candle
  • Read access to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

The user that starts the Monitoring Agent for Windows OS - Primary service must have rights to manage the Monitoring Agent for Windows OS - Watchdog service. The user that starts the Monitoring Agent for Windows OS - Watchdog service must also have rights to manage any services that are managed by the Agent Management Services, including the Monitoring Agent for Windows OS - Primary service. To grant users the authority to manage system services in Windows, use security templates, group policy, or the Subinacl.exe tool. For more information, see the following Microsoft documentation: http://support.microsoft.com/kb/325349.

The following example shows how to grant users the authority to manage system services by using security templates:
  1. Click Start > Run, enter mmc in the Open box, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. Click Add > Security Configuration and Analysis, and then click Add again.
  4. Click Close and then click OK.
  5. In the console tree, right-click Security Configuration and Analysis, and then click Open Database.
  6. Specify a name and location for the database, and then click Open.
  7. In the Import Template dialog box that is displayed, click the security template that you want to import, and then click Open.
  8. In the console tree, right-click Security Configuration and Analysis, and then click Analyze Computer Now.
  9. In the Perform Analysis dialog box that is displayed, accept the default path for the log file that is displayed in the Error log file path box. Otherwise, specify the location that you want. Click OK.
  10. After the analysis is complete, configure the service permissions as follows:
    1. In the console tree, click System Services.
    2. In the right pane, double-click the Monitoring Agent for Windows OS - Primary service.
    3. Select the Define this policy in the database check box, and then click Edit Security.
    4. To configure permissions for a new user or group, click Add.
    5. In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for, and then click OK. In the Permissions for User or Group list, select the Allow check box (next to Start). Stop and pause permission is selected by default, so that the user or group can start, stop, or pause the service.
    6. Click OK twice.
  11. Repeat step 10 to configure the service permissions for the Monitoring Agent for Windows OS - Watchdog service.
  12. To apply the new security settings to the local computer, right-click Security Configuration and Analysis, and then click Configure Computer Now.

Note: You can also use the Secedit command-line tool to configure and analyze system security. For more information about Secedit, click Start > Run, enter cmd, and then click OK. At the command prompt, type secedit /?, and then press ENTER. When you use this method to apply settings, all the settings in the template are reapplied. This method might override other previously configured file, registry, or service permissions.

The following example shows how to set the Monitoring Agent for Windows OS and Watchdog services to log on as a non-root user by using the Windows Services console:
  1. Click Start > Run, enter services.msc, and then click OK.
  2. Select Monitoring Agent for Windows OS - Primary.
  3. Right-click the service, and then click Properties.
  4. Verify that the startup type is Automatic.
  5. Select the Log On tab, and then select Log on as "This account" and supply the ID and password. Click OK.
  6. Select Monitoring Agent for Windows OS - Watchdog.
  7. Right-click the service, and then click Properties.
  8. Verify that the startup type is Manual.
  9. Select the Log On tab, and then select Log on as "This account" and supply the ID and password. Click OK.
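
A read-only check of the registry permissions and service logon settings described on this page, as an added example that is not part of the product documentation. The account name agentuser and the function name Test-DirectRegistryGrant are assumptions; the registry paths, service names, and startup types are the ones given above.

```powershell
# Added example: read-only audit; it changes nothing on the system.
# ASSUMPTION: placeholder account name; replace it with the limited user you created.
$Account = "$env:COMPUTERNAME\agentuser"

# Registry keys from this page and the rights it asks for.
$RegistryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Candle'; Needed = 'FullControl' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'; Needed = 'ReadKey' }
)
# Service display names and startup types from this page (WMI reports Automatic as 'Auto').
$ServiceChecks = @(
    @{ Name = 'Monitoring Agent for Windows OS - Primary';  StartMode = 'Auto' },
    @{ Name = 'Monitoring Agent for Windows OS - Watchdog'; StartMode = 'Manual' }
)

function Test-DirectRegistryGrant {
    # True when Allow entries that name $Account itself cover $Needed.
    # Rights held only through group membership, and Deny entries, are not evaluated.
    param([string]$Path, [string]$Needed, [string]$Account)
    $sid  = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $need = [int][System.Security.AccessControl.RegistryRights]$Needed
    $have = 0
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -eq $sid -and $ace.AccessControlType -eq 'Allow') {
            $have = $have -bor [int]$ace.RegistryRights
        }
    }
    return (($have -band $need) -eq $need)
}

$results = foreach ($r in $RegistryChecks) {
    [pscustomobject]@{ Check = 'Registry'; Target = $r.Path; Expected = $r.Needed
                       Pass = Test-DirectRegistryGrant -Path $r.Path -Needed $r.Needed -Account $Account }
}
$results += foreach ($s in $ServiceChecks) {
    $svc = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.DisplayName -eq $s.Name }
    if (-not $svc) {
        [pscustomobject]@{ Check = 'Service'; Target = $s.Name; Expected = 'installed'; Pass = $false }
        continue
    }
    # Local accounts are stored as ".\name"; expand the dot so the comparison is like for like.
    $logon = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    [pscustomobject]@{ Check = 'Service'; Target = $s.Name; Expected = "$Account / $($s.StartMode)"
                       Pass = ($logon -eq $Account) -and ($svc.StartMode -eq $s.StartMode) }
}
$results | Format-Table -AutoSize
```

A failed Service row where the logon account is still LocalSystem means the Log On tab change was not saved for that service.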