Script based ITPAM operators fail to run as different users from the one running ITPAM Agent process (Local System account by default). They return: ExitCode = -1, Reason: cannot create a process as user <username>
Article ID: 50501
Products
CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
CA Workload Automation Agent
CA Process Automation Base
Issue/Introduction
Description:
Script-based ITPAM operators (Windows Management, etc.) fail to run as a user other than the one running the ITPAM Agent process (the Local System account by default). They return an error such as:
ExitCode = -1, Reason: cannot create a process as user <username> - Access is denied.
Solution:
The user account that runs the ITPAM Agent service should be granted the following rights in Local Security Policy:
Act as part of the operating system (SeTcbPrivilege)
Create a token object (SeCreateTokenPrivilege)
Logon as a Service (SeServiceLogonRight)
Logon as a batch job (SeBatchLogonRight)
Replace process level tokens (SeAssignPrimaryTokenPrivilege)
Make sure that the user account used to run script-based operators has enough privileges to run these scripts. The easiest way to test is to log in to the target server (Win 2008) via an RDP session and attempt to run the script from a DOS command prompt. Also, a very important step: while logged in via RDP, navigate to the folder which is set as a new property for Agent service configuration:
You will likely see a security warning. Click "Yes" and navigate to C:\Windows\temp, then make sure you can create a test file or folder in that folder. At that point you can log off from the RDP session and run script-based operators, providing the credentials of that user account.
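
One way to confirm that the five rights listed above are actually assigned to the Agent service account is to export the user-rights area of the local security policy with `secedit` and look the account up in it. This is an added example, not part of the original article or the product; the account name `EXAMPLE\svc-itpam` is a placeholder.

```powershell
# Added example: audit the user rights listed in this article for one account.
# Run from an elevated PowerShell prompt on the host where the ITPAM Agent runs.
$Account = 'EXAMPLE\svc-itpam'   # placeholder (assumption): the Agent service account

$required = 'SeTcbPrivilege', 'SeCreateTokenPrivilege', 'SeServiceLogonRight',
            'SeBatchLogonRight', 'SeAssignPrimaryTokenPrivilege'

# secedit writes most holders as *S-1-5-..., so resolve the account to its SID.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local security policy to a temp file.
$cfg = Join-Path $env:TEMP ('user_rights_{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = @{}
try {
    foreach ($line in Get-Content -Path $cfg) {
        # Lines look like: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Holders can appear as a SID, DOMAIN\name, or a bare name; accept any of them.
$aliases = $sid, $Account, $Account.Split('\')[-1]

foreach ($name in $required) {
    $holders = @()
    if ($rights.ContainsKey($name)) { $holders = $rights[$name] }
    [pscustomobject]@{
        Right   = $name
        # Direct assignment only: a right inherited through a group shows as False.
        Granted = [bool]($holders | Where-Object { $aliases -contains $_ })
        Holders = $holders -join ', '
    }
}
```

The Holders column lists every account that holds each right. SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege allow the holder to create or assign tokens for other users, so that list should contain only the intended service account and the system defaults.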