Script based ITPAM operators fail to run as different users from the one running ITPAM Agent process (Local System account by default). They return: ExitCode = -1, Reason: cannot create a process as user <username>

Article ID: 50501

Updated On:

Products

CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
Workload Automation Agent
CA Process Automation Base

Issue/Introduction

Description:

Script-based ITPAM operators (Windows Management, etc.) fail to run as a user other than the one running the ITPAM Agent process (the Local System account by default). They return an error like:

ExitCode = -1, Reason: cannot create a process as user <username> - Access is denied.

Solution:

  1. The user account that runs the ITPAM Agent service should be granted the following Local Security Policy user rights:

    • Act as part of the operating system (SeTcbPrivilege)

    • Create a token object (SeCreateTokenPrivilege)

    • Log on as a service (SeServiceLogonRight)

    • Log on as a batch job (SeBatchLogonRight)

    • Replace a process level token (SeAssignPrimaryTokenPrivilege)

  2. Make sure that the user account used to run script-based operators has enough privileges to run these scripts. The easiest way to test is to log in to the target server (Win 2008) via an RDP session and attempt to run the script from a command prompt. Also a very important step: while logged in via RDP, navigate to the folder that is set as a new property in the Agent service configuration:

    wrapper.java.additional.9=-Djava.io.tmpdir=C:\Windows\Temp

    You will likely see a security warning. Click "Yes", navigate to C:\Windows\Temp, and make sure you can create a test file or folder there. At that point you can log off from the RDP session and run script-based operators with the credentials of that user account.
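
One way to confirm the assignments from step 1 without opening the Local Security Policy console, as an added example that is not part of the original article. The account name `DOMAIN\svc-itpam` and the temporary file name are placeholders chosen for illustration.

```powershell
# Added example (not from the original article): report whether an account is
# directly assigned the five user rights listed in step 1.
# 'DOMAIN\svc-itpam' is a placeholder; pass the account that runs the agent service.
param([string]$Account = 'DOMAIN\svc-itpam')

$required = 'SeTcbPrivilege', 'SeCreateTokenPrivilege', 'SeServiceLogonRight',
            'SeBatchLogonRight', 'SeAssignPrimaryTokenPrivilege'

# secedit writes most principals as *<SID>, and some as plain account names.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$shortName = $Account.Split('\')[-1]

# Export only the user-rights section of the local policy (run elevated).
$cfg = Join-Path $env:TEMP 'itpam_user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Build a map: right name -> list of assigned principals.
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg

# One row per required right, so missing assignments stand out.
foreach ($right in $required) {
    $holders = @($rights[$right])
    $granted = ($holders -contains $sid) -or ($holders -contains $Account) -or
               ($holders -contains $shortName)
    [pscustomobject]@{ Right = $right; Account = $Account; Granted = $granted }
}
```

The script only detects rights assigned directly to the account; a right inherited through group membership shows as `Granted = False` and has to be checked against the group's entry. The same export lists every other principal holding SeTcbPrivilege or SeCreateTokenPrivilege, which is useful when reviewing who else has these rights on the agent host.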

Environment

Release:
Component: ITPAM