
Script based ITPAM operators fail to run as different users from the one running ITPAM Agent process (Local System account by default). They return: ExitCode = -1, Reason: cannot create a process as user <username>

Article ID: 50501

Products

CA Workload Automation AE - Business Agents (AutoSys) CA Workload Automation AE - Scheduler (AutoSys) Workload Automation Agent CA Process Automation Base

Issue/Introduction

Script-based ITPAM Operators (Windows Management etc.) fail to run as a different user from the one running the ITPAM Agent process (Local System account by default). They return something like:

ExitCode = -1, Reason: cannot create a process as user <username> - Access is denied.

Environment

Release:
Component: ITPAM

Resolution

1. The user account that runs the ITPAM Agent service should be granted the following Local Security Policy user rights:

  • Act as part of the operating system (SeTcbPrivilege)
  • Create a token object (SeCreateTokenPrivilege)
  • Log on as a service (SeServiceLogonRight)
  • Log on as a batch job (SeBatchLogonRight)
  • Replace a process level token (SeAssignPrimaryTokenPrivilege)

2. Make sure that the user account used to run script-based operators has enough privileges to run these scripts. The easiest way to test is to log in to the target server (Windows 2008) via an RDP session and attempt to run the script from a DOS command prompt. Another very important step: while logged in via RDP, navigate to the folder that is set as a new property in the Agent service configuration:

wrapper.java.additional.9=-Djava.io.tmpdir=C:\Windows\Temp

You will likely see a security warning; click "Yes", navigate to C:\Windows\Temp, and make sure you can create a test file or folder there. At that point you can log off from the RDP session and run script-based operators providing the credentials of that user account.
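The following PowerShell script is an added example for checking the two conditions above from the Agent host; it is not part of the CA article or the ITPAM product. It exports the local user-rights assignments with secedit, reports which of the five listed rights are granted directly to the account, and probes the java.io.tmpdir folder for write access. The account name itpamsvc is a placeholder, the script must run elevated, and the write probe reflects whichever user runs it, so run it in a session logged on as the account you are testing.

```powershell
# Added check (not from the CA article): verify the five user rights for a
# service account and confirm the Java temp directory is writable.
param(
    [string]$Account = "$env:COMPUTERNAME\itpamsvc",   # hypothetical service account
    [string]$TempDir = 'C:\Windows\Temp'               # value of -Djava.io.tmpdir
)

$RequiredRights = @(
    'SeTcbPrivilege',                # Act as part of the operating system
    'SeCreateTokenPrivilege',        # Create a token object
    'SeServiceLogonRight',           # Log on as a service
    'SeBatchLogonRight',             # Log on as a batch job
    'SeAssignPrimaryTokenPrivilege'  # Replace a process level token
)

# Resolve the account to its SID; secedit lists grantees as *SID or as names.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the local user-rights assignments ([Privilege Rights] section).
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf

foreach ($right in $RequiredRights) {
    $entry = $lines | Where-Object { $_ -match "^$right\s*=" }
    $grantees = @()
    if ($entry) {
        $grantees = ($entry -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
    }
    # Only direct grants are detected; a right inherited via group membership
    # will show as MISSING here even though the logon would succeed.
    $granted = ($grantees -contains "*$sid") -or ($grantees -contains $Account)
    '{0,-32} {1}' -f $right, $(if ($granted) { 'granted' } else { 'MISSING' })
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Confirm the temp directory can be written to (the RDP step in the article).
$probe = Join-Path $TempDir ("itpam-probe-{0}.txt" -f [guid]::NewGuid())
try {
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Remove-Item $probe -ErrorAction Stop
    "$TempDir is writable"
} catch {
    "$TempDir is NOT writable: $($_.Exception.Message)"
}
```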

Additional Information

In order to test the script from the DOS command prompt you should be logged in as the same user that runs the ITPAM Agent. If this is not possible, you can simulate it with the "runas" command, or you can use the SysInternals psexec command to "impersonate" the user ID under which ITPAM needs to run the PowerShell script. For more information about "runas", open a command prompt window and execute "runas /?".