Description:

Script based ITPAM Operators (Windows Management etc.) fail to run as different Users from the one running ITPAM Agent process (Local System account by default). They return something like:

ExitCode = -1, Reason: cannot create a process as user <username> - Access is denied.

Solution:

1. User account that runs ITPAM Agent service should be granted the following Local Security Policies:
   
   
   • Act as part of the operating system (SeTcbPrivilege)
     
     
   • Create a token object (SeCreateTokenPrivilege)
     
     
   • Logon as a Service (SeServiceLogonRight)
     
     
   • Logon as a batch job (SeBatchLogonRight)
     
     
   • Replace process level tokens (SeAssignPrimaryTokenPrivilege
     
     
2. Make sure that user account for running Script based operators has enough privileges to run these scripts - easiest way to test is to log in to the target server (Win 2008) via RDP session and attempt to run this script from DOS command prompt. Also a very important step: while logged in via RDP, navigate to the folder which is set as a new property for Agent service configuration:
   
   wrapper.java.additional.9=-Djava.io.tmpdir=C:\Windows\Temp
   
   You will likely see a security warning - click "Yes" and navigate to C:\Windows\temp, make sure you can create a test file/folder in that folder. At that point you can log off from RDP session and run Script based operators providing credentials of that user account.