Running as a non-Administrator user
You can run the Monitoring Agent for Windows OS as a non-Administrator user, however some functionality is unavailable.
When running as a non-Administrator user, you lose functionality in the following attribute groups if they are owned solely by the Administrator account:
- Registry
- File Trend
- File Change
Remote deployment of other agents is not available because administrator rights are required to install the new agents.
For Agent Management Services, the watchdog cannot stop or start any agent that it does not have privileges to stop or start.
To create a non-Administrator user, create a new Limited (non-Administrator) user and set up registry permissions as follows for the new user:
- full access to HKEY_LOCAL_MACHINE\SOFTWARE\Candle
- read access to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
The user that starts the Monitoring Agent for Windows OS – Primary service must have rights to manage the Monitoring Agent for Windows OS - Watchdog service. The user that starts the Monitoring Agent for Windows OS - Watchdog service must also have rights to manage any services that are managed by the Agent Management Services, including the Monitoring Agent for Windows OS – Primary service. Use Group Policy, Security Templates or Subinacl.exe to grant users the authority to manage system services in Windows. For detailed information, see the following Microsoft documentation athttp://support.microsoft.com/kb/325349.
The following example uses the security templates:
- Click Start ->Run, enter mmc in the Open box, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- Click Add -> Security Configuration and Analysis, and then click Add again.
- Click Close and then click OK.
- In the console tree, right-click Security Configuration and Analysis, and then click Open Database.
- Specify a name and location for the database, and then click Open.
- In the Import Template dialog box that is displayed, click the security template that you want to import, and then click Open.
- In the console tree, right-click Security Configuration and Analysis, and then click Analyze Computer Now.
- In the Perform Analysis dialog box that is displayed, accept the default path for the log file that is displayed in the Error log file path box or specify the location that you want, and then click OK.
- After the analysis is complete, configure the service permissions
as follows:
- In the console tree, click System Services.
- In the right pane, double-click the Monitoring Agent for Windows OS - Primary service.
- Select the Define this policy in the database check box, and then click Edit Security.
- To configure permissions for a new user or group, click Add.
- In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for, and then click OK. In the Permissions for User or Group list, select the Allow check box next to the Start button, stop and pause permission is selected by default. This setting permits the user or group to start, stop, and pause the service.
- Click OK two times.
- Repeat step 10 selecting the Monitoring Agent for Windows OS - Watchdog service.
- To apply the new security settings to the local computer, right-click Security Configuration and Analysis, and then click Configure Computer Now.
Use the Windows Services console to set the OS Agent and watchdog services to log on using the non Administrator user.
- Click Start -> Run, enter services.msc in the Open box, and then click OK.
- Select Monitoring Agent for Windows OS - Primary.
- Right-click Properties.
- Verify the startup type as being Automatic.
- Select the Log On tab, and then select Log on as "This account" and supply the ID and password. Click OK.
- Select Monitoring Agent for Windows OS - Watchdog.
- Right-click Properties.
- Verify the startup type as being Manual.
- Select the Log On tab, and then select Log on as "This account" and supply the ID and password. Click OK.