
PAM service run as domain account, can't run script as other account

Question asked by pier-olivier.tremblay Champion on Feb 16, 2018
Latest reply on Feb 20, 2018 by pier-olivier.tremblay

Okay so let's clarify my title.

 

I have PAM in my sandbox environment.

 

The CA Process Automation service runs as a domain account (zPAM_SB, not to name it), which is part of the server's admin group.

 

I can login on the server with this account. I can run a script on the server with this account.

 

I have a simple .bat file containing:

@echo off
echo %USERNAME% > D:/temp/out.txt

 

I have a simple process with a Run Program operator that runs this .bat file.

 

 

When PAM runs as a domain account:

If I try to run this .bat as someone else (my personal credentials, actually), it crashes and says: cannot create process as user xxxxxxx - A required privilege is not held by the client.

 

If I do not specify a user ID and a password in the Run Program operator, the .bat file writes into out.txt as expected, but it writes SYSTEM. Why the ****? The PAM service runs as zPAM_SB.

 

Even the wrapper and the two Java processes run as zPAM_SB.

 

 

When PAM runs as the Local System account:

If I try to run this .bat as someone else (my personal credentials), it runs fine and it writes my USERNAME correctly in out.txt.

 

 

 

 

Can someone explain this to me?
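Added check, not part of the original thread or of CA Process Automation: the error text quoted above ("A required privilege is not held by the client") is Windows error 1314, ERROR_PRIVILEGE_NOT_HELD, and it is what CreateProcessAsUser returns when the calling account lacks SeAssignPrimaryTokenPrivilege ("Replace a process level token") and SeIncreaseQuotaPrivilege ("Adjust memory quotas for a process"). LocalSystem holds both by default; a domain account does not, even when it is a member of the local Administrators group. The PowerShell below exports the server's user-rights assignments with secedit and reports whether a given service account is granted those two privileges. The account name DOMAIN\zPAM_SB and the function name are assumptions for the example.

```powershell
# Added example, not from the original post or from the product. Run from an
# elevated PowerShell prompt on the server that hosts the PAM service.
function Test-ProcessAsUserPrivileges {
    param(
        # Assumed account name for the example; replace with the real service account.
        [string]$Account = 'DOMAIN\zPAM_SB'
    )

    # CreateProcessAsUser fails with ERROR_PRIVILEGE_NOT_HELD (1314) when the
    # caller's token lacks these. LocalSystem has both; domain accounts do not by default.
    $required = @{
        'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
        'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    }

    # Export only the user-rights area of the effective local security policy.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $policy = Get-Content -Path $cfg

    # secedit writes grantees as "*S-1-5-..." entries, so resolve the account to its SID.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    $results = foreach ($priv in $required.Keys) {
        # A line looks like: SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
        $line    = $policy | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
        $holders = if ($line) { ($line -split '=', 2)[1].Trim() -split ',' } else { @() }
        [pscustomobject]@{
            Privilege   = $priv
            DisplayName = $required[$priv]
            Granted     = [bool]($holders -contains "*$sid")
            Holders     = ($holders -join ',')
        }
    }

    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    $results
}

Test-ProcessAsUserPrivileges -Account 'DOMAIN\zPAM_SB' | Format-Table -AutoSize
```

The check matches the account's own SID only; a privilege granted to a group the account belongs to shows as not granted, so compare the Holders column against the account's group memberships in that case. Privileges are placed in the token at logon, so after adding the account under Local Security Policy > User Rights Assignment (or the equivalent GPO) the service has to be restarted before a Run Program operator with explicit credentials will succeed.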

 

 

 
