AnsweredAssumed Answered

PAM service run as domain account, can't run script as other account

Question asked by pier-olivier.tremblay Champion on Feb 16, 2018
Latest reply on Feb 20, 2018 by pier-olivier.tremblay

Okay so let's clarify my title.


I have PAM in my sandbox environnement.


The CA Process Automation service run as a domain account (zPAM_SB not to mention it), wich is part of the server's admin group.


I can login on the server with this account. I can run a script on the server with this account.


I have a simple .bat file containing :

@echo off
echo %USERNAME% > D:/temp/out.txt


I have a simple process with a run program operator that run this .bat file.



When PAM run as a domain account :

If I try to run this .bat as someone else (my personnal credentials actually). It crashes and says : cannot create process as user xxxxxxx - A required privilege is not held by the client.


If i do not specify a userid and a password to the run programm operator, the .bat file writes into out.txt as expected but it writes SYSTEM. Why the ****? PAM service runs as a zPAM_SB.


Even the wrapper and the two java process run as a zPAM_SB.



When PAM runs as local system account

If I try to run this .bat as someone else (my personnal credentials). It runs fine and it writes my USERNAME correctly in out.txt.





Can someone explain me this?