AnsweredAssumed Answered

Windows Agents - Required Access

Question asked by Laura_Albrechto_270 on Sep 12, 2014
Latest reply on Sep 15, 2014 by Wolfgang_Brueckler_75
Hi.  Had a question on whether or not anyone has played around with the different rights that you need in order to run a UC4 job.  If you look in the HELP it says "the user that starts the Windows agent must have these rights".

  • Act as part of the operating system
  • Replace aprocess level token
  • Logon as service
  • Logon as batch job *)
  • Restore files and directories
  • Adjust memory quotas for a process

But it says the user that STARTS the agent, not the users that just run UC4 jobs right?

So I'm wondering has anyone played around with this from the standpoint of - removing these rights to see what is the bare minimum? 

Yes, this is another security question - you can see what my life has become  :)

The Windows team wants to lock down / remove as much access as possible.  They specifically don't like the right having to do with process tokens. 

This is where my understanding is a little fuzzy.  If you look at Administrative Tools => Services at the UC4 service - it says "Log On  As" and has "Local System".  If you look in the Service Manager Dialog and go to the Properties it doesn't have anything in the fields for Log On As.  So..... what user is the agent running under?  SYSTEM?  Exactly what user needs to have these 6 rights?

We have a domain account that we use to run jobs (uc4xyz).  We removed all rights from this user and tried to run jobs.  So far, all it seems like this userid needs is "logon as a batch job" and to be able to logon locally.  But this is just what we've seen so far.

Can anyone explain what user exactly needs these 6 rights?
And what exactly the agent is running under if it isn't started as a particular user?

I do not want to update all our domain accounts to only have those 2 things - logon as a batch job and logon locally and have issues later.  Reduced security would make the Windows team happy, but maybe jobs won't run then. 

Just wondering if anyone has played around with this and/or has a better understanding of Windows security than I do.

Thanks in advance.