Does my Win32 agent service have enough privileges?

Version 2

We have a lot of customers who would like to run their BMC Database Automation agents as an account other than NT AUTHORITY\System, which is BDA's default. Unfortunately, the agent needs the privileges that are granted to NT AUTHORITY\System so it can become other users when given the proper credentials. Without these privileges, the functionality of the BDA agent is severely curtailed. So customers have been creating "NT AUTHORITY\System"-equivalent accounts with the same privileges and running the BDA agent under those accounts.

Sometimes a customer starts running into a problem, and after a lengthy troubleshooting process, we determine that the problem arose because the account the BDA agent was running as didn't have all the privileges that NT AUTHORITY\System has. Now we have a way to head those problems off before they happen.

We've just put together a tool that will allow our customers to determine if they are running their BDA agent with the proper privileges: the "Check Agent Service Account Privileges" action (yeah, we're still working on the name). Just by running this node-scoped action against a Windows node with a BDA agent, customers will be able to tell whether or not their BDA agent is running with all the privileges it needs. If the action is successful, the agent has all the necessary privileges. If the action fails, the output from the action will specify which privileges were missing or incorrectly set.

Just import the attached zip file into your manager and follow the instructions it contains.

Note: the action in this article is also available as a BDA ZipKit.
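
For a manual cross-check of the same idea, the sketch below (an added example, not the BDA action and not BMC code) diffs two `whoami /priv` text captures, one taken under NT AUTHORITY\System and one under the agent's service account, and reports privileges the service account lacks. The sample captures are constructed and abbreviated, and the article does not list which privileges the BDA action itself checks.

```python
import re

# One data row of `whoami /priv`: privilege name, description, state.
ROW = re.compile(r"^(Se\w+)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privs(text):
    """Return {privilege name: state} parsed from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def missing_privs(reference, candidate):
    """Privileges present in the reference capture but absent from the candidate.

    A privilege shown as Disabled is still held by the token and can be
    enabled by the process, so only absence is reported as missing.
    """
    return sorted(set(parse_privs(reference)) - set(parse_privs(candidate)))


# Constructed, abbreviated captures for illustration; not output from a real host.
SYSTEM_CAPTURE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeTcbPrivilege                Act as part of the operating system       Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""

SERVICE_CAPTURE = """
Privilege Name                Description                               State
============================= ========================================= ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""

if __name__ == "__main__":
    for name in missing_privs(SYSTEM_CAPTURE, SERVICE_CAPTURE):
        print("missing:", name)
```

Both captures must come from the same node, since the privileges on a token depend on that machine's local and domain policy.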