1. Connection initiated to agent
2. Exports file is checked to ensure that the incoming connection from the client is authorized
3. It is validated that the Role:User is listed in users or users.local file or access allowed through exports for the user
4. Login as the user cred specified in AP
5. Perform action as AP

The AP doesn’t use the BladeLogicRSCD user account at all.

What accounts are being created as ‘reg_sz’ and where ?

The AP uses normal windows authentication to whatever server it’s talking to.  if it’s member server then it should be like you are logging into the server so it will hit the DC w/ the auth request.

Why ?

ok..

but the AP isn't creating anything or shouldn't be.  for the UPM we use the BladeLogicRSCD account.  when you install on a DC, that does create the account in the domain.  and then all of the DCs use the same account when you run things against the agents.  there's a problem w/ that - there are things that can cause the domain level account to get locked out due to failed authentication attempts.  so there's a registry key ("HKLM\Software\BladeLogic\RSCD Agent\BladelogicRSCDUser") that lets you define another account name to use.  so someone manually created that.  and then on agent startup, the account name in that key will be created in the domain.  so if you see BladeLogicRSCD_dcname, that means that someone went in and set that key and value on each of your DCs.  i'm fairly certain we are not automatically setting that (we had talked about it though).

but this has nothing to do w/ the AP.  so as long as UPM is still enabled on the DCs then either the account specified in that registry key, or 'BladeLogicRSCD' is going to be created in your domain when the agent starts on the DCs.