7 Replies Latest reply on Dec 1, 2016 10:47 AM by Patrick Davis

    BladelogicRSCD user is not being created

    Patrick Davis

      We have a server where the BladelogicRSCD user will not create itself when installing the agent.  We noticed the user had vanished when the server failed patching this month.  Reinstalling the agent (8.7.263) didn't help.  We verified nothing else is using port 4750.  The local admin is being mapped for the service, and has full admin rights.

        • 1. Re: BladelogicRSCD user is not being created
          Bill Robinson

          Is this a member server or domain controller?

          What happens when you start the rscd service?  Are you getting an error and the agent doesn't start?

          Anything in the rscd log? Maybe increase the rolled logs to 100 in the c:\windows\rsc\log4crc.txt for the rscd log and set the logger to debug.

          Anything in the security event logs on the OS?

          • 2. Re: BladelogicRSCD user is not being created
            Patrick Davis

            Member server.  The agent installs with no errors, and the rscd service starts ok.  Log is attached.  Nothing in the security event logs.

            • 3. Re: BladelogicRSCD user is not being created
              Jim Wilson

              The RSCD log error says "windows user privilege mapping disabled"

               

              Can you check that and enable it (even if only temporarily for a test)?

              Or is there anything in the System or Application Event Logs?

              2 of 2 people found this helpful
              • 4. Re: BladelogicRSCD user is not being created
                Bill Robinson

                Can you see if this registry value is set (to 1, I think)?

                HKLM\SECURITY\SAM\BladeLogic\Operations Manager\RSCD\UPMDisabled

                You will probably need to grant yourself (even as Administrator) access to HKLM\Security or HKLM\Security\SAM to be able to drill into it.

                2 of 2 people found this helpful
                • 5. Re: BladelogicRSCD user is not being created
                  Patrick Davis

                  Thank you for this.  I found the above key, and it was set to 1.  I removed this key, as I verified it was not set on our other servers. The BladelogicRSCD user is now populating.

                   

                  What is the reason this key would have been set? This setting was not pushed out by our BSA admins.
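An added example, not from any poster or from BMC: a PowerShell check for the condition identified in replies 4 and 5, using the registry path and value name quoted there. It assumes an elevated Windows PowerShell 5.1 or later session (for `Get-LocalUser`); the function name and result labels are illustrative.

```powershell
# Added example: audit one Windows host for the symptom found in this thread.
# HKLM\SECURITY is normally readable only by SYSTEM, so an access-denied
# result is reported separately instead of being treated as "value not set".
$keyPath   = 'HKLM:\SECURITY\SAM\BladeLogic\Operations Manager\RSCD'
$valueName = 'UPMDisabled'
$userName  = 'BladelogicRSCD'

function Get-UpmDisabledState {   # hypothetical helper name
    try {
        $key = Get-Item -LiteralPath $keyPath -ErrorAction Stop
    }
    catch {
        $ex = $_.Exception
        if ($ex -is [System.Management.Automation.ItemNotFoundException]) {
            return 'KeyMissing'
        }
        if ($ex -is [System.Security.SecurityException] -or
            $ex -is [System.UnauthorizedAccessException]) {
            return 'AccessDenied'
        }
        throw   # anything else is unexpected; surface it
    }

    # GetValue returns the supplied default ($null) when the value is absent.
    $value = $key.GetValue($valueName, $null)
    if ($null -eq $value) { return 'NotSet' }
    return "Set:$value"
}

$state = Get-UpmDisabledState
$user  = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue

$finding = switch ($state) {
    'AccessDenied' { 'Cannot read the key; grant read access or run as SYSTEM' }
    'Set:1'        {
        if ($user) { 'UPMDisabled is 1 but the local account still exists' }
        else       { 'UPMDisabled is 1 and the account is missing (matches this thread)' }
    }
    default        { 'UPMDisabled is not set to 1 on this host' }
}

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    UPMDisabled = $state
    LocalUser   = if ($user) { 'Present' } else { 'Missing' }
    Finding     = $finding
}
```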

                  • 6. Re: BladelogicRSCD user is not being created
                    Bill Robinson

                    Considerations for automation principals and Windows user mapping - BMC Server Automation 8.2

                     

                    Discontinuing the use of the BladeLogicRSCD user

                    In some environments, creating and managing a local user account such as BladeLogicRSCD is an administrative challenge because an organization-wide security policy might prohibit local user accounts. In these environments, BMC recommends the use of automation principals, and you can remove the BladeLogicRSCD account after the initial registration of the RSCD agent on the BMC Server Automation Application Server.

                    The following table discusses the prerequisites of removing the BladeLogicRSCD user.

                     

                     

                     

                    BMC Server Automation version

                    To remove the BladeLogicRSCD local account, you must have BMC Server Automation version 8.1 or later installed.

                    On any earlier version of BMC Server Automation, the BladeLogicRSCD local account is still required, even if it is unused. Furthermore, even if you remove this account, it is recreated automatically the next time that a connection is established with the RSCD agent.

                    BMC Server Automation architecture

                    You can remove the BladeLogicRSCD local account from remote servers.

                    However, do not remove this local user account from the file server. Correct operation of the BMC Server Automation infrastructure requires user privilege mapping for file servers.

                    When to remove

                    To remove the BladeLogicRSCD local account, wait until after the server has been added and registered on the BMC Server Automation Application Server.

                    The BladeLogicRSCD account and User Privilege Mapping (UPM) must be enabled when the system is first registered with the BMC Server Automation Application Server. The first call to the RSCD agent is made without knowing what OS the agent is running on. UPM is an agent-side functionality, so to invoke, that server does not need to know the OS, but the agent does need to know. The automation principal, on the other hand, is a functionality on the Application Server side, and the decision whether to use an automation principal to access an agent is made at the server side. One of the things needed to make that decision is the OS of the machine that the agent is running on, and that property is set only after the first call to the agent is successful. If UPM is disabled before the first call, there is no way to access that agent and hence no way to get the information about the OS to enable the server to make the decision of using an automation principal.

                    To remove the BladeLogicRSCD user

                    After the server has been added, run the chapw -d command on the remote system. To run the chapw -d command, you must connect to the agent by means of a Network Shell Proxy Server. Use the blcred command to log on, and select a role that has an automation principal associated with it.

                     

                    Note

                     

                    When the chapw -d command is run against an Active Directory domain controller, the BladeLogicRSCD account is not deleted (whereas against a member or standalone server, the chapw -d command does delete the account). You should run the chapw -d command against all domain controllers in the domain, and you can then manually delete the BladeLogicRSCD account from the domain. In this manner, you prevent the chapw -d command from running against a single domain controller and having it delete an account that other domain controllers are using.

                    2 of 2 people found this helpful
                    • 7. Re: BladelogicRSCD user is not being created
                      Patrick Davis

                      Thanks for this info.