19 Replies Latest reply on Dec 6, 2011 10:52 AM by Bill Robinson

    mapping to a domain user account

      OK...maybe this is just my lack of Windows knowledge. I need to know how to run a blpackage deploy job with a user that has domain admin privileges.

       

      We have a job that needs to add users to the "Security Settings\Local Policies\User Rights Policy\Log on as a service" and it is throwing errors because you need to do it as a domain admin rather than a local admin.

       

      So, the question is how do you get mapped to a domain admin as well as a local admin?

        • 1. Re: mapping to a domain user account
          Bill Robinson

          We don't/can't map BladeLogic users to domain users (other than on a domain controller, in which case the users are 'local').

           

          are you trying to add domain users to the local security policy?

          • 2. Re: mapping to a domain user account

            OK....I got that bit about the mapping in the admin guide (finally).

             

            Yes, we are trying to add domain users to the local security policy. They look something like this: SUBDOMAIN\user_svc

            • 3. Re: mapping to a domain user account

              I don't follow why domain admin is required to grant this privilege unless this machine is a domain controller, could you elaborate?

               

              You could probably do this with one of the tools from the NT Resource Kit, using a blpackage external command to call it.

              http://support.microsoft.com/kb/315276

              NTRIGHTS.EXE -u DOMAIN\User +r SeServiceLogonRight

               

              You could also grant this or any of the security policy stuff with a group policy object very easily.
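Added example, not from the thread and not a BMC or Microsoft script: the same grant done with the built-in secedit.exe (present on every supported Windows version, unlike the Resource Kit ntrights.exe), run from an elevated PowerShell on the target. The account name and the temp file paths are placeholders. It resolves the account to a SID before touching the policy, because that lookup is the step that fails with "unknown user" when the calling process (for example a local service account such as the agent's) cannot authenticate to the domain; failing there leaves the policy untouched.

```powershell
# Added example: grant "Log on as a service" (SeServiceLogonRight) to a domain account
# with secedit.exe. Run in an elevated shell on the target machine.
param(
    [string]$Account = 'SUBDOMAIN\user_svc'   # placeholder account, replace with the real one
)
$ErrorActionPreference = 'Stop'

# 1. Resolve the account to a SID. A process without domain credentials cannot do this,
#    so stop here with a clear message rather than applying a half-edited policy.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    throw "Cannot resolve '$Account' to a SID; the process needs domain credentials (e.g. an Automation Principal). $_"
}

# 2. Export only the user-rights area of the local policy to a temporary INF (UTF-16).
$inf = Join-Path $env:TEMP 'user_rights.inf'   # placeholder path
$db  = Join-Path $env:TEMP 'user_rights.sdb'   # placeholder path
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# 3. Add *SID to the SeServiceLogonRight line under [Privilege Rights]. Entries prefixed
#    with '*' are SIDs. Idempotent: an already-present SID is not duplicated. If the right
#    currently has no holders the line is missing, so create it directly under the header.
$key   = 'SeServiceLogonRight'
$lines = Get-Content $inf
$found = $false
$out = foreach ($l in $lines) {
    if ($l -match "^\s*$key\s*=") {
        $found = $true
        if ($l -match [regex]::Escape("*$sid")) { $l } else { $l.TrimEnd() + ",*$sid" }
    } else {
        $l
    }
}
if (-not $found) {
    $out = foreach ($l in $lines) { $l; if ($l -eq '[Privilege Rights]') { "$key = *$sid" } }
}
Set-Content -Path $inf -Value $out -Encoding Unicode

# 4. Apply just the USER_RIGHTS area from the edited INF into a scratch database.
& secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "secedit /configure failed with exit code $LASTEXITCODE; see $env:windir\security\logs\scesrv.log"
}

# 5. Verify by re-exporting and checking that the SID is now listed for the right.
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line    = Get-Content $inf | Where-Object { $_ -match "^\s*$key\s*=" }
$applied = [bool]($line -match [regex]::Escape("*$sid"))
Remove-Item $inf, $db -ErrorAction SilentlyContinue
if (-not $applied) { throw "$key was not granted to $Account" }
"Granted $key to $Account ($sid)"
```

The edit-then-configure approach has the same behaviour as the ntrights.exe command in the reply above (it appends a holder rather than replacing the list), and the final re-export is the check worth keeping even if you script this differently: secedit can return 0 while logging a failure to scesrv.log.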

              • 4. Re: mapping to a domain user account
                Scott Rabinow

                It looks like we are running into the same issue. We have several commands that need to set some sort of domain credentials (file permissions and ownership, registry key permissions, etc.). We are using these Microsoft commands:

                 

                subinacl.exe

                takeown.exe

                xcacls.vbs

                 

                All fail (with their own messages), but it seems to all boil down to the fact that the BL agent is running as the local account "BladelogicRSCD" which is not authenticated to the domain and that we are trying to grant permissions to domain accounts, which then can't be verified (some error messages state "unknown user", when we are absolutely sure the account info is correct)...

                 

                Other forum articles here on the BL site suggest using the Sysinternals tool "psexec" (now owned by MS) to runas a domain account, but so far I have been unsuccessful doing that.

                 

                We are wrestling with a package property that is an encrypted string (the domain account password) from "blenc", but we can't figure out how to de-crypt it for use by psexec.

                 

                Help?

                • 5. Re: mapping to a domain user account
                  Scott Rabinow

                  I should have noted in my post a few minutes ago that the ntrights.exe program from Microsoft is successful in adding domain account permissions under User Rights Assignment, even when running under a local account like BladelogicRSCD.

                  • 6. Re: mapping to a domain user account

                    The system is NOT a domain controller, but the command that we wanted to execute needed to have domain admin privileges. If you tried to execute the command by hand, the person doing it had to be a domain admin.

                    • 7. Re: mapping to a domain user account
                      Steven Wyns

                      Hi,

                       

                      => We are wrestling with a package property that is an encrypted string (the domain account password) from "blenc", but we can't figure out how to de-crypt it for use by psexec.

                      Are you still struggling with that or have you found a decent solution in the meantime? I'm also looking for that golden egg.

                       

                      Kind regards,

                      • 8. Re: mapping to a domain user account
                        Bill Robinson

                        How are you trying to use it - like in an external command in the blpackage?

                        • 9. Re: mapping to a domain user account
                          Steven Wyns

                          Hi,

                           

                          No not from a BlPackage, just in a script, so I guess there's no way to decrypt the password since this would compromise the whole encrypted variable idea. Or is there?

                           

                          Kind Regards

                          • 10. Re: mapping to a domain user account
                            Bill Robinson

                            Try something like this in the script.

                             

                            1. Put the text below into a file like Property-PS-Delete.xml in <install dir>/br/xml/cli on the system(s) that will run the script, probably the appservers. They have to have the blcli installed.

                             

                            <?xml version="1.0" encoding="UTF-8"?>
                            <!DOCTYPE command_inventory SYSTEM "file://bladelogic.com/dtds/Command-Inventory.dtd">
                            <command_inventory>
                                <name_space name="Property">
                                    <complex_command command_id="decryptPropertyValue-PS-0001" published="yes" release="yes">
                                        <name>decryptPropertyValue</name>
                                        <description>
                                            <author>Anonymous</author>
                                            <paragraph>
                                                <string_literal>This command prints the clear text value of a given encrypted property</string_literal>
                                            </paragraph>
                                        </description>
                                        <argument_list>
                                            <argument desc="Encrypted property value (as returned by getFullyResolvedPropertyValue) to decrypt and print." name="propertyValue">java.lang.String</argument>
                                        </argument_list>
                                        <commands_to_execute>
                                            <command_invocation>
                                                <namespace_ref>BlValue</namespace_ref>
                                                <name>createEncryptedStringBlValueBean</name>
                                                <input></input>
                                            </command_invocation>
                                            <command_invocation>
                                                <namespace_ref>EncryptedStringBlValueBean</namespace_ref>
                                                <name>parseFromString</name>
                                                <input>$propertyValue$</input>
                                            </command_invocation>
                                            <command_invocation>
                                                <namespace_ref>EncryptedStringBlValueBean</namespace_ref>
                                                <name>getValue</name>
                                                <input></input>
                                            </command_invocation>
                                        </commands_to_execute>
                                    </complex_command>
                                </name_space>
                            </command_inventory>

                             

                            Then in your script you should be able to run some blcli like this:

                             


                                # NSH script: fetch the encrypted value of the 'password' property
                                # on the property instance Class://SystemObject/Test/test
                                blcli_execute PropertyInstance getFullyResolvedPropertyValue Class://SystemObject/Test/test password
                                # store the result of the last blcli_execute in ENC_VALUE
                                blcli_storeenv ENC_VALUE
                                # run the custom command defined in the XML above to decrypt it
                                blcli_execute Property decryptPropertyValue ${ENC_VALUE}
                                blcli_storeenv PASS
                                echo "$PASS"


                            This is for a custom property class named 'Test' w/ a subclass of 'test' and the property 'password' so you can change that.

                             

                            Though, if you were using a blpackage, I think you can just pass in the property into the external command box and it would decrypt it.  The above would have to be run inside a nsh script.

                            • 11. Re: mapping to a domain user account
                              Steven Wyns

                              Hi Bill,

                               

                              Thanks, I think this can help me.

                               

                              Kind regards,

                              • 12. Re: mapping to a domain user account

                                Is this (using NTRIGHTS.EXE -u DOMAIN\User +r SeServiceLogonRight) the best practice solution to the problem as of today?

                                 

                                Or can BladeLogic account mappings help ?

                                • 13. Re: mapping to a domain user account
                                  Bill Robinson

                                  You can run as a domain user w/ the Automation Principal feature. The original post was back in 2008, before we had that feature.

                                  • 14. Re: mapping to a domain user account

                                    Thanks very much Bill.  A BBSA colleague of mine set this up and it worked.
