13 Replies Latest reply on Jun 27, 2005 1:12 AM by Jarrod Boland

    BladeLogicRSCD user not created??

      Hi all,


      I've got a real annoying problem here (Windows 2003). Trying to install the agent either manually or via Bulk Installer and it fails to create the BladeLogicRSCD user - which I know plays an core part of the agents functionality.


      I've searched the knowledgebase and the only article which seems close is:



      Unfortunatley I've checked the server and its already running in remote admin mode in execute mode. Can't for the life of me suss out what going wrong? Event logs look fine.


      Anyone got any ideas?




        • 1. Re: BladeLogicRSCD user not created??

          Is this a domain controller?

          • 2. Re: BladeLogicRSCD user not created??

            Hi Brad,


            Its a member server.




            • 3. Re: BladeLogicRSCD user not created??

              Anymore ideas? or should i log a call?




              • 4. Re: BladeLogicRSCD user not created??

                log, log, log :)

                • 5. Re: BladeLogicRSCD user not created??

                  On the Windows agent, the BladeLogicRSCD user is created upon startup of the agent if the user isn't found (it is not created via the installation, as some people may believe). That being said, if you set the agent log to DEBUG level and attempt to start it, you should see some sort of error in the logs.


                  After you do this, I would log a call as the Support team does have experience tracking this sort of thing down.

                  • 6. Re: BladeLogicRSCD user not created??

                    Yay! Thanks Tim!

                    • 7. Re: BladeLogicRSCD user not created??
                      Mark Jeffery

                      Out of interest, why does this happen?


                      Why do we have a BladeLogicRSCD user and the user that runs the service?



                      • 8. Re: BladeLogicRSCD user not created??

                        Here's an explanation as explained to me. Anyone else who knows about this user should feel free to chime in:


                        The BladeLogicRSCD user is created on Windows in order for us to obtain local privileges on the target server. Whenever a connection is made to a target agent, we are first mapped to this user before reading exports, users, users.local. This user has extremely limited permissions (e.g., you can't log onto the desktop with it), but one thing it can do is obtain other privileges. So, once we read through the exports, users, and users.local, we know which user we should ultimately be mapped to (Administrator, etc.). We then query the server to obtain the privileges of that user and assign those privileges to the BladeLogicRSCD user (just for the life of that individual call). Thus, when you say "user=Administrator" in exports (or "map=Administrator" in users or users.local), we're not really running as that user but rather the BladeLogicRSCD user with the exact same permissions as "Administrator" (again, only for the life of the call).


                        This may sound confusing, but it's actually how Microsoft handles it in the case of IIS. If you've ever seen the users called "IUSR_", they're doing the same thing for IIS that we're doing for our agent. They are dummy users that are given the effective privilege of another user.

                        • 9. Re: BladeLogicRSCD user not created??

                          Do we create a log file for agent installation anywhere, I mean, a log of each action, like, created necessary folders and files etc.


                          I come from an SMS background, and I remember I had to look for log files in order to see if the SMS Client got installed correctly.

                          • 10. Re: BladeLogicRSCD user not created??

                            Up to this point (through 6.2.x versions of the agent installer) there is no such log.


                            With the release of 6.3.0 there is an implementation of an agent install log on windows systems that is intended to help troubleshoot this sort of installation issue.

                            • 11. Re: BladeLogicRSCD user not created??
                              Mark Jeffery

                              We have a problem that is related to this, I think.


                              We want to check a network share for compliance, and we need to map to a domain user to get permissions for that share.


                              Can we map to a domain user?


                              Could we change the BladeLogicRSCD user to be a domain user, and still owner of the service?





                              • 12. Re: BladeLogicRSCD user not created??

                                At this time you cannot map to a domain user. Unlike local users, which can be semi-impersonated (with the right privileges) without authentication, domain users require some type of authentication. This authentication can be acquired via either a password or kerberos or whatever but an authentication is required.


                                Also, the agent must run as the Local System user. This user is the only user with enough privileges for local user impersonation to work.

                                • 13. Re: BladeLogicRSCD user not created??

                                  Another interesting aside here: Since any process run by the Windows agent actually runs as a BladeLogicRSCD-owned process, it's quite easy to see what processes the agent is currently running. If you run a "ps" against a Windows server or even log into Windows Task Manager and view tasks by all users, this NT Impersonation model makes it quite easy to see exactly what local NT processes the BladeLogic agent is currently running. This is especially fruitful in trying to diagnose NT agent hangs, which can often be caused by Windows programs that are spawned by nexec but refuse to give up control.


                                  Again, this isn't completely relevent to the conversation, but this little tidbit has proven invaluable to me many times in the past, and this thread seemed like a reasonably good place to mention it.