Script-based ITPAM Operators (Windows Management and similar) fail when asked to run as a user other than the one running the ITPAM Agent process (the Local System account by default). They return something like:
ExitCode = -1, Reason: cannot create a process as user <username> - Access is denied.
- The user account that runs the ITPAM Agent service should be granted the following Local Security Policy user rights:
  - Act as part of the operating system (SeTcbPrivilege)
  - Create a token object (SeCreateTokenPrivilege)
  - Log on as a service (SeServiceLogonRight)
  - Log on as a batch job (SeBatchLogonRight)
  - Replace a process level token (SeAssignPrimaryTokenPrivilege)
- Make sure that the user account used to run Script-based operators has enough privileges to run these scripts. The easiest way to test is to log in to the target server (Windows 2008) over an RDP session and attempt to run the script from a command prompt. Another very important step: while logged in over RDP, navigate to the folder that is set as the new property in the Agent service configuration:
You will likely see a security warning; click "Yes" and navigate to C:\Windows\temp, then make sure you can create a test file or folder in that folder. At that point you can log off from the RDP session and run Script-based operators with the credentials of that user account.
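One way to verify the five user rights listed above before retrying the operator, as an added example that is not part of the original article: the script exports the local security policy with secedit and reports which rights the agent's service account holds. The account name is a placeholder you must replace; run the script elevated on the agent host.

```powershell
# Added example (not from the original article): check that the account running the
# ITPAM Agent service holds the five user rights the article requires.
# $AgentAccount is a placeholder; replace it with the real service account (DOMAIN\user).
param(
    [string]$AgentAccount = 'DOMAIN\itpam-svc'
)

$requiredRights = @(
    'SeTcbPrivilege',               # Act as part of the operating system
    'SeCreateTokenPrivilege',       # Create a token object
    'SeServiceLogonRight',          # Log on as a service
    'SeBatchLogonRight',            # Log on as a batch job
    'SeAssignPrimaryTokenPrivilege' # Replace a process level token
)

# secedit lists holders as *SID (sometimes as account names), so resolve the SID up front.
$sid = (New-Object System.Security.Principal.NTAccount($AgentAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local policy to a temporary INF file.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section into a hashtable: right name -> list of holders.
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim() }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Report each required right; any MISSING entry is a candidate cause of the
# "cannot create a process as user ... Access is denied" failure described above.
foreach ($r in $requiredRights) {
    $holders = $rights[$r]
    $granted = $holders -and (($holders -contains "*$sid") -or ($holders -contains $AgentAccount))
    '{0,-32} {1}' -f $r, $(if ($granted) { 'GRANTED' } else { 'MISSING' })
}
```

Rights granted through group membership show up under the group's SID rather than the account's, so a MISSING line for a right the account inherits from a group needs a second look at that group.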