Script-based ITPAM operators fail to run as a user different from the one running the ITPAM Agent process (Local System account by default). They return: ExitCode = -1, Reason: cannot create a process as user <username>

Document ID : KB000050501
Last Modified Date : 14/02/2018

Description:

Script-based ITPAM operators (Windows Management etc.) fail to run as a user different from the one running the ITPAM Agent process (Local System account by default). They return something like:

ExitCode = -1, Reason: cannot create a process as user <username> - Access is denied.

Solution:

  1. The user account that runs the ITPAM Agent service must be granted the following user rights under Local Security Policy (Local Policies > User Rights Assignment):

    • Act as part of the operating system (SeTcbPrivilege)

    • Create a token object (SeCreateTokenPrivilege)

    • Log on as a service (SeServiceLogonRight)

    • Log on as a batch job (SeBatchLogonRight)

    • Replace a process level token (SeAssignPrimaryTokenPrivilege)

    These rights are read into the account's access token at logon, so restart the ITPAM Agent service after changing the policy; "whoami /priv" in a process running as that account shows whether the new privileges are present. Note that SeTcbPrivilege and SeCreateTokenPrivilege let the holder create a token for any user, so an account holding them is effectively a local administrator: use a dedicated service account for the Agent, give it a strong password, and do not reuse it for anything else.

  2. Make sure the user account that will run the script-based operators has sufficient privileges to run those scripts. The easiest test is to log in to the target server (Win 2008) via RDP as that user and run the script from a command prompt. Another very important step: while logged in via RDP, navigate to the folder configured by the new property in the Agent service configuration:

    wrapper.java.additional.9=-Djava.io.tmpdir=C:\Windows\Temp

    You will likely see a security warning; click "Yes", navigate to C:\Windows\Temp and make sure you can create a test file or folder there. At that point you can log off from the RDP session and run the script-based operators, providing the credentials of that user account.
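The two checks above (the five user rights on the Agent service account, and write access to the java.io.tmpdir folder) can be scripted. The following PowerShell script is an added example and is not part of the CA knowledge base article or of ITPAM itself. It assumes an elevated PowerShell session on the Agent host (secedit needs administrator rights to export the policy), and the account name CONTOSO\svc_itpam is a placeholder to replace with your own service account.

```powershell
# Added example, not from the CA KB article: audits whether a service account
# holds the five user rights the article lists, and whether the current user
# can write to the folder given by -Djava.io.tmpdir.
# Assumptions: run from an elevated PowerShell session on the Agent host;
# $ServiceAccount is a placeholder name, $TempDir matches the wrapper property.
param(
    [string]$ServiceAccount = 'CONTOSO\svc_itpam',   # assumed example account
    [string]$TempDir        = 'C:\Windows\Temp'      # from wrapper.java.additional.9
)

$RequiredRights = @(
    'SeTcbPrivilege',               # Act as part of the operating system
    'SeCreateTokenPrivilege',       # Create a token object
    'SeServiceLogonRight',          # Log on as a service
    'SeBatchLogonRight',            # Log on as a batch job
    'SeAssignPrimaryTokenPrivilege' # Replace a process level token
)

# secedit lists right holders as *SID entries, so resolve the account to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the User Rights Assignment area of the local policy to a temp .inf.
$inf = Join-Path $env:TEMP 'itpam-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the session elevated?)' }

# Parse [Privilege Rights] lines such as:
#   SeTcbPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
# A right with no holders at all does not appear in the export.
$rights = @{}
Get-Content $inf | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Accept either the SID or the plain account name (older exports may use names).
$missing = $RequiredRights | Where-Object {
    -not (($rights[$_] -contains $sid) -or ($rights[$_] -contains $ServiceAccount))
}
if ($missing) {
    Write-Warning "Rights missing for $ServiceAccount (assign them, then restart the ITPAM Agent service):"
    $missing | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "All five user rights are assigned to $ServiceAccount"
}

# Step 2 check: create and remove a probe file in the java.io.tmpdir folder.
# This tests the identity running the script, so run it logged in as the
# account the operators will use.
$probe = Join-Path $TempDir ('itpam-probe-{0}.txt' -f [guid]::NewGuid())
try {
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Remove-Item $probe -Force
    Write-Host "Write test in $TempDir succeeded"
} catch {
    Write-Warning "Cannot create a file in ${TempDir}: $($_.Exception.Message)"
}
```

The rights check reflects the stored policy, not the token of the already running Agent process; after assigning a missing right, restart the ITPAM Agent service so its process gets a fresh token. The write probe only tells you about the user who runs the script, which is why the article has you perform it while logged in as the operator account.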