sebirello
Joined: 02 Nov 2016 Posts: 25
|
Posted: Tue May 23, 2017 7:00 am Post subject: service tests: Win32 error #5 with Connect as |
|
|
Hello,
following conditions:
- Host Monitor version: 9.90
- Installed on OS: Server 2012R2
- KS Advanced Host Monitor and KS Web Service configured to run as Local System
- In the Host Monitor Application I've configured a separate user account under service (Domain user account)
In the service tests (all Windows Server services) I have configured the local administrator account and password for the specific server with connect as.
Now the problem is that the service tests only work if my service user (configured in the Host Monitor application under service) is a domain admin. I don't want to give that service account domain admin rights!
Can you tell me how to configure it right, so maybe I can use the local administrator defined in the service test with "Connect as"?
And maybe a solution, so I also can use the local system account in the Host Monitor application, instead of a separate account.
Thank you very much!
Kind Regards |
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12818 Location: USA
|
Posted: Tue May 23, 2017 7:28 am Post subject: |
|
|
Quote: | - KS Advanced Host Monitor and KS Web Service configured to run as Local System
- In the Host Monitor Application I've configured a separate user account under service (Domain user account) |
So local system account specified in Windows Services applet?
While you use domain admin account in HostMonitor Options dialog?
This works fine on Windows Server 2003, while on Windows 2012 it's better to set it the other way around.
Local admin account should work. Unless UAC is enabled, in such case only built-in administrator account will work.
Note: "never notify" UAC option does not work on Windows 2012, you have to disable it in registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system, EnableLUA=0
system restart required
Regards
Alex |
|
sebirello
Joined: 02 Nov 2016 Posts: 25
|
Posted: Tue May 23, 2017 8:56 am Post subject: |
|
|
Hi Alex,
thank you for the answers!
I am already using the built-in administrator account in the service tests.
So what happens if I am using the domain user account for the service, is the service then using the account specified in the windows service applet for connecting to the services on the servers or is it using the account specified in connect as?
So what is best practice if I want to continue running host monitor as a service and checking the server services?
Thank you!
Regards
Sebastian |
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12818 Location: USA
|
Posted: Tue May 23, 2017 11:31 am Post subject: |
|
|
Quote: | I am already using the built-in administrator account in the service tests |
This account is necessary for the service itself, for the hostmon.exe process.
E.g. if service started under local system account, then it does not matter what account you use for the tests, HostMonitor will not be able to connect to remote systems because process does not have necessary permissions.
Quote: | So what happens if I am using the domain user account for the service, is the service then using the account specified in the windows service applet for connecting to the services on the servers or is it using the account specified in connect as? |
"Connect as" option and Connection Manager (recommended way is to use Connection Manager, it's more flexible) tell HostMonitor to provide specified account when it connects to remote system using Windows API.
But in domain environment Windows may use account that launched process.
Regards
Alex |
|
sebirello
Joined: 02 Nov 2016 Posts: 25
|
Posted: Tue May 23, 2017 3:15 pm Post subject: |
|
|
Hi Alex,
ok, so as far as I can understand, Connect as or the Connection Manager doesn't work for me in the domain environment for connecting correctly to the remote servers, because it is using the account specified in the Windows service?
Is the best way now to run the Windows service as a domain account and to configure the service option in Host Monitor to run as local system? And then grant the domain account specified in the Windows Service local admin rights on the servers I am testing?
Or is it better to use the domain admin running the windows service?
Another option I guess would be to create a connection for every host in the connection manager with the local administrator and to let the host monitor application running while logged in?
What do you recommend?
Thank you!
Regards,
Sebastian |
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12818 Location: USA
|
Posted: Wed May 24, 2017 2:13 pm Post subject: |
|
|
Quote: | What do you recommend? |
If UAC is enabled, use built-in administrator account for the service (Windows Services applet).
Otherwise use local admin or domain admin for the service (Windows Services applet).
Keep "local system" account in HostMonitor Options dialog.
Quote: | ok, so as far as I can understand, Connect as or the Connection Manager doesn't work for me in the domain environment for connecting correctly to the remote servers, because it is using the account specified in the Windows service? |
Depends on test methods. E.g. WMI, Memory, Drive Free Space, Dominant Process tests need correct account specified in Connection Manager.
Anyway, in order to use Connection Manager, hostmon.exe process (service) must have permissions. E.g. if you start account under local system account, HostMonitor will not be able to use Connection Manager at all. It will be able to perform tests like SNMP Get, Traffic Monitor, Ping, TCP, but not tests like WMI, NT Event Log, Process, Service, CPU Usage.
Quote: | Another option I guess would be to create a connection for every host in the connection manager with the local administrator and to let the host monitor application running while logged in? |
Usually you don't need to provide account for each host.
You may provide "default" account that will be used by HostMonitor for every resource not included in the list. To do so, type * as resource name. Then you may provide name of the server/domain or type * instead of server name. In 1st case HostMonitor will send authentication information to the specified server; in 2nd case (unc=* and server=*) HostMonitor will connect to the server that was specified as test parameter.
In addition to default and host-specific accounts, you may specify accounts based on IP address ranges (e.g. you may specify one user account for 10.10.1.5-10.10.1.55 range, another account for 10.10.1.200-10.10.1.235 range).
Regards
Alex |
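A read-only check of the two settings the replies above depend on (the logon account of the Windows service and the EnableLUA value), as an added example that is not part of the thread and not KS-Soft code. The service name is a parameter because the thread does not give it, and the findings only restate what the replies say; nothing is tested against remote hosts.

```powershell
# Added example, not KS-Soft code. Run locally on the HostMonitor server.
# -ServiceName is a placeholder: the thread does not give the Windows
# service name, so pass the name shown in the Services applet.
param([Parameter(Mandatory)] [string] $ServiceName)

$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -eq $ServiceName }
if (-not $svc) { throw "Service '$ServiceName' not found" }

# UAC switch named in the thread. Treating a missing value as "enabled"
# is an assumption of this example.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
$uacEnabled = ($lua -ne 0)

# Resolve the logon account to a SID. ".\name" is how a local account is
# stored, so expand it to COMPUTER\name before translating.
$account = $svc.StartName
$sid = $null
if ($account -and $account -ne 'LocalSystem') {
    $full = $account -replace '^\.\\', "${env:COMPUTERNAME}\"
    $sid = ([System.Security.Principal.NTAccount]$full).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Classify the account using only the statements made in the thread.
# RID 500 is the built-in Administrator of a machine or a domain.
$note = if ($account -eq 'LocalSystem') {
    'LocalSystem: per the thread, WMI/NT Event Log/Process/Service tests will not work'
} elseif ($sid -match '^S-1-5-21-.+-500$') {
    'Built-in Administrator (RID 500): the account the thread says works with UAC enabled'
} elseif ($uacEnabled) {
    'UAC enabled and not the built-in Administrator: per the thread this will not work'
} else {
    'UAC disabled: per the thread a local admin works; Power User is enough for service checks'
}

[pscustomobject]@{
    Service      = $svc.Name
    LogonAccount = $account
    Sid          = $sid
    EnableLUA    = $lua
    Finding      = $note
}
```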
|
sebirello
Joined: 02 Nov 2016 Posts: 25
|
Posted: Wed May 24, 2017 2:34 pm Post subject: |
|
|
Hi Alex,
thank you for the answers!
So I guess the only option for me is to set up the Windows service with a domain admin account, because I want to run Host Monitor as a service and I want to check a lot of services of domain joined servers. So I don't need to set up the Connection Manager.
Is there no way to run the Windows service with an account with fewer privileges than domain admin rights to check services when running Host Monitor as a service?
Sorry for the many questions!
Regards,
Sebastian |
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12818 Location: USA
|
Posted: Wed May 24, 2017 5:51 pm Post subject: |
|
|
If you need to check just services then Power User account should be enough
Regards
Alex |
|