Script (service) permissions

[wb]

Hi,

I am setting up some script tests (vbs) within the enterprise version and am running hostmonitor as a service.

It appears it can only execute the scripts if the user the service starts as is a member of the administrators group on the local machine (windows 2003 x64)

Otherwise when the test runs a 'The application failed to initialize properly (0xc0000142)' pops up.

Is there any other way to get this working as I would prefer not to have the service running as an administrator?

Thanks

[KS-Soft]

If you do not provide admin rights to HostMonitor, some other test will fail as well.
Admin rights necessary for CPU Usage, Process, Performance Counter tests.

Quote from the manual
============
Note #1: When HostMonitor starts as a service, it uses the system account (as all interactive services). But this account may not have all the necessary permissions, so some tests will not work correctly (UNC test, "disk free space" test for shared drives, "CPU Usage" test for remote machines, etc). If you need these tests, you will need to assign a special user account on the Service page in the Options dialog (HostMonitor's Options dialog). In this case HostMonitor will impersonate the security context of the user. Do not change the account using the system utility "Services". If you do so, HostMonitor may be unable to interact with the desktop.
=============

Regarding script.. normally you should be able to start script without admin rights (however you may need admin rights to perform some operations, e.g. access remote registry).

What account do you use to run HostMonitor service? Local system account? In such case HostMonitor will not be able to check any remote system.

Regards
Alex

[greyhat64]

Alex,
I struggle with this myself sometimes. For instance, I have a VBs/WMI script I'd like to run via active RMA. Queries to the Active RMA computer work fine, but if it is querying another server on the same remote network I get a "Error 70, permission denied", even though both boxes are using a domain account that has local admin permissions on both boxes. I could load another RMA, or include impersonation in my script, but this particular script should work without needing to do either.

FYI - Active RMA (3.33) is running as a service using the domain account mentioned above. I think the problem is that the HM server (7.50) is running as a service in a different domain using a different account. (Kapz mentioned that this might be a problem). You probably have the answer in your back pocket and I'm probably overlooking the obvious, so go ahead and embarrass me - I deserve it.

It may be a tall order, but a FAQ documenting authentication best practices (for the HM service and active RMA) might clear up a lot of these type of questions. Then you could simply point wb and myself to that - case closed

Thanks again for a great (and getting better) product!

[KS-Soft]

[wb]

Hi,

Sorry for the late reply - have had a couple of days off.

I use a domain account but without any special priveledges (I also tried adding the user to the power user group rather than the admin group but this still didn't work). The disk space and CPU tests I need to do I do through SNMP which doesn't require anything special.

The script I am trying to run is one I found on the forums to give me number of minutes since the newest file in a folder was created (I'm using to make sure a log file is created weekly - unless you have a better suggestion on how to do this).

The Hostmon user has access to this folder (on the local machine) but is unable to execute the script (even just a simple one line script fails - see below)

wscript.stdout.write "scriptres:BAD:No file found"


As I say - it does work if I put the service in the admin group but this isn't really good practice if it can be avoided.

Thanks for any help.

[KS-Soft]

We cannot reproduce such problem on our systems. HostMonitor is able to execute scripts under local system account, under regular user account and under admin account.

We checked Microsoft manuals but did not find any explanation why it works under admin account and does not work for regular user. May be system environ variable "path" does not point to %systemroot%\system32 directory while "path" variable specified for admin account contains correct path?

Regards
Alex

[losisoft]

I suggest, you log in with the account who is running the RMA agent. And try to run locally the vbscript. Then it will be easier to debug what permission is missing to run the script. It could be that the system is trying to run the script with cscript instead of wscript, or the other way around.