KBI 310557 Correcting Permissions When Customer Cannot Give Administrator Privilege to Argent Service Account

Version

Argent Advanced Technology — All Versions

Date

Tuesday, 19 April 2022

Summary

It is an Argent prerequisite that the Argent service account be granted local administrator privilege on all target Windows machines.

This ensures proper monitoring of Windows performance, event logs, Windows services, etc.

This article describes what can be done when the customer CANNOT give local administrator privilege to the Argent service account on a target machine.

Technical Background

Local administrator privilege means being a member of the Administrators group in Windows’s Local Users and Groups; an example is shown below.

Without local administrator privilege, the following monitoring Rules can be interrupted.

– SLA and System Down Rules

– Windows Performance Rules

– Windows Event Log Rules

– Windows Service Rules

– WMI Rules

Resolution

Windows 2003 and later have the following built-in local groups, which make the task much easier.

– Performance Monitor Users
– Event Log Readers
– Distributed COM Users

The key is to make the Argent AT service account a member of these built-in local groups on the target machine.

While customers can certainly log on to each server and perform this task manually, this is not feasible for large networks with hundreds or thousands of Windows machines.

The task can be done through a Restricted Group of the Default Domain Group Policy.

The Domain Controller pushes out the settings to each Windows machine in the domain, and the Argent AT service account becomes a member of the relevant local groups.

Step 1: Create a domain group Non-Admin-Monitor-Users.

Step 2: Add the Argent AT service account to the group.

Step 3: Edit the Default Domain Group Policy (Note: NOT the Default Domain Controller Group Policy).

Step 4: Add the group to Restricted Groups, and edit the settings.

Step 5: Make the group a member of local groups ‘Performance Monitor Users’, ‘Event Log Readers’ and ‘Distributed COM Users’.
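
One way to confirm on the target machines that the policy applied, and that the group did not also end up in Administrators. This is an added example, not part of the Argent article or product; the domain name CONTOSO and the server names are placeholders, and it assumes PowerShell remoting is enabled on the targets and that an administrator runs it.

```powershell
# Added example: audit local group membership after the Restricted Groups
# policy from Steps 1-5 has been pushed out.
$Domain    = 'CONTOSO'                          # placeholder NetBIOS domain name
$Group     = "$Domain\Non-Admin-Monitor-Users"  # domain group from Step 1
$Computers = 'SERVER01', 'SERVER02'             # placeholder target machines
$Required  = 'Performance Monitor Users', 'Event Log Readers', 'Distributed COM Users'

$results = Invoke-Command -ComputerName $Computers -ArgumentList $Group, $Required `
    -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
    param($Group, $Required)

    function Test-Member($LocalGroup, $Principal) {
        # Direct members only; domain principals are listed as DOMAIN\name.
        try {
            $members = Get-LocalGroupMember -Name $LocalGroup -ErrorAction Stop
            [bool]($members | Where-Object { $_.Name -ieq $Principal })
        } catch {
            $null   # group could not be read; reported as not OK below
        }
    }

    # The three groups the policy should have populated.
    foreach ($g in $Required) {
        [pscustomobject]@{ LocalGroup = $g; Expected = $true
                           Actual = (Test-Member $g $Group) }
    }
    # Least-privilege check: the monitoring group must not be a local admin.
    [pscustomobject]@{ LocalGroup = 'Administrators'; Expected = $false
                       Actual = (Test-Member 'Administrators' $Group) }
}

# One row per machine and local group; Ok is False on any mismatch or read error.
$results |
    Select-Object PSComputerName, LocalGroup, Expected, Actual,
        @{ Name = 'Ok'; Expression = { $_.Expected -eq $_.Actual } } |
    Sort-Object PSComputerName, LocalGroup |
    Format-Table -AutoSize

# Machines that could not be reached are reported rather than silently skipped.
$failed | ForEach-Object { Write-Warning $_.Exception.Message }
```

Machines that have not yet refreshed Group Policy will show Actual as False for the three required groups until the next policy refresh.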

For Services monitoring, Windows does not provide a similar local group to allow non-admin users to remotely connect to the SCM (Service Control Manager) or individual services.

Argent AT has included a utility called ARGSOFT_GRANT_SCM_ACCESS.EXE to make life easier.

To grant READ access to the entire SCM, run the following at a command prompt on the target machine.

ARGSOFT_GRANT_SCM_ACCESS account

To grant READ access to a specific service, run the following at a command prompt on the target machine.

ARGSOFT_GRANT_SCM_ACCESS account service_name

Limitation

1. The customer has to execute the above command on EACH target machine.

2. The utility can grant READ access only. Full service control requires local admin privilege.

3. The utility currently does not support undo.

4. The utility does not support Windows 2019 and above in Argent AT 2201-A and earlier. Upgrade to Argent AT 2204-A or later for Windows 2019 and above support.