Considerations for Windows™ domain controllers running Microsoft™ Active Directory
If you want to install an HCL Workload Automation fault-tolerant agent on workstations where the users who run jobs are domain users and the domain controller is running Microsoft™ Active Directory, decide how to install the agents and how to configure the domain so that the jobmon process obtains the information it needs to allow the users to run jobs.
About this task
Before running a job, jobmon retrieves information about the user running the job. If the user is a domain user and the domain controller is running Microsoft™ Active Directory, whether the user information can be retrieved depends on the access control list (ACL) of that user. The main jobmon process that runs the job is started as the local system account (NT AUTHORITY\SYSTEM), but it immediately impersonates the TWS_user that owns the fault-tolerant agent. This means that for jobmon to successfully launch the job, the TWS_user must have an access control entry (ACE) in the ACL of the user for which it is trying to retrieve information.
- Enable the TWS_user to access a set of users that run jobs
  - On the domain server, edit the ACL of all users that run jobs on the workstation and add an ACE for each TWS_user. In this case, only specified users can run the jobs submitted by jobmon.
- Allow all users to run jobs submitted by jobmon by using the TWS_BYPASS_DC=TRUE system variable
  - Create the TWS_BYPASS_DC=TRUE system variable, with a non-null value, and reboot the workstation. In this case, jobmon obtains the user information without performing the security check for the ACE in the ACL of the user. All the local and domain users can run the jobs submitted by jobmon.
- Allow all users to run jobs submitted by jobmon by setting the TWS_user as a domain user
  - Set up the TWS_user as a Windows™ domain user and install the instance of HCL Workload Automation using the TWS_user. In this case, all authenticated users on the domain controller can access the default ACL for a domain user. Jobs can then be launched by both local and domain users. All the local and domain users can run the jobs submitted by jobmon.
- Exclude the workstation from the security check on the users' ACL
  - On the domain server, add the host name of the workstation where the fault-tolerant agent is installed to the Pre-Windows 2000-Compatible Access Group. In this way, from a security point of view, the domain controller interacts with this workstation as if it were in a Windows™ domain that does not support Active Directory. In this case, all the local and domain users can run the jobs submitted by jobmon. In addition, the domain controller does not prevent any local or domain users from running other processes that are not controlled by HCL Workload Automation.
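
The first option above (an ACE for the TWS_user on each user that runs jobs) can be scripted with the ActiveDirectory PowerShell module. This is an added example, not HCL's own code: the account names are placeholders, and the use of GenericRead is an assumption, because the page does not state which rights jobmon needs.

```powershell
# Added example: check each job user's ACL for a TWS_user ACE and add one if missing.
# Run as a domain administrator on a host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TwsUser  = 'EXAMPLE\twsuser'     # placeholder: the TWS_user that owns the agent
$JobUsers = 'jobuser1', 'jobuser2' # placeholder: sAMAccountNames of users that run jobs
# Assumption: read access is sufficient; the page does not name the required rights.
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# Resolve the account to a SID so the comparison does not depend on name format.
$sid = ([System.Security.Principal.NTAccount]$TwsUser).Translate(
    [System.Security.Principal.SecurityIdentifier])

foreach ($name in $JobUsers) {
    $dn   = (Get-ADUser -Identity $name).DistinguishedName
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path

    # Look at explicit and inherited allow ACEs already held by the TWS_user.
    $existing = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $Rights) -eq $Rights
        }

    if ($existing) {
        Write-Output "$name : ACE for $TwsUser already present"
        continue
    }

    # Grant only the assumed read right, only on this user object.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "$name : added read ACE for $TwsUser"
}
```

Keeping the list of job users explicit preserves the property the first option describes: only the specified users can run the jobs submitted by jobmon.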