Windows user domain rights and structure

About this task

If you install on Windows operating systems, consider the following information.

For the installation:
  • You cannot have a local user and a domain user with the same name. For example, you cannot have user1 as a local user and, at the same time, user1@domain1 and domain\user1.
  • The Windows user performing an agent installation must:
    • For a local HCL Workload Automation user, be a member of the local administrative group
    • For a domain HCL Workload Automation user, be a member of the domain "users" group in the domain controller and be a member of the local administrative group.
For Windows HCL Workload Automation users:
All Windows HCL Workload Automation users must have the following user permissions. They can be granted locally. Domain level policies always override local policies, so you might be required to grant the permissions from the domain:
  • Act as part of the operating system
  • Allow log on locally
  • Impersonate a client after authentication
  • Log on as a batch job
  • Log on as a service
  • Replace a process level token
  • Adjust memory quotas for a process (available on some configurations only)
Note: These rights are granted during the installation, but you can confirm them manually.
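One way to confirm the rights manually, as an added example that is not part of the HCL documentation: the script exports the user-rights area of the security policy with secedit and reports, for each right listed above, whether the account is named directly. The account name MYDOMAIN\twsuser is a placeholder; run the script from an elevated PowerShell session.

```powershell
# Added example: check the user rights listed on this page for one account.
# 'MYDOMAIN\twsuser' is a placeholder account name (assumption).
param([string]$Account = 'MYDOMAIN\twsuser')

# Windows privilege constants for the rights listed above.
$required = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeImpersonatePrivilege        = 'Impersonate a client after authentication'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process'
}

# secedit writes most principals as *<SID>, so resolve the account to its SID.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the user-rights area of the current system policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }

    # Parse 'SeXxx = *S-1-5-...,name,...' lines into a lookup table.
    $assigned = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $assigned[$Matches[1]] = $Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }

    foreach ($priv in $required.Keys) {
        $holders = @($assigned[$priv])
        [pscustomobject]@{
            Right    = $required[$priv]
            Constant = $priv
            # True only when the account itself is listed, by SID or by name.
            Direct   = ($holders -contains $sid) -or ($holders -contains $Account)
            Holders  = ($holders -join ', ')
        }
    }
}
finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
```

A right held through group membership appears under the group's SID in the Holders column, so Direct = False does not by itself mean the right is missing. An empty Holders value means no principal is assigned that right on this machine.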
To run HCL Workload Automation command lines:
On Windows operating systems with UAC disabled:
In addition to standard Windows permissions, to log on to the machine, the user must be granted the "Impersonate a client after authentication" permission. By default, this permission is granted only to members of the "Administrators" group. It is required to impersonate the TWS user and access the HCL Workload Automation Mailbox.
On Windows operating systems with UAC enabled:
This is the default value. The "Impersonate a client after authentication" permission is not available to the user unless the cmd shell is started with the "Run as administrator" permission. To run HCL Workload Automation command lines, the user must have the "Impersonate a client after authentication" permission defined and then start the shell with the "Run as administrator" permission, authenticating with their own user ID.
For the Streamlogon user:
The user must have the "Log on as a batch job" permission to allow HCL Workload Automation to create the job process. In addition, you must assign the user "Read" and "Read & execute" permissions on cmd.exe. Instead of assigning them to a single user, you can assign the "Read" and "Read & execute" permissions on cmd.exe to the BATCH built-in group.
To manage HCL Workload Automation agents:
The user must be in the Administrators group or must be able to perform "Run as" as twsuser to reset the HCL Workload Automation files if a recovery is needed.