Don't get me wrong, for at least 95% of our infrastructure we have no issue/hassle using an account with no local admin privileges. We don't use the processes probe on Windows except for special cases, for example. And again, to apply patches no change was required; it is only for the cumulative patches on the primary hub/cabi that we had an extra step at the beginning and end to add and then remove the local admin privileges. It didn't add much to the effort or time to the maintenance window.
Original Message:
Sent: Sep 04, 2024 02:21 PM
From: Larry Fitzgerald
Subject: Converting DX UIM installation to non-admin user
Thanks for the feedback Andrew. I'll be on the lookout for items like you mentioned during the process of converting in Dev. If it comes down to having to elevate the account privileges for upgrades, we may just leave as is. I'll have to see what the pain level of doing that in our environment would be.
Original Message:
Sent: Sep 03, 2024 03:01 AM
From: Andrew Cooper
Subject: Converting DX UIM installation to non-admin user
Also, if the robot is not in the local admin group, some probes (e.g. processes) don't work properly as they need some elevated/special privileges to access the OS. The actual privileges are not documented as Broadcom assumes the robot is running with local admin privileges. To overcome this we moved from using a user/service account to MSA for the robots, and left local admin privileges if needed, as well as doing Luc's style workaround with enabling elevated privileges during upgrades.
Not fun, I agree, but it made our security team much happier about our privileged access stance.
------------------------------
Knows a little about UIM/DXim, AE, Automic
Original Message:
Sent: Sep 02, 2024 03:51 PM
From: Luc Christiaens
Subject: Converting DX UIM installation to non-admin user
I changed the Nimsoft service back to use the administrator account (= the userid that I used during initial install) and redeployed cabi.
That install/upgrade worked without problems.
Afterwards I removed the logon with a userid for the service and everything continued to work fine.
Original Message:
Sent: 9/2/2024 3:06:00 PM
From: Larry Fitzgerald
Subject: RE: Converting DX UIM installation to non-admin user
Thanks for the reply Luc. So, what did you end up doing? Removing cabi and wasp probe and deploy again?
Larry
Original Message:
Sent: Sep 02, 2024 06:52 AM
From: Luc Christiaens
Subject: Converting DX UIM installation to non-admin user
If you remove the Nimsoft service admin user, I think that an upgrade of Cabi will fail.
I had this while upgrading to cu2:
aug 16 12:40:42:484 [Thread-1, cabi] [exec] [create-ks] A new encryption key and a new keystore are about to be created. Any previously created key and keystore will become invalid and the corresponding passwords unusable. If you think this JasperReports Server instance already has a keystore configured by another OS user, stop this process and configure the path in keystore.init.properties file, then run this command again. See the JasperReports Server Security Guide for details. Do you want to continue? (y/N)
aug 16 12:40:42:484 [Thread-1, cabi] [exec]
aug 16 12:40:42:484 [Thread-1, cabi] [exec] BUILD FAILED
aug 16 12:40:42:484 [Thread-1, cabi] [exec] C:\Nimsoft\c\buildomatic\build.xml:44: The following error occurred while executing this line:
aug 16 12:40:42:485 [Thread-1, cabi] [exec] C:\Nimsoft\c\buildomatic\bin\setup.xml:354: Keystore creation was canceled.
Original Message:
Sent: Aug 23, 2024 03:53 PM
From: Larry Fitzgerald
Subject: Converting DX UIM installation to non-admin user
Hello All,
Currently the account running the Nimsoft Robot service on Primary Hub and OC servers is in the Local Admins group. We've also used this account to log in to the server locally and run the installs/upgrades. Is this just as simple as removing it from local admin, granting the account Logon as Service rights and Full Control to the UIM Installation folder? Does anyone know of any other gotchas they've encountered when trying to do this?
Thanks,
Larry
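Added example, not part of the thread and not Broadcom tooling: a read-only PowerShell audit of the three items the original question lists (local Administrators membership, the Logon as Service right, Full Control on the install folder), useful before and after an upgrade window where admin rights are temporarily restored. The service display-name pattern and the `C:\Nimsoft` path are assumptions to adjust for your environment; run it from an elevated prompt because `secedit` requires it.

```powershell
# Added example: read-only audit of the robot service account. Makes no changes.
param(
    [string]$ServiceFilter = '*Nimsoft*',   # assumed display-name pattern
    [string]$InstallPath   = 'C:\Nimsoft'   # assumed install folder
)

$svc = Get-CimInstance Win32_Service |
    Where-Object DisplayName -like $ServiceFilter | Select-Object -First 1
if (-not $svc) { throw "No service matching '$ServiceFilter' found." }

$account = $svc.StartName
if ($account -eq 'LocalSystem') {
    Write-Output "$($svc.Name) runs as LocalSystem (full local privileges)."
    return
}
# Local accounts are stored as ".\name"; expand so the name resolves to a SID.
$account = $account -replace '^\.\\', "$env:COMPUTERNAME\"
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid = ([System.Security.Principal.NTAccount]$account).Translate($sidType).Value

# 1. Direct membership of BUILTIN\Administrators (well-known SID S-1-5-32-544).
#    Membership inherited through a nested domain group is not expanded here.
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -eq $sid })

# 2. Logon as Service right, read from an export of the effective local policy.
#    Entries are "*<SID>" or plain names; rights granted via a group are not resolved.
$tmp = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $tmp -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $tmp -ErrorAction SilentlyContinue
$holders = @()
if ($line) { $holders = ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } }
$hasLogonRight = ($holders -contains "*$sid") -or ($holders -contains $account)

# 3. Allow rule granting Full Control on the install folder, explicit or inherited.
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$rules = (Get-Acl -Path $InstallPath).GetAccessRules($true, $true, $sidType)
$hasFullControl = [bool]($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $sid -and
    $_.FileSystemRights.HasFlag($full)
})

[pscustomobject]@{
    Service                  = $svc.Name
    Account                  = $account
    InLocalAdministrators    = $isAdmin
    HasLogonAsService        = $hasLogonRight
    FullControlOnInstallPath = $hasFullControl
}
```

If `InLocalAdministrators` is still `True` after a maintenance window, the temporary elevation described in the replies was not rolled back.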