Permissions and rights that are required by the Veritas Cluster Server Helper, or HADHelper, service in Veritas Storage Foundation and High Availability Solutions for Windows
Article: TECH31331 | Created: 2004-01-30 | Updated: 2012-05-16 | Article URL: http://www.symantec.com/docs/TECH31331
Problem
Permissions and rights that are required by the Veritas Cluster Server Helper, or HADHelper, service in Veritas Storage Foundation and High Availability Solutions for Windows
Cause
The VCS (Veritas Cluster Server) Helper, or HADHelper, is the service that VCS uses to perform many operations that require administrator permissions.
Solution
SECTION 1 - Required Permissions
The user account that is used by the HADHelper service must have permissions that are equivalent to the following:
1. Local Administrator for each node.
2. Domain User
Note: Membership in the Domain Users group is sufficient if the Domain Users group is itself a member of the Local Administrators group on each node.
SECTION 2 - Required Rights
The account that is used by the HADHelper service must have the following rights:
1. Act as part of the operating system
2. Back up files and directories
3. Adjust memory quotas for a process
4. Increase scheduling priority
5. Restore files and directories
6. Log on as a service
7. Add workstations to Domain (this is available by default to all Authenticated Users)
To view the rights that have been granted to the HADHelper account, run the following command:
hadhelper /showconfig
This command will return a list that shows whether or not the HADHelper account has been assigned the required rights.
The hadhelper /showconfig command uses a Microsoft Application Programming Interface (API) function called "LsaEnumerateAccountRights", which reports only the rights that are assigned explicitly to the user account in the security policy. It does not display privileges that the account inherits through group membership.
To automatically assign the required rights to the HADHelper account, run the following command:
HADHelper /configure /user:<user_name> [/password:<password>]
If the "/user:<user_name> [/password:<password>]" switch is not entered, the command prompts for the username and password.
Note: The command does not check or add the "Add workstations to Domain" right. In addition, it does not check group memberships.
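Because hadhelper /showconfig reports only explicitly assigned rights, the following added example (not Symantec's code or part of VCS) parses a local security policy export and shows, for each right listed in Section 2, whether the account holds it explicitly, only through a group, or not at all. The function name Get-HadHelperRightSource is hypothetical, the export lines and SIDs are constructed sample data, and the Se* names are the Windows constants for the listed rights.

```powershell
# Article's display names mapped to the Windows constants that appear in the
# [Privilege Rights] section of a "secedit /export /areas USER_RIGHTS" file.
$RequiredRights = [ordered]@{
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Back up files and directories'       = 'SeBackupPrivilege'
    'Adjust memory quotas for a process'  = 'SeIncreaseQuotaPrivilege'
    'Increase scheduling priority'        = 'SeIncreaseBasePriorityPrivilege'
    'Restore files and directories'       = 'SeRestorePrivilege'
    'Log on as a service'                 = 'SeServiceLogonRight'
    'Add workstations to domain'          = 'SeMachineAccountPrivilege'
}

# Hypothetical helper (not part of VCS): reports, per required right, whether
# the account holds it explicitly, only through a group, or not at all.
function Get-HadHelperRightSource {
    param([string[]]$PolicyLines, [string]$AccountSid, [string[]]$GroupSids)
    $holders = @{}
    foreach ($line in $PolicyLines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            # Entries are comma-separated "*SID" values; names are left as-is.
            $holders[$right] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    foreach ($name in $RequiredRights.Keys) {
        $assigned = @($holders[$RequiredRights[$name]])
        $viaGroup = @($GroupSids | Where-Object { $assigned -contains $_ })
        $source = if ($assigned -contains $AccountSid) { 'Explicit' }
                  elseif ($viaGroup.Count -gt 0) { "Group: $($viaGroup -join ', ')" }
                  else { 'Not assigned' }
        [pscustomobject]@{ Right = $name; Constant = $RequiredRights[$name]; Source = $source }
    }
}

# Constructed sample export lines and SIDs (not from a real system). On a node,
# use: secedit /export /areas USER_RIGHTS /cfg rights.inf; Get-Content rights.inf
$sample = @(
    '[Privilege Rights]'
    'SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105'
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551'
    'SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551'
    'SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544'
    'SeIncreaseBasePriorityPrivilege = *S-1-5-32-544'
    'SeServiceLogonRight = *S-1-5-80-0'
)
Get-HadHelperRightSource -PolicyLines $sample `
    -AccountSid 'S-1-5-21-1111111111-2222222222-3333333333-1105' `
    -GroupSids 'S-1-5-32-544' | Format-Table -AutoSize
```

Entries that the export writes as account names instead of SIDs are not matched by this sketch and would need to be translated to SIDs first.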
Legacy ID
267061