Permissions and rights that are required by the Veritas Cluster Server Helper, or HADHelper, service in Veritas Storage Foundation and High Availability Solutions for Windows

Article:TECH31331  |  Created: 2004-01-30  |  Updated: 2014-04-07  |  Article URL http://www.symantec.com/docs/TECH31331
Article Type
Technical Solution

Product(s)


Issue



Permissions and rights that are required by the Veritas Cluster Server Helper, or HADHelper, service in Veritas Storage Foundation and High Availability Solutions for Windows


Cause



The VCS (Veritas Cluster Server) Helper, or HADHelper, is the service that VCS uses to perform many operations that require administrator permissions.
 


Solution



SECTION 1 - Required Permissions

The user account that is used by the HADHelper service must have permissions that are equivalent to the following:

1. Local Administrator for each node.
2. Domain User

Note: It is sufficient if the account is a member of the Domain Users group if Domain Users group is itself a member of the Local Administrators group on each node.


SECTION 2 - Required Rights

The account that is used by the HADHelper service must have the following rights:

1. Act as part of the operating system
2. Back up files and directories
3. Adjust memory quotas for a process
4. Increase scheduling priority
5. Restore files and directories
6. Log on as a service
7. Add workstations to Domain (this is available by default to all Authenticated Users)

To view the rights that have been granted to the HADHelper account, run the following command:

hadhelper /showconfig

This command will return a list that shows whether or not the HADHelper account has been assigned the required rights.

The hadhelper /showconfig command uses a Microsoft internal Application Programming Interface (API) function called "LsaEnumerateAccountRights".
 
It does not display the privileges inherited by virtue of Group Membership. However, explicit user Security Policy Membership is required.

To automatically assign the required rights to the HADHelper account, run the following command:

HADHelper /configure /user:<user_name> [/password:<password>]

If the "/user:<user_name> [/password:<password>]" switch is not enter the command will prompt for the username and password

Note: The command does not check or add the "Add workstations to Domain" right. In addition, it does not check group memberships.
 


Legacy ID



267061


Article URL http://www.symantec.com/docs/TECH31331


Terms of use for this information are found in Legal Notices