3.3 Creating a Service Account

The central computer uses a service account, which is a Windows user account, to log on to the database server, central computer, and agent computers.

3.3.1 Understanding Service Account Requirements

All Sentinel Agent Manager service accounts must meet the following requirements in order for Sentinel Agent Manager to function properly:

  • The account must be a domain account.

  • The account cannot have a blank password.

  • The account must be in a trusted domain or in the same domain as the database server and reporting server.

  • The account must be a member of the local Administrators group on the central computer and on every agent computer that the central computer manages in its own domain. If you want the service account to be able to install agents in other trusted domains, it must also be a member of the local Administrators group on every agent computer that the central computer will manage in those trusted domains.

  • The account must be able to access the private keys of self-signed certificates installed in the LocalMachine certificate store on the central computer. When you install a Sentinel Agent Manager central computer, the setup program creates a self-signed certificate and installs the certificate and corresponding private key in the LocalMachine > NetIQ Security Manager certificate store.
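The following script is an added example and is not part of the NetIQ documentation or product. It checks a candidate service account against the requirements above before you run setup: that it is a domain account (by comparing the account's domain SID with this computer's machine SID, because local accounts also carry S-1-5-21 SIDs) and that it is a member of the local Administrators group on each listed computer. It assumes PowerShell 5.1 or later on a domain-joined computer that is not a domain controller, WinRM enabled on the target computers, and an elevated caller; the account and computer names are placeholders.

```powershell
# Added example, not NetIQ's own code. Checks a candidate service account against
# the requirements above before installation. Assumed: PowerShell 5.1 or later on
# a domain-joined (non-domain-controller) computer, WinRM enabled on each target
# computer, and an elevated caller. Account and computer names are placeholders.
param(
    [string]   $ServiceAccount = 'CORP\svc-sam',                       # placeholder DOMAIN\user
    [string[]] $Computers      = @('CENTRAL01', 'AGENT01', 'AGENT02')  # placeholders
)

$ntAccount  = [System.Security.Principal.NTAccount]$ServiceAccount
$accountSid = [System.Security.Principal.SecurityIdentifier] $ntAccount.Translate(
                  [System.Security.Principal.SecurityIdentifier])

# Requirement 1: a domain account. Local accounts also get S-1-5-21 SIDs, so the
# reliable test is that the account's domain SID differs from this computer's
# machine SID (taken from the built-in Administrator, whose RID is always 500).
$machineSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.AccountDomainSid
$isDomainAccount = ($accountSid.Value -like 'S-1-5-21-*') -and
                   ($accountSid.AccountDomainSid.Value -ne $machineSid.Value)

$results = @([pscustomobject]@{
    Check  = 'Domain account'
    Target = $ServiceAccount
    Passed = $isDomainAccount
    Detail = $accountSid.Value
})

# Requirement 2: member of the local Administrators group on the central computer
# and on every managed agent computer. Membership is compared by SID so that
# display-name differences do not matter. Only direct membership is reported;
# membership through a nested domain group shows up as a failure here.
foreach ($computer in $Computers) {
    try {
        $memberSids = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            (Get-LocalGroupMember -Group 'Administrators').SID.Value
        }
        $passed = $memberSids -contains $accountSid.Value
        $detail = if ($passed) { 'direct member' } else { 'not a direct member' }
    } catch {
        $passed = $false
        $detail = "query failed: $($_.Exception.Message)"
    }
    $results += [pscustomobject]@{
        Check  = 'Local Administrators'
        Target = $computer
        Passed = $passed
        Detail = $detail
    }
}

# Not automated here: the blank-password rule (set a long random password and
# verify it interactively) and the trust relationship to the database server
# and reporting server domains.
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

Run it from the computer that will become the central computer, with the full list of agent computers it will manage. A row marked "not a direct member" for an account that is in Administrators through a domain group is a limitation of the check, not of the account; confirm such cases by hand, because setup and agent installation still need the effective membership.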

NOTE:

  • If your enterprise has a password expiration policy, consider exempting the service account from it: when the password expires, the services that log on with the account stop starting on every computer that uses it. Because the account is a local administrator on every managed computer and holds the user rights listed in Section 3.3.2, compensate for the exemption with a long, randomly generated password and monitor the account's logons.

  • If you want to monitor computers in different domains and do not want the central computers to share a common service account, you can install multiple central computers with different service accounts. However, for redundancy to function properly, ensure the service account used by each backup central computer is a member of the local Administrators group on all agents managed by the primary central computer. For more information about configuring primary and backup central computers, see the NetIQ Agent Manager User Guide.

  • After you install Sentinel Agent Manager using your service account, NetIQ does not recommend modifying service account permissions. Sentinel Agent Manager uses the service account to run services and access configuration information in the AgentManager and AgentManagerCommon databases. If you modify service account permissions either on Sentinel Agent Manager component computers or in SQL Server, Sentinel Agent Manager may no longer be able to function.

NOTE: If the service account cannot access the private key for the default Sentinel Agent Manager certificate, the NetIQ Sentinel Agent Manager service cannot start, and the central computer logs event 21337 in the Application event log.

To resolve this issue, review the access control list (ACL) of the key container file and ensure the service account has at least Read and Execute permissions. The event 21337 description identifies the key container file name. The file is in the %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys folder (on Windows Vista and later, %ALLUSERSPROFILE%\Application Data is a junction to %ProgramData%, so the same folder is %ProgramData%\Microsoft\Crypto\RSA\MachineKeys). Each key container is a separate file with its own ACL, so repeat the check if the certificate is regenerated. For more information about key containers, see the Microsoft Key Storage and Retrieval documentation.
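The following script is an added example and is not part of the NetIQ documentation or product. It carries out the check described in the note above: it prints the most recent event 21337, locates the key container file behind each certificate with a private key in the installer's store, and reports whether the service account is directly granted at least Read and Execute on that file, optionally adding the missing ACE. It assumes an elevated session on the central computer, that the store is visible to PowerShell as Cert:\LocalMachine\NetIQ Security Manager (the store name the text gives; the path form is an assumption), and that the key is a CAPI RSA key, which is the MachineKeys case the note describes. The account name is a placeholder.

```powershell
# Added example, not NetIQ's own code. Finds the key container file behind each
# certificate in the store the installer creates and checks that the service
# account has at least Read and Execute on it. Assumed: an elevated session on
# the central computer, the store is visible as Cert:\LocalMachine\NetIQ Security
# Manager, and the key is a CAPI RSA key (the MachineKeys case described above).
# The account name is a placeholder.
param(
    [string] $ServiceAccount = 'CORP\svc-sam',                              # placeholder
    [string] $StorePath      = 'Cert:\LocalMachine\NetIQ Security Manager',  # assumed path
    [switch] $Grant                                                           # add the missing ACE
)

$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$required    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$accountSid  = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value

# The most recent event 21337 names the key container the service failed to open.
$last = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 21337 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($last) { Write-Host "Last event 21337 ($($last.TimeCreated)): $($last.Message)" }

foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object HasPrivateKey) {
    # For CAPI keys X509Certificate2.PrivateKey is an RSACryptoServiceProvider whose
    # UniqueKeyContainerName is the file name under MachineKeys. Reading it needs
    # access to the key, which Administrators normally have. CNG keys return null
    # here and live under %ProgramData%\Microsoft\Crypto\Keys instead.
    try { $rsa = $cert.PrivateKey } catch { $rsa = $null }
    if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        Write-Warning "$($cert.Thumbprint): private key is not a CAPI RSA key, skipping"
        continue
    }
    $file = Join-Path $machineKeys $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $acl  = Get-Acl -Path $file

    # Sum the Allow ACEs granted directly to the account. Rights inherited through
    # group membership are not counted; generic rights (negative values) are not mapped.
    $effective = [System.Security.AccessControl.FileSystemRights] 0
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate(
                          [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity, cannot be our account
        if ($aceSid -eq $accountSid) { $effective = $effective -bor $ace.FileSystemRights }
    }
    $ok = (($effective -band $required) -eq $required)
    '{0}  {1}  {2}' -f $cert.Thumbprint, $file, $(if ($ok) { 'OK' } else { 'MISSING Read and Execute' })

    if (-not $ok -and $Grant) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'ReadAndExecute', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $file -AclObject $acl
        "  granted Read and Execute to $ServiceAccount on $file"
    }
}
```

Run it without -Grant first and compare the file name it prints with the one in the event 21337 description; run it again with -Grant only for that file's certificate. If the account is meant to get access through a group, the script reports MISSING even when the effective access is sufficient, so in that case confirm the group's ACE by hand rather than adding a direct one.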

3.3.2 Understanding Service Account Permissions Added by Sentinel Agent Manager

When you install Sentinel Agent Manager, the setup program adds the following user rights to your new service account:

  • Act as part of the operating system

  • Create a token object

  • Log on as a batch job

  • Log on as a service

The first two rights (SeTcbPrivilege and SeCreateTokenPrivilege in Local Security Policy exports) let a process create or impersonate a token for any account on that computer, so a compromise of the service account gives an attacker full control of every computer where they are assigned. Protect the account's password accordingly, do not remove these rights after installation (see the note in Section 3.3.1), and audit changes to the assignments (Security log event 4704, "A user right was assigned").
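The following script is an added example and is not part of the NetIQ documentation or product. It verifies after setup that the four user rights listed above are assigned to the service account on the computer where it runs, by exporting the local security policy with secedit and reading the [Privilege Rights] section, where the rights appear under their policy constant names. It assumes an elevated session; the account name is a placeholder.

```powershell
# Added example, not NetIQ's own code. Verifies after installation that the four
# user rights listed above are assigned to the service account on this computer,
# by exporting the local security policy with secedit and reading the
# [Privilege Rights] section. Assumed: an elevated session; the account name is a
# placeholder.
param([string] $ServiceAccount = 'CORP\svc-sam')   # placeholder

# Policy constant names for the four rights, as they appear in the secedit export.
$expected = [ordered]@{
    SeTcbPrivilege         = 'Act as part of the operating system'
    SeCreateTokenPrivilege = 'Create a token object'
    SeBatchLogonRight      = 'Log on as a batch job'
    SeServiceLogonRight    = 'Log on as a service'
}

function ConvertTo-Sid([string] $Name) {
    # Export entries are either *S-1-... or an account name; normalise both to a SID string.
    if ($Name.StartsWith('*')) { return $Name.Substring(1) }
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Name }
}

$accountSid = ConvertTo-Sid $ServiceAccount
$cfg = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated session' }

# Lines look like:  SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
$granted = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $granted[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { ConvertTo-Sid $_.Trim() })
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

$missing = @()
foreach ($right in $expected.Keys) {
    $has = $granted[$right] -contains $accountSid
    '{0,-24} {1,-40} {2}' -f $right, $expected[$right], $(if ($has) { 'granted' } else { 'MISSING' })
    if (-not $has) { $missing += $right }
}
if ($missing) { exit 1 }
```

Run it on the central computer once setup has finished. A MISSING row for a right that a domain Group Policy also governs usually means the policy overwrote the local assignment at the next refresh; in that case the fix belongs in the Group Policy object, not in a manual edit of the local policy.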