When adding a node (Windows Server 2016), I'm choosing between the WMI and agent polling methods.
If I choose "Agent", it appears that the account I input into the credential box will only be used for install and that the local agent will run as "Local System", right?
Is there a way that we can specify the "Log On As" user to be a domain service account instead of "Local System"? (And do this in the SolarWinds configuration instead of doing it manually after the install?)
We wanted a little more control over the user that the SolarWinds service is running as and we haven't figured out how to configure SolarWinds agents to run as a certain user (besides changing it after the install).
You are right, the credentials used for deployment are used for deployment only; the agent then runs under the Local System account. If you want to change it, then there is indeed no way to do it from the website, only by changing it manually on the target machine. The documentation does not exist for this, because we do not officially support it with the current code base -> you should create a Feature Request.
For the error with the certificate you are facing, it seems that the user does not have access to C:/ProgramData/Microsoft/Crypto/RSA/MachineKeys, where the agent certificate used for communication with the poller is stored.
The Agent runs under the local system account by default. This can be changed under the Windows Service Manager to run as any user account you desire with whatever permissions you wish. That could, however, impact what the agent is ultimately able to poll on that endpoint based on the permissions of the user account the Agent is running under. This could also affect updates/upgrades of the Agent, which at a minimum, would need to be done manually to ensure the agent continues to run under that newly created user’s context.
@tony.johnson - thanks for the information.
I have been doing a bit of research on this as well and am trying to discern the appropriate permissions and configuration to achieve. So far, while I believe it's certainly possible... I think the primary focus is to run the agent under a least-privileged domain account for most users so as to avoid it having "LOCAL SYSTEM" (e.g. local administrator-like permissions).
I started out my journey here in this article... https://support.solarwinds.com/SuccessCenter/s/article/How-to-create-a-non-administrator-user-for-SA.... This was able to at least speak to the permissions required to poll WMI, DCOM etc. I did some initial testing to understand some of this with just a WMI node etc. The rest though, as it relates to running the SolarWinds Agent service in Windows, I've been testing with and got it to a point where it starts and then complains about being unable to open the agent certificate. Not sure what that issue may be yet, maybe because the certs are under local machine in the "SolarWinds Agent" certificate store, and the user cannot access... or the user cannot access the private machine key perhaps. I haven't done any triage on that yet...
I'm sure there are additional steps to allow for proper agent functionality and to allow running of a Windows service (like allowing Logon as a service).
Ultimately anything I find out (if successful lol) I'll definitely end up sharing for the community at large here and perhaps a new DOC. Provided that's if it's not already documented. I couldn't find anything though.
Any help would be greatly appreciated. Thank you!
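
The two prerequisites raised in this thread (access to the MachineKeys directory and the "Log on as a service" right) can be inspected before switching the service account. The following is an added example, not code from any poster or from SolarWinds; the service name and the account are placeholders to replace with your own values, and the script only reads state.

```powershell
# Added example: read-only checks for running the agent service under a domain account.
# $ServiceName and $Account are placeholders (assumptions), not values from the thread.
param(
    [string]$ServiceName = '<agent-service-name>',
    [string]$Account     = 'EXAMPLE\svc-agent'
)

$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# 1. Account the service is currently configured to log on as.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

# 2. Resolve the account to a SID so comparisons do not depend on name formatting.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 3. ACEs on the MachineKeys directory that name the account directly.
#    Access granted through group membership is not evaluated here.
$aces = (Get-Acl -Path $keyDir).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid }

# 4. "Log on as a service" (SeServiceLogonRight) from the local security policy.
#    secedit needs an elevated prompt; entries are '*SID' or account names.
$tmp = [System.IO.Path]::GetTempFileName()
try {
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $tmp -Pattern '^SeServiceLogonRight\s*=' |
        Select-Object -First 1
} finally {
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
}
$hasRight = ($holders -contains "*$sid") -or ($holders -contains $Account)

[pscustomobject]@{
    Service             = $svc.Name
    LogOnAs             = $svc.StartName
    Account             = $Account
    DirectAcesOnKeyDir  = @($aces | ForEach-Object { "$($_.AccessControlType): $($_.FileSystemRights)" }) -join '; '
    LogOnAsServiceRight = $hasRight
}
```

Each key file inside MachineKeys carries its own ACL, so a clean result on the directory does not by itself show that the account can read the agent's private key.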