User impersonation on Windows
For agents running on Windows platforms, Deployment Automation provides a program that handles impersonation.
You implement impersonation for Windows-based agents the same way you do for UNIX- or Linux-based agents. When you configure a process step, you specify the credentials that will be used to login on the agent when the step is processed. This is a different user than the user under which the agent normally runs.
To run process steps on a Windows agent, the user must:
- have a user name and password stored on the target agent computer
- be part of the Administrators group
- have, at a minimum, the following privileges:
SE_INCREASE_QUOTA_NAME (adjust memory quotas for a process) SE_ASSIGNPRIMARYTOKEN_NAME (replace a process-level token) SE_RESTORE_NAME (Restore files and directories) SE_BACKUP_NAME (Back up files and directories) SE_TCB_NAME (Act as part of the operating system; Required for Windows Vista and later)
In addition, they must have at least one of the following logon permissions. SE_INTERACTIVE_LOGON_NAME (Log on locally) SE_SERVICE_LOGON_NAME (Log on as a service) SE_BATCH_LOGON_NAME (Log on as a batch job)