User impersonation on Windows

For agents running on Windows platforms, Deployment Automation provides a program that handles impersonation.

You implement impersonation for Windows-based agents the same way you do for UNIX- or Linux-based agents. When you configure a process step, you specify the credentials that are used to log in on the agent when the step is processed. This user is different from the user under which the agent normally runs.

To run process steps on a Windows agent, the user must:

  • have a user name and password stored on the target agent computer
  • be part of the Administrators group
  • have, at a minimum, the following privileges:
      • SE_INCREASE_QUOTA_NAME (Adjust memory quotas for a process)
      • SE_ASSIGNPRIMARYTOKEN_NAME (Replace a process-level token)
      • SE_RESTORE_NAME (Restore files and directories)
      • SE_BACKUP_NAME (Back up files and directories)
      • SE_TCB_NAME (Act as part of the operating system; required for Windows Vista and later)

In addition, the user must have at least one of the following logon permissions:

  • SE_INTERACTIVE_LOGON_NAME (Log on locally)
  • SE_SERVICE_LOGON_NAME (Log on as a service)
  • SE_BATCH_LOGON_NAME (Log on as a batch job)
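The privilege and logon requirements above can be checked against a user-rights export from the agent machine. The following is an added example, not part of the Deployment Automation documentation: it parses the `[Privilege Rights]` section of a file produced by `secedit /export /areas USER_RIGHTS` and reports which required privileges are missing for an impersonation account. The sample export, the account SID and the function names are constructed for illustration.

```python
# Map the SE_* constant names used on this page to the user-right
# names that appear in a secedit USER_RIGHTS export.
REQUIRED = {
    "SE_INCREASE_QUOTA_NAME": "SeIncreaseQuotaPrivilege",
    "SE_ASSIGNPRIMARYTOKEN_NAME": "SeAssignPrimaryTokenPrivilege",
    "SE_RESTORE_NAME": "SeRestorePrivilege",
    "SE_BACKUP_NAME": "SeBackupPrivilege",
    "SE_TCB_NAME": "SeTcbPrivilege",
}
LOGON_ANY = {
    "SE_INTERACTIVE_LOGON_NAME": "SeInteractiveLogonRight",
    "SE_SERVICE_LOGON_NAME": "SeServiceLogonRight",
    "SE_BATCH_LOGON_NAME": "SeBatchLogonRight",
}

# Constructed sample export; the S-1-5-21-...-1105 SID is a made-up account.
SAMPLE_INF = """\
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            # Holders are SIDs prefixed with '*' or plain account names.
            names = (h.strip().lstrip("*").upper() for h in holders.split(","))
            rights[name.strip()] = {n for n in names if n}
    return rights

def audit(inf_text, principals):
    """principals: the account's SID plus the SIDs of every group it belongs to."""
    rights = parse_rights(inf_text)
    mine = {p.upper() for p in principals}
    missing = [c for c, r in REQUIRED.items() if not rights.get(r, set()) & mine]
    logon = [c for c, r in LOGON_ANY.items() if rights.get(r, set()) & mine]
    return {"missing": missing, "logon_rights": logon, "ok": not missing and bool(logon)}
```

secedit writes its export as UTF-16, so open a real file with `encoding="utf-16"` before passing its text to `audit`. A right that is assigned to no one is absent from the export, which the function reports as missing.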