SoftTree Technologies SoftTree Technologies
Technical Support Forums
RegisterSearchFAQMemberlistUsergroupsLog in
Permissions / cant modify job time

 
Reply to topic    SoftTree Technologies Forum Index » 24x7 Scheduler, Event Server, Automation Suite View previous topic
View next topic
Permissions / cant modify job time
Author Message
Eric.Charbonneau



Joined: 03 Nov 2016
Posts: 8
Country: United States

Post Permissions / cant modify job time Reply with quote
Hello,

We are having a weird issue. It seems that the users group needs some sort of write permission to the c:\24x7 folder and if it does not have that permission we get errors as well as not being able to modify the job times in the web console. It reverts job times back to 00:00

When we grant the users group "write" permissions to c:\24x7 we can launch the desktop scheduler and change job trimes in the web console BUT we get flagged by our security software for allowing users to write to c:\24x7 and c\24x7\bin

Can you give us best practices on how to permission the folders?
Tue Jul 16, 2019 11:13 am View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7034

Post Reply with quote
If Windows UAC is enabled, group permissions don't have any impact on the folder access. You need to give explicit permission to the account running the scheduler. If you also allow users to run it in graphical desktop mode, then also to every user who runs it.
Tue Jul 16, 2019 12:43 pm View user's profile Send private message
Eric.Charbonneau



Joined: 03 Nov 2016
Posts: 8
Country: United States

Post Reply with quote
SysOp wrote:
If Windows UAC is enabled, group permissions don't have any impact on the folder access. You need to give explicit permission to the account running the scheduler. If you also allow users to run it in graphical desktop mode, then also to every user who runs it.



I have done this and its still an issue if UAC is enabled on the servers which is a policy in my organization.


the 24x7 service is running as local system. I gave local system + all the users explicitly full control on the c:\24x7 directory. Is there anything else i can to do resolve this?
Tue Jan 14, 2020 10:52 am View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7034

Post Reply with quote
I'd like to clarify the setup.

If you have the 24x7 running as a service using LocalSystem account, and you use the 24x7 web console to connect to it and make the changes, the changes are made actually by the service using the local system account, and so UAC is not a factor and doesn't interfere in this case.

But if you remote desktop to the server, and start 24x7 in the desktop mode, you run it under your own account, and all the changes you make are saved using your account, which is a subject to UAC restrictions.
Tue Jan 14, 2020 12:00 pm View user's profile Send private message
Eric.Charbonneau



Joined: 03 Nov 2016
Posts: 8
Country: United States

Post Reply with quote
SysOp wrote:
I'd like to clarify the setup.

If you have the 24x7 running as a service using LocalSystem account, and you use the 24x7 web console to connect to it and make the changes, the changes are made actually by the service using the local system account, and so UAC is not a factor and doesn't interfere in this case.

But if you remote desktop to the server, and start 24x7 in the desktop mode, you run it under your own account, and all the changes you make are saved using your account, which is a subject to UAC restrictions.


We run this under the web console. When I disable UAC the problem goes away but once the GPO enables itself again. The problem returns... Now this is only an issue when we need to modify a job but i would like to find a working solution to this.


The 24x7 Scheduler and the Web Console are both running under "Local Service". We login to the web console using our active directory credentials.

Thank You
Tue Jan 14, 2020 4:39 pm View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7034

Post Reply with quote
Per Microsoft docs, LocalSystem has complete access to the local system and UAC cannot do anything about it.
https://docs.microsoft.com/en-us/windows/win32/ad/the-localsystem-account

Are you sure it's actually .\LocalSystem and not some other domain account with similar spelling?

Are the files located on a network share mapped using some other account by any chance?
Tue Jan 14, 2020 6:35 pm View user's profile Send private message
Display posts from previous:    
Reply to topic    SoftTree Technologies Forum Index » 24x7 Scheduler, Event Server, Automation Suite All times are GMT - 4 Hours
Page 1 of 1

 
Jump to: 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


 

 

Powered by phpBB © 2001, 2005 phpBB Group
Design by Freestyle XL / Flowers Online.