Impersonation on Windows Systems

For agents running on Windows platforms, Deployment Automation provides a program that handles impersonation.

You implement impersonation for Windows-based agents the same way you do for UNIX- or Linux-based agents. When you configure a process step, you specify the credentials that will be used to login on the agent when the step is processed. This is a different user than the user under which the agent normally runs.

To run process steps on a Windows agent, the user must:

• have a user name and password stored on the target agent computer
• be part of the Administrators group
• have, at a minimum, the following privileges:

SE_INCREASE_QUOTA_NAME (adjust memory quotas for a process)
SE_ASSIGNPRIMARYTOKEN_NAME (replace a process-level token)
SE_RESTORE_NAME (Restore files and directories)
SE_BACKUP_NAME (Back up files and directories)
SE_TCB_NAME (Act as part of the operating system; Required for Windows Vista and later)
   

In addition, they must have at least one of the following logon permissions.

    
SE_INTERACTIVE_LOGON_NAME (Log on locally)
SE_SERVICE_LOGON_NAME (Log on as a service)
SE_BATCH_LOGON_NAME (Log on as a batch job)