...
- For user switching the Agent has to be operated for a user account or service account, not for the system account.
- The credentials of the target user for which a job should be executed are not stored with JobScheduler configuration data. Instead the user account that runs the JobScheduler Windows Service stores credentials with the Windows Credential Manager. When a job should be executed then the JobScheduler Agent reads the credentials from the Windows Credential Manager. Reading credentials that have previously been stored using the same user account works without the need to specify a password. Therefore the solution is free from use of passwords.
- A login is performed with the target user credentials and the user's environment is active when executing the job.
...
- User switching applies to
- All job types (standalone jobs and job chain jobs)
- Shell Jobs
- API jobs in any of the supported languages
- Pre-processing and post-processing Monitors
...
Credential Manager
The Windows Credential Manager is accessible via its
...
- Open the Credential Manager GUI from the JobScheduler Agent account.
- English: Control Panel -> Credential Manager
- German: Systemsteuerung -> Anmeldeinformationsverwaltung
- Select the Credential Type
Windows Authentication->Generic- Add credential information to for a target user with the following input fields:
- Intenet or Netzwerkaddress
- For use with JobScheduler this field holds the "target name" of the crendentialscredentials.
- You are free to use any characters to specify a unique identifier for the credentials.
- User name
- The account
- for the target user can be specified by Unicode characters and digits including space, comma
- , _, -, \
- and @
- For
- For domain users specify the user principal name (UPN) in the format
username@DOMAIN- The format
DOMAIN\usernameis not supported
- The format
- For domain users specify the user principal name (UPN) in the format
- Password
- Intenet or Netzwerkaddress
- Add credential information to for a target user with the following input fields:
Manage credentials with the Command Line Interface
- CMD unter der
Agent-UserKennung starten.
- Open a Windows console window (
cmd.exe) for the JobScheduler Agent account.
Use the following commands to add credentials for a target user:
Code Block language bash # Add credentials for a local user cmdkey /generic:RUN_AS_JOBUSER
# Eintrag mit einem lokalen Benutzer hinzufügen/user:JOBUSER /pass:PASSWORD
# Eintrag mit einem Domain Benutzer hinzufügen# Add credentials for a domain user cmdkey /generic:RUN_AS_JOBUSER /user:JOBUSER@DOMAIN /pass:PASSWORD # Show all credentials cmdkey /list
Permissions
Permissions are required for the JobScheduler Agent account and for the target user of a job.
- To manage permissions switch to
- English:
Control panel-> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment - German: Systemsteuerung -> Verwaltung -> Lokale Sicherheitsrichlinie -> Lokale Richtlinien -> Zuweisen von Benutzerrechten
- English:
- Right-click a permission and use the
Properties -> Add user or groupaction.
...
# Alle Einträge anzeigencmdkey /listPermissions for the Agent Account
xxxEnglish: Replace a process level token- German:
Ersetzen eines Tokens auf Prozessebene
xxxEnglish: Adjust memory quotas for a process- German:
Anpassen von Speicherkontingenten für einen Prozess
Load target user profile
If the profile of the target user should be loaded then the Agent account requires the Administrator role, see LoadUserProfile, and permissions:
xx- English:
Back up files and directories - German:
Sichern von Dateien und Verzeichnissen
- English:
- xx
- English:
Restore files and directories - German:
Wiederherstellen von Dateien und Verzeichnissen
- English:
Hints
Restart the JobScheduler Agent Windows Service in order to apply changes to roles and permissions.
Permissions for Target User
- English:
Log on as a batch job - German:
Anmelden als Stapelverarbeitungsauftrag - x
Prerequisites
...