Scope
- The Universal Agent frequently runs under the system account or a service account and executes jobs within the context and permissions of that account.
- Running a job as a different user involves logging in as that user, optionally loading the user profile, and executing commands in that context.
- User switching applies to
  - All job types (standalone jobs and job chain jobs)
  - Shell Jobs
  - API jobs in any of the supported languages
  - Pre-processing and post-processing Monitors
- This article applies to the Universal Agent for Windows only. For Unix environments there is no need for scheduler-based user switching as the built-in `sudo` and `su` capabilities provide this functionality.
...
Use the following commands to add credentials for a target user:
Adding credentials with the cmdkey.exe utility

```
# Add credentials for a local user
cmdkey /generic:run_as_jobuser /user:jobuser /pass:password

# Add credentials for a domain user
cmdkey /generic:run_as_jobuser /user:jobuser@DOMAIN /pass:password

# Show all credentials
cmdkey /list
```
Permissions
...
Icacls
Error Code: COM-80020009
...
```
COM-80020009 java.lang.RuntimeException: Windows command failed: C:\Windows\System32\icacls.exe => JOBUSER: No mapping between account names and security IDs was done.
```
...
Error Code: WINDOWS-1326
```
WINDOWS-1326 (LogonUser) Logon failure: The user name or password is incorrect.
```

```
WINDOWS-1326 (LogonUser) Anmeldung fehlgeschlagen: unbekannter Benutzername oder falsches Kennwort.
```
- Job user: the credentials in the Credential Store are wrong.
  - Strictly speaking, only the password can be wrong, because the user name was already accepted in the preceding step (`icacls`); `icacls` throws an exception if the user name is not known.
  - Alternatively, the wrong syntax `DOMAIN\username` is used for a domain user instead of `username@DOMAIN`: `icacls` can handle `DOMAIN\username`, but JobScheduler `LogonUser` cannot (only `username@DOMAIN`).
  - Check, for example, with `runas` or by running CMD as this user.
Error Code: WINDOWS-1385
```
WINDOWS-1385 (LogonUser) Logon failure: the user has not been granted the requested logon type at this computer.
```

```
WINDOWS-1385 (LogonUser) Anmeldung fehlgeschlagen: Der Benutzer besitzt nicht den benötigten Anmeldetyp auf diesem Computer.
```

- Permission: SE_BATCH_LOGON_NAME
  - English: Log on as a batch job
  - German: Anmelden als Stapelverarbeitungsauftrag
LoadUserProfile
Error Code: WINDOWS-1314
...
The Agent account is not assigned the following permissions:
- Permission: SE_BACKUP_NAME
  - English: Back up files and directories
  - German: Sichern von Dateien und Verzeichnissen
- Permission: SE_RESTORE_NAME
  - English: Restore files and directories
  - German: Wiederherstellen von Dateien und Verzeichnissen
Error Code: WINDOWS-5
The Agent user is not an administrator.

```
WINDOWS-5 (LoadUserProfile) Access is denied
```

```
WINDOWS-5 (LoadUserProfile) Zugriff verweigert
```

- The job is configured to load the target user profile but the Agent account is not assigned the Administrator role.
- This role is required for the Agent account if the target user profile should be loaded.
API-Job stderr
`jobscheduler_agent_<port>.log`
- The permissions for the job user have to be set manually for this file (read, write).
```
[info] SCHEDULER-726 Task runs on remote scheduler http://localhost:5445
[info] SCHEDULER-918 state=starting (at=2017-08-02 15:00:47.803+0200)
[info] [stderr] log4j:ERROR setFile(null,true) call failed.
[info] [stderr] java.io.FileNotFoundException: <agent_data>\logs\jobscheduler_agent_<port>.log (Access is denied)
[info] [stderr] at java.io.FileOutputStream.open0(Native Method)
[info] [stderr] at java.io.FileOutputStream.open(Unknown Source)
[info] [stderr] at java.io.FileOutputStream.<init>(Unknown Source)
[info] [stderr] at java.io.FileOutputStream.<init>(Unknown Source)
[info] [stderr] at org.apache.log4j.FileAppender.setFile(FileAppender.java:294)
[info] [stderr] at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:165)
[info] [stderr] at org.apache.log4j.DailyRollingFileAppender.activateOptions(DailyRollingFileAppender.java:223)
[info] [stderr] at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:307)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parseAppender(DOMConfigurator.java:295)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.findAppenderByName(DOMConfigurator.java:176)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.findAppenderByReference(DOMConfigurator.java:191)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parseChildrenOfLoggerElement(DOMConfigurator.java:523)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parseCategory(DOMConfigurator.java:436)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parse(DOMConfigurator.java:1004)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:872)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:778)
[info] [stderr] at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(OptionConverter.java:483)
[info] [stderr] at org.apache.log4j.LogManager.<clinit>(LogManager.java:127)
[info] [stderr] at org.slf4j.impl.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:64)
[info] [stderr] at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:285)
[info] [stderr] at com.sos.scheduler.engine.common.scalautil.Logger$.apply(Logger.scala:104)
[info] [stderr] at com.sos.scheduler.engine.taskserver.TaskServerMain$.<init>(TaskServerMain.scala:22)
[info] [stderr] at com.sos.scheduler.engine.taskserver.TaskServerMain$.<clinit>(TaskServerMain.scala)
[info] [stderr] at com.sos.scheduler.engine.taskserver.TaskServerMain.main(TaskServerMain.scala)
[info] [stderr] log4j:ERROR Either File or DatePattern options are not set for appender [file].
```
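One way to set the read and write permissions for the job user on `jobscheduler_agent_<port>.log`, as an added example that is not part of the original page or the JobScheduler distribution. The script parameters `$LogFile` and `$JobUser` are hypothetical names; the script first checks that the account resolves to a SID, which is the condition behind the `icacls` error COM-80020009 shown earlier.

```powershell
# Added example: grant a job user Read and Write on the Agent log file.
# $LogFile and $JobUser are placeholders for this installation's values.
# Run from an elevated session; Set-Acl needs the right to change the file's ACL.
param(
    [Parameter(Mandatory)] [string] $LogFile,   # <agent_data>\logs\jobscheduler_agent_<port>.log
    [Parameter(Mandatory)] [string] $JobUser    # e.g. jobuser or DOMAIN\jobuser
)

$ErrorActionPreference = 'Stop'

# 1. Confirm the account name maps to a SID. An unknown name is what makes
#    icacls report "No mapping between account names and security IDs".
$account = [System.Security.Principal.NTAccount]::new($JobUser)
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
} catch [System.Security.Principal.IdentityNotMappedException] {
    throw "Account '$JobUser' cannot be resolved to a SID; check spelling and domain."
}

# 2. Add an explicit allow rule for Read and Write only (not Modify or
#    FullControl) and keep every existing entry on the file.
$rights = [System.Security.AccessControl.FileSystemRights]'Read, Write'
$rule   = [System.Security.AccessControl.FileSystemAccessRule]::new(
              $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -LiteralPath $LogFile
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $LogFile -AclObject $acl

# 3. Read the ACL back and confirm the grant is present for that SID.
$granted = (Get-Acl -LiteralPath $LogFile).GetAccessRules(
               $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $rights) -eq $rights
    }
if (-not $granted) { throw "Read/Write for '$JobUser' is not present on $LogFile." }
"Granted Read, Write on $LogFile to $JobUser ($sid)"
```

The grant is limited to the single log file, so the job user gains no access to other files in the Agent's log directory.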