I have read in the Control-M/Agent guide that BMC recommends using AD groups to run jobs on servers; however, I see no documentation on how to setup this up or how it works. Currently we add individual accounts to each agent on the servers, but this becomes burdensome with 20+ accounts on 15+ different servers. Any information or a point the right direction would be grateful.
Thanks,
Configure Control-M agents to use AD groups
Administrative work at individual agent server is unavoidable. It is assumed that all agent servers are in a Windows domain, that they are member servers and that they have "logon as user" enabled.
Hope this help.
- Create a local group at an agent server.
- Permit the group in local security policy according to agent installation manual.
- Add the desired domain user(s) or domain group(s) into the local group.
Hope this help.
I complete "gglau":
If there is a single domain and all the agents are in the domain:
1) create a domain user with the right to run scripts on all agents
2) on all agent after installation start the agent services with the user created in step 1.
The problem can be some agents that arent in a domain: that in the DMZ for example. For these agents there must be a local user instead of the domain user, but normaly are a few agents.
For these agents for the 6.3 version is possible also use agentless tecnology if possible.
If there is a single domain and all the agents are in the domain:
1) create a domain user with the right to run scripts on all agents
2) on all agent after installation start the agent services with the user created in step 1.
The problem can be some agents that arent in a domain: that in the DMZ for example. For these agents there must be a local user instead of the domain user, but normaly are a few agents.
For these agents for the 6.3 version is possible also use agentless tecnology if possible.