Exoprise CloudReady® Help

How to Change Private Site Log On and Permissions

Article ID: 98
Last updated: 07 Oct, 2015

If you would like to change the account that a CloudReady Private Site is running under (or logging in as) then you will have some extra work to do. CloudReady Private Sites require permissions to the filesystem, C:\ProgramData\Exoprise, and the account that the Private Sites are running under requires the ability to stop and start its own service. Yes, Windows Accounts, by default, do not have permission to stop their own services.

This article will discuss four possible options for how you can correct or alter the account that the Private Site is running under. If these steps are not followed then sensors will not run correctly and your Private Site will not be upgradeable. If the Private Site is not upgradeable then it will eventually stop running. You only have to choose one option to change the account for the CloudReady Private Site - not all 4 options.

1. Uninstall and re-install the Private Site

If you are logged into the machine running the Private Site and you have already installed the Secure Management Shell then you can follow these steps to change the account:

  1. Open the Exoprise Management Client and Sign In to CloudReady
  2. From the left menu, click Sites -> Manage Local Site
  3. Uninstall the site
  4. Re-Install the site by clicking on the Manage Local Site menu item again
  5. Make sure to choose the same private key otherwise your existing sensors will need to be re-configured
  6. When you re-install choose your new account to run the sensors as

Uninstalling and re-installing the Private Site as a different account ensures that the account has the right permissions to the file system (C:\ProgramData\Exoprise, C:\Program Files (x86)\Exoprise\Service) as well as permission to start, stop and control the Private Site service itself.

2. Change the account using the command line to adjust the permissions

If you've installed a site already as an account and would like to change the account that the Win32 Service runs under, then you can run an exosvcshell.exe command line to ensure that it has the right permissions. Here are the steps to update the service entries and to assure that the right file permissions are set within the file system:

  1. Open a command prompt with Administrative privileges (Run-as Administrator)
  2. Stop the service using
    net stop exosvcshell
  3. Navigate to where the CloudReady Private Site is installed. This is C:\Program Files (x86)\Exoprise\Service
  4. Run the exosvcshell.exe with the following command-line:
    exosvcshell.exe --set-account --service-user <account to run service> --service-password <password for service account>
  5. Restart the service and make sure that your sensors are running correctly. To restart the service use:
    net start exosvcshell

3. Give Local Administrator Rights to the Account that the Private Site is Running as

A third way of keeping the Private Site self-updating after you've changed the account that the service runs as is to give the account Local Administrative privileges on the OS where the Private Site is installed. This may be the easiest way to ensure that the CloudReady Private Site is self-upgradeable and has the proper file permissions needed.

4. Use SubInACL to change the service permission for the account

If you've already changed the account that the Private Site is running as, possibly through the Services snap-in, then you will need to give the right permissions to the filesystem and service control for the account that is running the Private Site.

Folder Permissions

Because CloudReady Sensors are dynamically deployable to Private Sites, the account that the Private Site runs under needs to have full control of the C:\ProgramData\Exoprise folder and its child folders. You can change this through Windows Explorer.

  1. Open the File Explorer
  2. Navigate to the C:\ProgramData folder. It is sometimes hidden.
  3. In the right pane, right click on the Exoprise folder and select Properties
  4. Click the Security Tab, then click Edit
  5. Add Full Control permissions for the account (local or domain) to the folder

Because CloudReady Private Sites are self-healing and self-updating, the account needs to have permissions to write to the C:\Program Files (x86)\Exoprise\Service folder. Follow the instructions just above for the C:\Program Files (x86)\Exoprise\Service folder for the same account.

Service Control

Because CloudReady Private Sites are self-healing and self-updating, the account that the service is running as (also referred to as the 'Log On As' account) needs to have permissions to stop and restart the Private Site service (exosvcshell). By default, even if a service is running as an account, that account does not have permission to stop and start the service itself.

To change the permissions for a service, you will need to download the SubInACL.exe tool from Microsoft. This command line utility enables you to view and change permissions for different objects in the Windows system.

Download the SubInACL.exe tool from Microsoft

To give permission to the account that the Private Site is running under do the following:

  1. Download and extract the SubInACL tool from Microsoft
  2. Open a command prompt and navigate to where you extracted the utility
  3. Grant the pause, start and stop permissions to the account for the Private Site service (exosvcshell), for example:

subinacl.exe /service exosvcshell /grant=DOMAIN\username=PTO

More information about the utility and permissions can be found here: http://support2.microsoft.com/default.aspx?scid=kb;en-us;288129.
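
To confirm the result of option 4, the following added example (not Exoprise's code) reads the service security descriptor with `sc.exe sdshow` and the two folder ACLs with `Get-Acl`, then reports whether the account holds the rights described above. `DOMAIN\username` is the article's placeholder; the check counts only allow entries that name the account directly, so rights held through group membership (for example option 3's local Administrators) or expressed as generic rights are not detected.

```powershell
# Added example, not Exoprise code. Run from an elevated PowerShell prompt.
param(
    [string]$Account = 'DOMAIN\username',  # placeholder account from the article
    [string]$Service = 'exosvcshell'
)

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Service rights behind /grant=...=PTO: start 0x10, stop 0x20, pause/continue 0x40
$needSvc = 0x10 -bor 0x20 -bor 0x40
$out = & sc.exe sdshow $Service
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow ${Service} failed: $out" }
$sddl = ($out | Where-Object { $_.Trim() } | Select-Object -First 1).Trim()
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$svcMask = 0
foreach ($ace in $sd.DiscretionaryAcl) {
    # Only allow-ACEs naming the account itself; group membership is not expanded
    if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier -eq $sid) {
        $svcMask = $svcMask -bor $ace.AccessMask
    }
}
[pscustomobject]@{
    Target = "service $Service"
    Needs  = 'start, stop, pause/continue'
    Ok     = (($svcMask -band $needSvc) -eq $needSvc)
}

# Folder rights: full control for sensor deployment, write for self-update
$folders = [ordered]@{
    'C:\ProgramData\Exoprise' = [System.Security.AccessControl.FileSystemRights]::FullControl
    'C:\Program Files (x86)\Exoprise\Service' = [System.Security.AccessControl.FileSystemRights]::Write
}
foreach ($path in $folders.Keys) {
    $need = [int]$folders[$path]
    $have = 0
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and $r.IdentityReference -eq $sid) {
            $have = $have -bor [int]$r.FileSystemRights
        }
    }
    [pscustomobject]@{
        Target = $path
        Needs  = $folders[$path].ToString()
        Ok     = (($have -band $need) -eq $need)
    }
}
```

Any row with `Ok` set to `False` points to the grant that still has to be made for that service or folder.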

5. Controlling permissions using Group Policy

You can also control the required permissions from Active Directory Group Policy. As with the above configuration there are folder permissions that need to be granted as well as control of the Private Site service (exosvcshell).
