If you would like to change the account that a CloudReady Private Site is running under (or logging in as) then you will have some extra work to do. CloudReady Private Sites require permissions to the filesystem, C:\ProgramData\Exoprise, and the account that the Private Sites are running under requires the ability to stop and start its own service. Yes, Windows Accounts, by default, do not have permission to stop their own services.
This article will discuss four possible options for how you can correct or alter the account that the Private Site is running under. If these steps are not followed then sensors will not run correctly and your Private Site will not be upgradeable. If the Private Site is not upgradeable then it will eventually stop running. You only have to choose one option to change the account for the CloudReady Private Site - not all 4 options.
1. Uninstall and re-install the Private Site
If you are logged into the machine running the Private Site and you have already installed the Secure Management Shell then you can follow these steps to change the account:
Uninstalling and re-install the Private Site as a different account will make sure that they account has the right permissions to the file system (C:\ProgramData\Exoprise, C:\Program Files (x86)\Exoprise\Service) as well as the permission to start/stop and control the Private Site service itself.
2. Change the account using the command line to adjust the permissions
If you've installed a site already as an account and would like to change the account that the Win32 Service runs under, then you can run an exosvcshell.exe command line to ensure that it has the right permissions. Here are the steps to update the service entries and to assure that the right file permissions are set within the file system:
3. Give Local Administrator Rights to the Account that the Private Site is Running as
A third way of mitigating the self-updating Private Site process after you've changed the account that the service runs as it to give the account Local Administrative privileges to the OS where the Private Site is installed. This may be the easiest way to ensure that the CloudReady Private Site is self-upgradeable and has the proper file permissions needed.
4. Use SubInACL to change the service permission for the account
If you've already changed the account that the Private Site is running as, possibly through the Services snap-in, then you will need to give the right permissions to the filesystem and service control for the account that is running the Private Site.
Because CloudReady Sensors are dynamically deployable to Private Sites, the account that the Private Site runs under needs to be have full control to the C:\ProgramData\Exoprise folder and its child folders. You can change this through Windows Explorer.
Because CloudReady Private Sites are self-healing and self-updating, the account needs to have permissions to write to the C:\Program Files (x86)\Exoprise\Service folder. Follow the instructions just above for the C:\Program Files (x86)\Exoprise\Service folder for the same account.
Because CloudReady Private Sites are self-healing and self-updating, the account that the service is running as (also referred to as 'Log On' as) needs to have permissions to stop and restart the Private Site service (exosvcshell). By default, even if a service is running as an account that account does not have permission to stop and start itself.
To change the permissions for a service, you will need to download the SubInACL.exe tool from Microsoft. This command line utility enables you to view and change permissions for different objects in the Windows system.
To give permission to the account that the Private Site is running under do the following:
More information about the utility and permissions can be found here: http://support2.microsoft.com/default.aspx?scid=kb;en-us;288129.
5. Controlling permissions using Group Policy
You can also control the required permissions from Active Directory Group Policy. As with the above configuration there are folder permissions that need to be granted as well as control of the Private Site service (exosvcshell).