Mark_Shoger
15 years ago

Odd permission issue with HADHelper and EV

Hi all,
 
Got an interesting issue. We're using EV8SP2 on top of VCS 5.1. As you know, the HADHelper service needs to have certain rights associated with the VCS service account to make things work properly in the cluster. You can assign those rights using the EVRIGHTS utility.
 
When we check our rights, we should see this:
C:\>hadhelper /showconfig
Logon user  = fqdn.removed\_VCS_SERVICE.
Security ID = removed.
 
The user has following privileges:
 * SeTcbPrivilege (Act as part of the operating system).
 * SeBackupPrivilege (Back up files and directories).
 * SeIncreaseQuotaPrivilege (Adjust memory quotas for a process).
 * SeIncreaseBasePriorityPrivilege (Increase scheduling priority).
 * SeRestorePrivilege (Restore files and directories).
 * SeServiceLogonRight (Log on as a service).
 
'*' denotes permissions required for HADHelper service.
 
The command completed successfully.
 
What we actually see is this:
C:\>hadhelper /showconfig
Logon user  = fqdn.removed\_VCS_SERVICE.
Security ID = removed.
The user has following privileges:
 * SeTcbPrivilege (Act as part of the operating system).
 * SeBackupPrivilege (Back up files and directories).
 * SeIncreaseQuotaPrivilege (Adjust memory quotas for a process).
 
'*' denotes permissions required for HADHelper service.
 
Missing priveledges required for HADHelper service.
 
 * SeIncreaseBasePriorityPrivilege (Increase scheduling priority).
 * SeRestorePrivilege (Restore files and directories).
 * SeServiceLogonRight (Log on as a service).
 
The command completed successfully.
 
If we use the EVRIGHTS command to re-assign the rights, they appear to work fine for a time. Within 24 hours, they're gone again. What we're pretty sure we're seeing is a GPO re-setting the perms. However, NOTHING BREAKS!
 
Here's what we found yesterday. The 3 perms that are "working" are all ones that are listed in the RSOP summary as "Not Defined." The 3 that are "broken" all have entries defined for them. Now the entries that are defined are all correct, i.e., the VCS service account is a member of the groups that are listed for those rights.
 
So our thinking is that the HADHelper utility isn't handling those permission reports properly because nothing is broken, but it apparently doesn't like not being the one in control of those rights.
 
Has anyone seen this or anything like it before? Is there a fix/need to fix this?
  • Hi Mark,

    It sounds like the HADHelper utility is not getting the expected response when probing the permissions.  There is nothing kept on who or what assigns the permissions so I would think that the correct value is not being returned when the GPO sets it.  If everything is working fine I would not worry about it.  However, if you are concerned then it would require that the GPO be altered.

    Thanks,
    Wally
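
The distinction this thread turns on, a right assigned directly to the service account versus one it holds only through a group named in a GPO, can be checked offline against the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` export. This is an added example, not part of the original posts and not HADHelper's own logic (the thread does not say how HADHelper probes rights); the domain, group names and membership set are constructed.

```python
# Rights HADHelper lists as required (taken from the /showconfig output in the thread).
REQUIRED = [
    "SeTcbPrivilege", "SeBackupPrivilege", "SeIncreaseQuotaPrivilege",
    "SeIncreaseBasePriorityPrivilege", "SeRestorePrivilege", "SeServiceLogonRight",
]

# Constructed sample in the INF layout written by `secedit /export /areas USER_RIGHTS`.
# EXAMPLE\..., the group names and the assignments are hypothetical.
SAMPLE_INF = r"""
[Privilege Rights]
SeTcbPrivilege = EXAMPLE\_VCS_SERVICE
SeBackupPrivilege = *S-1-5-32-544,EXAMPLE\_VCS_SERVICE
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,EXAMPLE\_VCS_SERVICE
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-544,EXAMPLE\Backup Admins
SeServiceLogonRight = EXAMPLE\Cluster Services
[Version]
signature="$CHICAGO$"
"""

# Constructed: groups (by name or *SID) the service account is assumed to belong to.
MEMBER_OF = {"*S-1-5-32-544", "EXAMPLE\\Cluster Services"}

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def classify(rights, account, member_of, required=REQUIRED):
    """Label each required right 'direct', 'via-group' or 'missing' for the account."""
    groups = {g.lower() for g in member_of}
    result = {}
    for right in required:
        holders = {p.lower() for p in rights.get(right, [])}
        if account.lower() in holders:
            result[right] = "direct"
        else:
            result[right] = "via-group" if holders & groups else "missing"
    return result

if __name__ == "__main__":
    report = classify(parse_privilege_rights(SAMPLE_INF), r"EXAMPLE\_VCS_SERVICE", MEMBER_OF)
    for right, status in report.items():
        print(f"{status:10} {right}")
```

A right reported as `via-group` is effective for the account even though a check that looks only at direct assignments would list it as missing; `missing` means neither the account nor any of its groups is named for that right.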