Add or Remove the AgilePoint Service Account in Your Windows Administrators Group
To manage the AgilePoint Service Account in the Windows Administrators group on your AgilePoint Server machine, do the procedures in this topic.
Prerequisites
- AgilePoint NX OnPremises or AgilePoint NX Private Cloud.
- The pre-installation instructions are complete.
- AgilePoint Server is installed and configured.
- Sign in to the AgilePoint Server machine as an administrator.
Good to Know
- When the AgilePoint Server is installed, the AgilePoint Service Account is added to these groups:
  - Administrators
  - Performance Monitor Users
  - IIS_IUSRS
  - adHocAdmin
    The adHocAdmin group is required for Report Center.
For information about the various AgilePoint NX administrator accounts and administrator roles, refer to Administrator Types and Permission Groups.
- For security reasons, some organizations want to delete the AgilePoint Service Account from the Windows Administrators group. The AgilePoint Service Account must be a member of the Administrators group during installation and upgrade. However, you can delete the AgilePoint Service Account from this group during normal operations.
- The AgilePoint Service Account must be a member of all other required Windows groups during normal operations.
Delete the AgilePoint Service Account from the Windows Administrators Group on the AgilePoint Server Machine
To delete the AgilePoint Service Account from the Windows Administrators group on the AgilePoint Server machine, do the procedure in this topic.
How to Start
- On your AgilePoint Server machine, click Start, and type Run.
- Click Run.
- On the Run screen, in the Open field, enter services.msc.
- Click OK.
Procedure
- Stop these Windows services:
  - Data Services
    - Function: AgilePoint Data Services.
    - Default Value: AgilePointDataServices
  - AgilePoint Server Instance
    - Function: The Windows service associated with an AgilePoint Server instance.
    - Default Value: AgilePointServerInstance
  - W3SVC
    - Function: Controls the HTTP protocol and HTTP performance counters for IIS.
    - Default Value: W3SVC
- Delete the AgilePoint Service Account from the Windows group, Administrators.
- Add the AgilePoint Service Account to the Windows group, Event Log Readers.
Give Windows Registry and Event Log Access to the AgilePoint Service Account
To give Windows Registry access permission to the AgilePoint Service Account, do the procedure in this topic.
Good to Know
- If you delete the AgilePoint Service Account from the Windows Administrators group, you must give permission to the AgilePoint Service Account to access the Windows event logs and some Registry keys.
Prerequisites
How to Start
- On your AgilePoint Server machine, click Start, and type Run.
- Click Run.
- In the Open field, enter regedit.
- Click OK.
Procedure
- Right-click each of the following registry nodes to add the AgilePoint Service Account. Set the Permissions to Full Control:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Ascentn
Give AgilePoint File System Access Permission to the AgilePoint Service Account
To give the AgilePoint file system access to the AgilePoint Service Account, do the procedure in this topic.
Good to Know
- If you delete the AgilePoint Service Account from the Windows Administrators group, you must complete this procedure so that AgilePoint NX can write logs and save and delete temporary files.
Prerequisites
How to Start
- On your AgilePoint Server machine, go to the NX Portal installation folder: C:\Program Files\AgilePoint\AgilePointWebApplication\AgilePointPortal.
Procedure
- Right-click the AgilePoint folder, and click Properties.
- On the AgilePoint Properties screen, on the Security tab, click Edit.
- On the Permissions for AgilePoint screen, on the Security tab, add the AgilePoint Service Account.
- Set the Permissions to Full Control.
Bind the AgilePoint Service Account to the AgilePoint Server Ports
To bind the AgilePoint Service Account to the AgilePoint Server ports, do the procedure in this topic.
Good to Know
- To let the AgilePoint Service Account create services on a portion of the HTTP URL namespace, you can bind the AgilePoint Service Account to the AgilePoint Server ports. A reservation is a URL prefix that covers all sub-paths of the reservation path.
Prerequisites
How to Start
- On your AgilePoint Server machine, right-click Start, and then click Command Prompt (Admin).
Procedure
- In the command prompt, run one of these groups of commands:
  The domain name is only necessary if your AgilePoint Service Account belongs to an Active Directory domain.
  - If AgilePoint Server uses SSL:
    - BasicHttp
      Format:
      netsh http add urlacl url=http://+:[BasicHttp port]/ user=[domain name]\[AgilePoint Service Account user name]
      Example:
      netsh http add urlacl url=http://+:13489/ user=MYDOMAIN\APServiceAdmin
    - WSHttp port
      Format:
      netsh http add urlacl url=http://+:[WSHttp port]/ user=[domain name]\[AgilePoint Service Account user name]
      Example:
      netsh http add urlacl url=http://+:13487/ user=MYDOMAIN\APServiceAdmin
    - TCP port
      Format:
      netsh http add urlacl url=http://+:[TCP port]/ user=[domain name]\[AgilePoint Service Account user name]
      Example:
      netsh http add urlacl url=http://+:13488/ user=MYDOMAIN\APServiceAdmin
    - WebHttp (Rest) port
      Format:
      netsh http add urlacl url=http://+:[WebHttp port]/ user=[domain name]\[AgilePoint Service Account user name]
      Example:
      netsh http add urlacl url=http://+:13490/ user=MYDOMAIN\APServiceAdmin
  - If AgilePoint Server does not use SSL:
    - BasicHttp
      Format:
      netsh http add urlacl url=http://+:[BasicHttp port]/ user=[domain name]\[AgilePoint Service Account user name]
      Example:
      netsh http add urlacl url=http://+:13489/ user=MYDOMAIN\APServiceAdmin
    - WSHttp port
      Format:
      netsh http add urlacl url=https://+:[WSHttp port]/ user=[domain name]\[AgilePoint Service Account user name]
      Example:
      netsh http add urlacl url=https://+:13487/ user=MYDOMAIN\APServiceAdmin
    - TCP port
      Format:
      netsh http add urlacl url=https://+:[TCP port]/ user=[domain name]\[AgilePoint Service Account user name]
      Example:
      netsh http add urlacl url=https://+:13488/ user=MYDOMAIN\APServiceAdmin
    - WebHttp (Rest) port
      Format:
      netsh http add urlacl url=https://+:[WebHttp port]/ user=[domain name]\[AgilePoint Service Account user name]
      Example:
      netsh http add urlacl url=https://+:13490/ user=MYDOMAIN\APServiceAdmin
Give Access to the AgilePoint Service Account to Start and Stop Windows Services
To give access to the AgilePoint Service Account to start and stop the AgilePoint Windows Services without being a Windows administrator, do the procedure in this topic.
Prerequisites
- Sign in to the AgilePoint Server machine as an administrator.
- Delete the AgilePoint Service Account from the Windows Administrators Group on the AgilePoint Server Machine.
- Download and install the subinacl.exe tool from Microsoft:
http://www.microsoft.com/en-us/download/details.aspx?id=23510
Good to Know
- If there is more than one AgilePoint server instance, do this procedure for each AgilePoint server instance.
To get the names of your AgilePoint server instances, refer to AgilePoint Server Manager.
- You must complete this procedure for these Windows services:
  - AgilePoint Server Instance
    - Function: The Windows service associated with an AgilePoint Server instance.
    - Default Value: AgilePointServerInstance
  - Data Services
    - Function: AgilePoint Data Services.
    - Default Value: AgilePointDataServices
  - W3SVC
    - Function: Controls the HTTP protocol and HTTP performance counters for IIS.
    - Default Value: W3SVC
How to Start
- On your AgilePoint Server machine, right-click Start, and then click Command Prompt (Admin).
- Change directories to the location of the subinacl.exe tool:
cd C:\Program Files (x86)\Windows Resource Kits\Tools\
Procedure
- To give permissions to a non-administrator user account to manage the Windows services, run these commands:
  Format:
  subinacl /SERVICE \\[MachineName]\[WindowsServiceName] /GRANT=[domain name]\[AgilePoint Service Account user name]=F
  The domain name is only necessary if your AgilePoint Service Account belongs to an Active Directory domain.
  Example:
  subinacl /SERVICE \\DESKTOP-0IBDKT5\AgilePointServerInstance /GRANT=MYDOMAIN\AgilePointAdmin=F
  subinacl /SERVICE \\DESKTOP-0IBDKT5\AgilePointDataServices /GRANT=MYDOMAIN\AgilePointAdmin=F
  subinacl /SERVICE \\DESKTOP-0IBDKT5\W3SVC /GRANT=MYDOMAIN\AgilePointAdmin=F
- Sign off the AgilePoint Server machine as the Windows administrator.
- Sign in to the AgilePoint Server machine with the AgilePoint Service Account.
- Start these Windows services:
  - AgilePoint Server instance
  - AgilePoint data services
  - W3SVC
- To test, do this procedure:
  - Make sure that there are no errors in the event logs related to the AgilePoint services.
    For more information, refer to Where Are the AgilePoint NX OnPremises Logs?.
  - Sign in to AgilePoint NX Portal, and make sure that all the modules operate correctly.
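The settings made in the procedures above can be confirmed in one pass before you rely on the event logs. The following PowerShell is an added example, not part of the AgilePoint product or its documentation; it only reads configuration. The account name, the folder path and the URL prefixes are assumptions based on this page's example values, so replace them with your own.

```powershell
# Added example: read-only audit. Run in an elevated PowerShell session.
$Account  = 'MYDOMAIN\APServiceAdmin'   # example name from this page; use your account
$Services = 'AgilePointServerInstance', 'AgilePointDataServices', 'W3SVC'
$Groups   = 'Performance Monitor Users', 'IIS_IUSRS', 'adHocAdmin', 'Event Log Readers'
$AclPaths = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
            'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security',
            'HKLM:\SOFTWARE\Ascentn',
            'C:\Program Files\AgilePoint'   # assumption: the AgilePoint folder you edited
# Assumption: list the prefixes exactly as you reserved them (scheme and port).
$Urls     = 'http://+:13489/', 'http://+:13487/', 'http://+:13488/', 'http://+:13490/'

# Resolve the account once; compare by SID and by canonical DOMAIN\name.
$sidObj = ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier])
$sid    = $sidObj.Value
$name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value

function Test-Member([string]$Group) {
    # Direct members only; access through a nested domain group is not expanded.
    [bool](Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $sid })
}
function Test-FullControl([string]$Path) {
    # Explicit or inherited Allow ACEs naming the account itself, on a key or a folder.
    [bool]((Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $name -and
        "$($_.RegistryRights)$($_.FileSystemRights)" -match 'FullControl' })
}
function Test-UrlAcl([string]$Url) {
    # netsh prints the reserved prefix and its user when the reservation exists.
    ((netsh http show urlacl url=$Url) -join "`n") -match [regex]::Escape($name)
}
function Test-ServiceAce([string]$Service) {
    # The grant made with subinacl appears as an Allow ACE for the SID in the service SDDL.
    ((sc.exe sdshow $Service) -join '') -match "\(A;[^()]*;$([regex]::Escape($sid))\)"
}
function New-Result($Check, $Pass) { [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass } }

$results = @(
    New-Result 'Not a direct member of Administrators' (-not (Test-Member 'Administrators'))
    $Groups   | ForEach-Object { New-Result "Member of $_" (Test-Member $_) }
    $AclPaths | ForEach-Object { New-Result "Full Control on $_" (Test-FullControl $_) }
    $Urls     | ForEach-Object { New-Result "URL reservation $_" (Test-UrlAcl $_) }
    $Services | ForEach-Object { New-Result "Service ACE on $_" (Test-ServiceAce $_) }
)
$results | Format-Table -AutoSize
```

Any row with Pass set to False names the procedure on this page to repeat. If you have more than one AgilePoint server instance, add each instance's service name to $Services.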
Add the AgilePoint Service Account to the Windows Administrators Group on the AgilePoint Server Machine
To add the AgilePoint Service Account to the Windows Administrators group on the AgilePoint Server machine, do the procedure in this topic.
Prerequisites
- Delete the AgilePoint Service Account from the Windows Administrators Group on the AgilePoint Server Machine.
- Sign in to the AgilePoint Server machine as an administrator.
Good to Know
- For security reasons, some organizations want to delete the AgilePoint Service Account from the Windows Administrators group. But when you upgrade AgilePoint NX, including Software Updates and Hotfixes, the AgilePoint Service Account must be a member of the Administrators group.
How to Start
- On your AgilePoint Server machine, right-click Start, and then click Computer Management.
Procedure
- Add the AgilePoint Service Account to the Windows group, Administrators.