Add or Remove the AgilePoint Service Account in Your Windows Administrators Group

To manage the AgilePoint Service Account in the Windows Administrators group on your AgilePoint Server machine, do the procedures in this topic.

Good to Know

  • When the AgilePoint Server is installed, the AgilePoint Service Account is added to these groups:
    • Administrators
    • Performance Monitor Users
    • IIS_IUSRS
    • adHocAdmin

    The adHocAdmin group is required for Report Center.

    For information about the various AgilePoint NX administrator accounts and administrator roles, refer to Administrator Types and Permission Groups.

  • For security reasons, some organizations want to delete the AgilePoint Service Account from the Windows Administrators group. The AgilePoint Service Account must be a member of the Administrators group during installation and upgrade. However, you can delete the AgilePoint Service Account from this group during normal operations.
  • The AgilePoint Service Account must be a member of all other required Windows groups during normal operations.

Delete the AgilePoint Service Account from the Windows Administrators Group on the AgilePoint Server Machine

To delete the AgilePoint Service Account from the Windows Administrators group on the AgilePoint Server machine, do the procedure in this topic.

How to Start

  1. On your AgilePoint Server machine, click Start, and type Run.
  2. Click Run.
  3. On the Run screen, in the Open field, enter services.msc.
  4. Click OK.

Procedure

  1. Stop these Windows services:
    • Data Services
      Function: AgilePoint Data Services.
      Default Value: AgilePointDataServices
    • AgilePoint Server Instance
      Function: The Windows service associated with an AgilePoint Server instance.
      Default Value: AgilePointServerInstance
    • W3SVC
      Function: Controls the HTTP protocol and HTTP performance counters for IIS.
      Default Value: W3SVC
  2. Delete the AgilePoint Service Account from the Windows group, Administrators.
  3. Add the AgilePoint Service Account to the Windows group, Event Log Readers.
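
The three steps above can also be scripted and then checked against the group list in Good to Know. This PowerShell sketch is an added example, not AgilePoint's own tooling; the account name is a placeholder, and it assumes the default service names and English group names.

```powershell
# Added example: run in an elevated PowerShell session on the AgilePoint Server machine.
# Assumptions: $Account is a placeholder; services use the default names listed above.
$Account  = 'MYDOMAIN\APServiceAdmin'
$Services = 'AgilePointDataServices', 'AgilePointServerInstance', 'W3SVC'

function Test-LocalGroupMember {
    param([string]$Group, [string]$Member)
    # Get-LocalGroupMember writes an error when $Member is not in $Group; treat that as "no".
    [bool](Get-LocalGroupMember -Group $Group -Member $Member -ErrorAction SilentlyContinue)
}

# Step 1: stop the three services (-Force also stops dependent services).
foreach ($name in $Services) {
    Stop-Service -Name $name -Force -ErrorAction Stop
}

# Step 2: remove the account from Administrators, if it is a member.
if (Test-LocalGroupMember -Group 'Administrators' -Member $Account) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $Account -ErrorAction Stop
}

# Step 3: add the account to Event Log Readers, if it is not a member yet.
if (-not (Test-LocalGroupMember -Group 'Event Log Readers' -Member $Account)) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $Account -ErrorAction Stop
}

# Check: no longer an administrator, still in every group that normal operation requires.
$required = 'Performance Monitor Users', 'IIS_IUSRS', 'adHocAdmin', 'Event Log Readers'
$report = foreach ($group in @('Administrators') + $required) {
    [pscustomobject]@{
        Group    = $group
        Expected = ($group -ne 'Administrators')
        IsMember = Test-LocalGroupMember -Group $group -Member $Account
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Expected -ne $_.IsMember }) {
    Write-Warning "Group membership for $Account does not match the expected state."
}
```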

Give Windows Registry and Event Log Access to the AgilePoint Service Account

To give Windows Registry access permission to the AgilePoint Service Account, do the procedure in this topic.

How to Start

  1. On your AgilePoint Server machine, click Start, and type Run.
  2. Click Run.
  3. In the Open field, enter regedit.
  4. Click OK.

Procedure

  1. Right-click each of the following registry nodes to add the AgilePoint Service Account. Set the Permissions to Full Control:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

    HKEY_LOCAL_MACHINE\SOFTWARE\Ascentn

Give AgilePoint File System Access Permission to the AgilePoint Service Account

To give the AgilePoint file system access to the AgilePoint Service Account, do the procedure in this topic.

How to Start

  1. On your AgilePoint Server machine, go to the NX Portal installation folder, C:\Program Files\AgilePoint\AgilePointWebApplication\AgilePointPortal.

Procedure

  1. Right-click the AgilePoint folder, and click Properties.
  2. On the AgilePoint Properties screen, on the Security tab, click Edit.
  3. On the Permissions for AgilePoint screen, on the Security tab, add the AgilePoint Service Account.
  4. Set the Permissions to Full Control.
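
To confirm what the registry and file system procedures actually granted, the ACLs can be read back. This read-only PowerShell check is an added example, not part of the AgilePoint documentation; the account name is a placeholder, and the folder path is assumed to be the one whose permissions you edited.

```powershell
# Added example: read-only check; run from an elevated PowerShell session.
$Account = 'MYDOMAIN\APServiceAdmin'   # placeholder account name
$Targets = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security',
    'HKLM:\SOFTWARE\Ascentn',
    # Assumption: this is the folder you edited; change it if you edited a parent folder.
    'C:\Program Files\AgilePoint\AgilePointWebApplication\AgilePointPortal'
)

function Get-AccountAce {
    param([string]$Path, [string]$Identity)
    # Compare by SID so the match does not depend on how the account name is written.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate($sidType).Value
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -ne $sid) { continue }
        # Registry and file system rules expose their rights under different property names.
        if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = $rule.RegistryRights
        } else {
            $rights = $rule.FileSystemRights
        }
        [pscustomobject]@{
            Path      = $Path
            Type      = $rule.AccessControlType
            Rights    = "$rights"
            Inherited = $rule.IsInherited
        }
    }
}

foreach ($path in $Targets) {
    $aces = @(Get-AccountAce -Path $path -Identity $Account)
    if ($aces.Count -eq 0) {
        # Only ACEs that name the account itself are matched, not ACEs for its groups.
        Write-Warning "No ACE for $Account on $path"
    } else {
        $aces
    }
}
```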

Bind the AgilePoint Service Account to the AgilePoint Server Ports

To bind the AgilePoint Service Account to the AgilePoint Server ports, do the procedure in this topic.

How to Start

  1. On your AgilePoint Server machine, right-click Start, and then click Command Prompt (Admin).

Procedure

  1. In the command prompt, run one of these groups of commands:

    The domain name is only necessary if your AgilePoint Service Account belongs to an Active Directory domain.

    • If AgilePoint Server uses SSL:
      • BasicHttp

        Format:

        netsh http add urlacl url=http://+:[BasicHttp port]/ user=[domain name]\[AgilePoint Service Account user name]

        Example:

        netsh http add urlacl url=http://+:13489/ user=MYDOMAIN\APServiceAdmin

      • WSHttp port

        Format:

        netsh http add urlacl url=http://+:[WSHttp port]/ user=[domain name]\[AgilePoint Service Account user name]

        Example:

        netsh http add urlacl url=http://+:13487/ user=MYDOMAIN\APServiceAdmin

      • TCP port

        Format:

        netsh http add urlacl url=http://+:[TCP port]/ user=[domain name]\[AgilePoint Service Account user name]

        Example:

        netsh http add urlacl url=http://+:13488/ user=MYDOMAIN\APServiceAdmin

      • WebHttp (Rest) port

        Format:

        netsh http add urlacl url=http://+:[WebHttp port]/ user=[domain name]\[AgilePoint Service Account user name]

        Example:

        netsh http add urlacl url=http://+:13490/ user=MYDOMAIN\APServiceAdmin

    • If AgilePoint Server does not use SSL:
      • BasicHttp

        Format:

        netsh http add urlacl url=http://+:[BasicHttp port]/ user=[domain name]\[AgilePoint Service Account user name]

        Example:

        netsh http add urlacl url=http://+:13489/ user=MYDOMAIN\APServiceAdmin

      • WSHttp port

        Format:

        netsh http add urlacl url=https://+:[WSHttp port]/ user=[domain name]\[AgilePoint Service Account user name]

        Example:

        netsh http add urlacl url=https://+:13487/ user=MYDOMAIN\APServiceAdmin

      • TCP port

        Format:

        netsh http add urlacl url=https://+:[TCP port]/ user=[domain name]\[AgilePoint Service Account user name]

        Example:

        netsh http add urlacl url=https://+:13488/ user=MYDOMAIN\APServiceAdmin

      • WebHttp (Rest) port

        Format:

        netsh http add urlacl url=https://+:[WebHttp port]/ user=[domain name]\[AgilePoint Service Account user name]

        Example:

        netsh http add urlacl url=https://+:13490/ user=MYDOMAIN\APServiceAdmin
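
After you run the commands, each reservation can be read back with netsh http show urlacl. This PowerShell check is an added example, not from the AgilePoint documentation; the account, scheme and ports are placeholders taken from the examples above, and English netsh output is assumed.

```powershell
# Added example: read-only check of the URL reservations.
$Account = 'MYDOMAIN\APServiceAdmin'   # placeholder account name
$Scheme  = 'http'                      # set to the scheme used in the commands you ran
$Ports   = 13489, 13487, 13488, 13490  # example ports from this topic

function Get-UrlAclUser {
    param([string]$Url)
    # netsh prints one "User: <account>" line for each ACE on the reservation.
    # Assumption: English output; the "User:" label is localized on other systems.
    & netsh http show urlacl "url=$Url" | ForEach-Object {
        if ($_ -match '^\s*User:\s*(.+?)\s*$') { $Matches[1] }
    }
}

foreach ($port in $Ports) {
    $url   = '{0}://+:{1}/' -f $Scheme, $port
    $users = @(Get-UrlAclUser -Url $url)
    if ($users -contains $Account) {
        "OK: $url is reserved for $Account"
    } elseif ($users.Count -gt 0) {
        # The URL is reserved, but for a different account.
        Write-Warning "$url is reserved for: $($users -join ', ')"
    } else {
        Write-Warning "$url has no reservation"
    }
}
```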

Give Access to the AgilePoint Service Account to Start and Stop Windows Services

To let the AgilePoint Service Account start and stop the AgilePoint Windows services without being a Windows administrator, do the procedure in this topic.

Good to Know

  • If there is more than one AgilePoint server instance, do this procedure for each AgilePoint server instance.

    To get the names of your AgilePoint server instances, refer to AgilePoint Server Manager.

  • You must complete this procedure for these Windows services:
    • AgilePoint Server Instance
      Function: The Windows service associated with an AgilePoint Server instance.
      Default Value: AgilePointServerInstance
    • Data Services
      Function: AgilePoint Data Services.
      Default Value: AgilePointDataServices
    • W3SVC
      Function: Controls the HTTP protocol and HTTP performance counters for IIS.
      Default Value: W3SVC

How to Start

  1. On your AgilePoint Server machine, right-click Start, and then click Command Prompt (Admin).
  2. Change directories to the location of the subinacl.exe tool:

    cd C:\Program Files (x86)\Windows Resource Kits\Tools\

Procedure

  1. To give permissions to a non-administrator user account to manage the Windows services, run these commands:

    Format:

    subinacl /SERVICE \\[MachineName]\[WindowsServiceName] /GRANT=[domain name]\[AgilePoint Service Account user name]=F

    The domain name is only necessary if your AgilePoint Service Account belongs to an Active Directory domain.

    Example:

    subinacl /SERVICE \\DESKTOP-0IBDKT5\AgilePointServerInstance /GRANT=MYDOMAIN\AgilePointAdmin=F

    subinacl /SERVICE \\DESKTOP-0IBDKT5\AgilePointDataServices /GRANT=MYDOMAIN\AgilePointAdmin=F

    subinacl /SERVICE \\DESKTOP-0IBDKT5\W3SVC /GRANT=MYDOMAIN\AgilePointAdmin=F

  2. Sign off the AgilePoint Server machine as the Windows administrator.
  3. Sign in to the AgilePoint Server machine with the AgilePoint Service Account.
  4. Start these Windows services:
    • AgilePoint Server instance
    • AgilePoint data services
    • W3SVC
  5. To test, do this procedure:
    1. Make sure that there are no errors in the event logs related to the AgilePoint services.

      For more information, refer to Where Are the AgilePoint NX OnPremises Logs?.

    2. Sign in to AgilePoint NX Portal, and make sure that all the modules operate correctly.
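
The rights that subinacl wrote to each service can be read back from the service security descriptor with sc.exe sdshow. This PowerShell check is an added example, not AgilePoint's own tooling; the account name is a placeholder, the default service names are assumed, and full control is taken to mean SERVICE_ALL_ACCESS (0xF01FF).

```powershell
# Added example: read-only check; run on the AgilePoint Server machine.
$Account  = 'MYDOMAIN\AgilePointAdmin'   # placeholder account name
$Services = 'AgilePointServerInstance', 'AgilePointDataServices', 'W3SVC'
# Service access rights as defined in winsvc.h.
$SERVICE_START = 0x0010; $SERVICE_STOP = 0x0020; $SERVICE_ALL_ACCESS = 0xF01FF

function Get-ServiceAccessMask {
    param([string]$ServiceName, [string]$Identity)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate($sidType).Value
    $out = & sc.exe sdshow $ServiceName
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $ServiceName failed: $out" }
    # sc.exe prints a blank line before the SDDL string; keep only the non-empty text.
    $sddl = ($out | Where-Object { $_ -and $_.Trim() }) -join ''
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    # Combine every allow ACE that names the account itself.
    # ACEs for groups it belongs to and deny ACEs are not evaluated here.
    $mask = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $sid) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    $mask
}

$startStop = $SERVICE_START -bor $SERVICE_STOP
foreach ($name in $Services) {
    $mask = Get-ServiceAccessMask -ServiceName $name -Identity $Account
    [pscustomobject]@{
        Service      = $name
        AccessMask   = '0x{0:X}' -f $mask
        CanStartStop = ($mask -band $startStop) -eq $startStop
        FullControl  = ($mask -band $SERVICE_ALL_ACCESS) -eq $SERVICE_ALL_ACCESS
    }
}
```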

Add the AgilePoint Service Account to the Windows Administrators Group on the AgilePoint Server Machine

To add the AgilePoint Service Account to the Windows Administrators group on the AgilePoint Server machine, do the procedure in this topic.

Good to Know

  • For security reasons, some organizations want to delete the AgilePoint Service Account from the Windows Administrators group. But when you upgrade AgilePoint NX, including Software Updates and Hotfixes, the AgilePoint Service Account must be a member of the Administrators group.

How to Start

  1. On your AgilePoint Server machine, right-click Start, and then click Computer Management.

Procedure

  1. Add the AgilePoint Service Account to the Windows group, Administrators.