Yes, the Performance Sentry collection service can impersonate a User Account to gain access to secure network resources.
By design, the Performance Sentry Collection Service (dmperfss.exe) is installed to run under the built-in LocalSystem (SYSTEM) account. This built-in account, which most services use, has the authority to perform almost any internal function on the local machine. However, the LocalSystem account has no built-in facilities to access secure network resources, such as shared network folders.
The Performance Sentry Collection Service performs two sets of functions where security considerations may apply:
- Control the Performance Sentry data and log files in the data Folder. You can normally tell that the NTSMF data Folder is protected from uncontrolled access by the LocalSystem account if the service terminates prematurely at start-up and no <computername>.ntsmf.logfile is generated in the NTSMF data Folder.
- Execute the Cycle End command or command script. The Cycle End command or command script runs in a separate process that inherits its Authority from the Performance Sentry service process that creates it. If the Cycle End command or command script fails to complete successfully, but works fine when you execute it under your Logon Account, your Logon Account probably has Folder Permissions that are not granted to the LocalSystem account.
There are two ways to authorize the collection service to perform these secure functions:
- If you have implemented Active Directory, it is possible to grant the LocalSystem (or SYSTEM) Account the Folder Permissions required to access secured network resources. The LocalSystem Account corresponds to the named Computer in Active Directory. However, some installations prefer not to grant the LocalSystem (or SYSTEM) Account any Folder Permissions.
- You may assign a User Account with access to the appropriate network resources that the collection service will impersonate whenever it performs one of the two secured functions discussed above.
Impersonation allows the collection service to temporarily adopt a different security identifier (SID) than the one specified when the service is started. You assign the User Account and Password that the collection service will impersonate when you install the collection service. The User Account you assign will be used whenever the collection service performs any function that might need to be done under a security context other than LocalSystem (or SYSTEM). If you assign a User Account and Password during installation of the collection service, the collection service will impersonate that User Account when it launches the Cycle End command. This allows the Cycle End command or script to execute under a User Account that is authorized to perform network file operations on a secure shared folder. In addition, if the NTSMF data Folder is protected from uncontrolled access by the LocalSystem account, you may need to assign Performance Sentry a User Account to impersonate when it performs any function that accesses the data Folder.
You assign the User Account to be impersonated during the Performance Sentry Collection Service installation using the -account and -password options, as illustrated below:
dmperfss -install -f MyDCS.dcs -account DomainName\myAccount -password xxxxxxx
You may also assign the User Account by using the automation interface command dmcmd.exe found in the root NTSMF folder:
dmcmd.exe -account DomainName\myAccount -password xxxxxxx
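To check the two conditions this FAQ describes (the service runs as LocalSystem, and the data Folder grants rights to the account that will be impersonated), the following PowerShell script is an added example, not part of Performance Sentry or its documentation. It assumes the service is registered under the name dmperfss; the data Folder path and the impersonation account are placeholders to replace with your own values.

```powershell
# Added example; not Performance Sentry code. Placeholders below are assumptions.
$ServiceName = 'dmperfss'               # assumed registered service name
$DataFolder  = 'C:\NTSMF'               # placeholder: your NTSMF data Folder
$ImpAccount  = 'DomainName\myAccount'   # placeholder: the -account value you assigned

# 1. Confirm the collection service itself still runs as LocalSystem.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed on this machine" }
"Service '$ServiceName' logs on as: $($svc.StartName)"

# 2. Compare the explicit Allow ACEs on the data Folder for SYSTEM and the
#    impersonation account. Rights granted only through group membership are
#    not listed here, so an empty result means "no explicit grant", not "no access".
$acl = Get-Acl -Path $DataFolder
foreach ($who in @('NT AUTHORITY\SYSTEM', $ImpAccount)) {
    $rules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $who -and $_.AccessControlType -eq 'Allow'
    }
    if ($rules) {
        $rights = ($rules | ForEach-Object { $_.FileSystemRights }) -join ', '
        "$who : $rights"
    } else {
        "$who : no explicit Allow ACE on $DataFolder"
    }
}

# 3. The symptom the FAQ names: if LocalSystem cannot write the data Folder, the
#    service stops at start-up and no <computername>.ntsmf.logfile is created.
$logFile = Join-Path $DataFolder "$env:COMPUTERNAME.ntsmf.logfile"
if (Test-Path -Path $logFile) {
    "Log file present: $logFile"
} else {
    "No $logFile found; check the data Folder permissions or assign an account to impersonate"
}
```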
For more details, see Chapter 2 of the User’s Manual.