Note: Please see the Troubleshooting Guide for BladeLogicRSCD user lockout issues for more details on troubleshooting BladelogicRSCD account lockouts.
1. The "BladeLogicRSCD" user is created as part of the Windows RSCD Agent install. At install time a random password is generated for this user account.
The default password of BladeLogicRSCD user is random since 8.1.00 (16 alpha-numeric and special characters)
Please refer below for more details related to the TSSA user accounts:
User and accounts
2. BladeLogicRSCD account password uses CryptProtectData function
3. The password is stored in the registry under "\HKEY_LOCAL_MACHINE\SAM\SAM\BladeLogic\Operations Manager\RSCD". The password is encrypted and stored in the S and E values.
Refer BladeLogicRSCDDC Password update
4. Yes, the process for the RSCD agent will be running on the domain controller as 'BladeLogicRSCDDC' account.
The process of RSCD agent on non-domain controller will be using 'BladeLogicRSCD' account.
5. The password is randomly generated upon installation of the RSCD agent and it will remain unchanged, unless it is updated manually
6. There is no minimum characters that is required by the password but can be of 60 characters maximum.
By default the password would contain 16 alphanumeric and special characters.
7. No. The password is stored in the registry using the CryptProtectData function.
8. No. BladeLogicRSCD user gets created on Windows Servers only. The BladeLogicRSCD user is created on Windows in order for the agent to obtain local privileges on the target server. Whenever a connection is made to a target agent, first mapping is done to this user before reading exports, users, users.local. The agent uses a technique called user privilege mapping, which allows the agent to temporarily grant the local user's group privileges to an unprivileged user account called BladeLogicRSCD. This privilege mapping mechanism allows the agent to acquire the mapped local user's group privileges without having to access that user's Windows credentials (user name and password
9. BladeLogic RSCD agents only perform actions when instructed to by an application server. There is no periodic polling and agents do not initiate connections back to the application server
10. When the BladeLogicRSCD user is created, below privileges are granted to it in the local policy:
When BSA tries to impersonate as a user, following privilege is also added to the policy:
11. The password of BladeLogicRSCD can be reset. Use 'chapw -r' command for the password change to use a randomly generated password.
Write 'chapw' and hit enter for the complete usage.
For password change on a domain controller, refer -
BladeLogicRSCDDC Password update
12. The rscd agent runs under the "Local System" account. For the impersonation to occur the rscd agent will "logon" as the BladeLogicRSCD user. Then window api calls are made which apply the appropriate permissions associated with the user it is mapped to. This allows commands to be executed with the permissions and rights 'mapped to' user. However, the underlying running user is still the "Local System" account which doesn't have access to network resources. That "Local System" user cannot connect to remote windows shares.
13. No, the password expiration policy cannot be set for the BladeLogicRSCD user. When a connection is made to the RSCD agent, if the password is set to expire, the setting is reset back to never expire for the BladeLogicRSCD user. If the password expires then the RSCD agent would not be useable and require manual interaction to fix.
14. To change the password on multiple target server, create NSH script on BSA/TSSA console to run below command and then execute this script on multiple target servers to update password
chapw -r <Target server name>