Service Environment and Security

When you install SmartBatch, the Service capability is installed so that the Executive Server, Notification Server and Remote Agents can interact with the desktop under the System Account. The product is installed this way to make the initial setup simpler and to provide a way to see scheduled activity: the user will actually see the windows that are displayed when their applications are run. However, in a production environment, you may want to change the SmartBatch service so that it does not interact with the desktop and runs under a specific account. This specific Windows account must have access to the resources necessary to process your Operations.

Recommended Service Security Configuration

Configure the SmartBatch Executive Service and SmartBatch Remote Agent Service to run under a specific account that has access to the resources required for all or most of your Operations. If some Operations require a different Windows account, specify the User ID and Password on the Operation Properties window. Do not use the Interact with desktop option in production environments. Make sure the password of the specified Windows account (User ID) does not expire; if the password expires, the Operation will fail to run.

Account Considerations

You need to consider the following when configuring the service using the Services Applet in the Control Panel:

Log On As: System Account

This can be set to System Account or This Account. System Account is a special built-in Windows account. It can manage objects on the local system that are not specifically secured. By default, System Account cannot manage objects on other systems, including the domain server. System Account provides the ability to specify Allow Service to Interact with Desktop, which means that processes started by the Executive Server will be visible on the logged-on desktop.

Log On As:  This Account

This Account specifies a particular Windows account that the services will use to log on. Notice that you do not have the ability to specify Allow Service to Interact with Desktop. This ensures that the logged-on user does not get access to a program started under a different account.

SmartBatch provides a way to display the program on the logged-on desktop. This must be configured on the Operation Properties window by specifying the As User and As Password and the Interact with desktop option.

Warning!

The Interact with desktop option is provided primarily for testing purposes. If a user logs off the desktop that has processes started by the SmartBatch Executive Service, these processes may be stopped by the Windows logoff processing. In addition, you must consider who might be logged on to the computer and if the logged on user should be allowed access to this processing.

Items to Consider When Setting Interact With Desktop:

Anyone using the computer may become confused when windows start appearing from scheduled activity.

When someone logs off the computer, any activity started by the SmartBatch Executive Server that displays on the desktop will be stopped by Windows logoff processing.

Not allowing scheduled activity to interact with the desktop provides a more robust unattended processing solution.

The logged on user will have access to any program that displays to the desktop.

The Executive and Notification servers will run continuously regardless of the setting for Allow Service to Interact with Desktop. Your programs must ignore the shutdown processing that occurs when a user logs off the computer. Otherwise, they will stop processing which is probably not the desired result.

To turn off Allow Service to Interact with Desktop:

1. On the Control Panel, double-click the Services applet.

2. Double-click SmartBatch Service and make sure the Allow Service to Interact with Desktop checkbox is unchecked. In addition, make sure the Interact checkbox is not selected on the Operation Properties window.
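The following PowerShell script is an added example, not part of the SmartBatch product or its documentation. It audits the service logon settings discussed above (account, desktop interaction, and a non-expiring password for a local service account) and shows how to clear the desktop-interaction flag and switch to a dedicated account without storing the password in the script. The service names in $ServiceNames and the account name passed to Set-ServiceLogonHardened are assumptions; use the names shown in your Services applet.

```powershell
# Assumed service names; adjust to match the entries in the Services applet.
$ServiceNames = @('SmartBatch Service', 'SmartBatch Remote Agent Service')

function Get-ServiceLogonAudit {
    param([string[]]$Names = $ServiceNames)

    foreach ($name in $Names) {
        # Win32_Service exposes the logon account (StartName) and the
        # "Allow service to interact with desktop" flag (DesktopInteract).
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$name' OR Name='$name'"
        if (-not $svc) { Write-Warning "Service '$name' not found"; continue }

        $isSystem = $svc.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')
        $findings = @()
        if ($svc.DesktopInteract) { $findings += 'Interact with desktop is enabled' }
        if ($isSystem)            { $findings += 'Runs as System Account (null network credentials)' }

        # For a local account, flag a password that can expire (the Operation fails when it does).
        if (-not $isSystem -and $svc.StartName -match ('^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\(.+)$')) {
            $user = Get-LocalUser -Name $Matches[2] -ErrorAction SilentlyContinue
            if ($user -and $user.PasswordExpires) { $findings += "Password expires on $($user.PasswordExpires)" }
        }

        [pscustomobject]@{
            Service         = $svc.DisplayName
            LogOnAs         = $svc.StartName
            DesktopInteract = $svc.DesktopInteract
            Findings        = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Clear the desktop-interaction flag and run the service under a dedicated account.
# The password is prompted for rather than embedded in the script.
function Set-ServiceLogonHardened {
    param([string]$Name, [string]$Account)   # $Account e.g. 'DOMAIN\svc_smartbatch' (placeholder)
    $cred = Get-Credential -UserName $Account -Message "Password for $Account"
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$Name' OR Name='$Name'"
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        DesktopInteract = $false
        StartName       = $cred.UserName
        StartPassword   = $cred.GetNetworkCredential().Password
    }
    if ($result.ReturnValue -ne 0) { throw "Change failed with return code $($result.ReturnValue)" }
    Restart-Service -Name $svc.Name   # the new logon settings take effect on the next start
}

Get-ServiceLogonAudit | Format-Table -AutoSize
```

Run the audit first; any row whose Findings column is not OK is a candidate for Set-ServiceLogonHardened, after which the Interact checkbox on each Operation's properties still has to be reviewed by hand.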

Log On As System Account or This Account (that is, a specific User ID)

SmartBatch is initially installed with the System Account and Interact With Desktop as the service settings. There are security implications with this setting and services in general that are important to understand. You should refer to the following Microsoft knowledge base articles for more information:

Q152451 - Applications Run from the Schedule Service Fail to Print.

Q124184 - Service Running as System Account Fails Accessing Network.

About System Account

System Account has "null credentials". This means that when it attempts to access a secured resource, access to that resource is denied by default. For example, file access to another Windows computer will be denied unless access has been specifically granted to SYSTEM (refer to the knowledge base articles above for more information and possibilities on this). Access to a file stored on a Novell server will fail unless guest access is allowed. Also, since System Account is not a User ID in Windows, it has no user profile, so access to user Registry information will not occur. Another item to consider is UNC (universal naming convention) naming. Since UNC names are resolved by the domain and System Account does not have access to the domain, UNC names cannot be resolved.

If you use many accounts in your processing, you can specify the As User on the Operation Properties window to start an Operation under a specific account. This also allows you to set the Interact with desktop capability, which is not available through the Control Panel when using This Account. Use this with caution, as described in the warning under This Account.

Batch Versus Interactive Logon -- Accessing Network Files

A service provides a batch logon as opposed to an interactive logon. An interactive logon provides additional capabilities such as mapped drives. If you require the use of network drives, there are two methods you can use to obtain access:

1. The first and recommended method is to use universal naming convention (UNC) names when referring to files or directories. To use UNC naming, the SmartBatch Service and Remote Agent Service should be configured to run under a specific account so that all processing has access to the necessary shares.

2. The second method uses drive letters (for example, f:). These must be mapped in an Operation before they are used; to do this, use the NET USE command. It can be placed in a .bat file that is executed by an Operation, or placed directly in an Operation. See Network Drive Mappings and NET USE for more detailed information.
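As an added example of the second method (a PowerShell equivalent of the .bat file the text describes, not code from the SmartBatch documentation), the script below maps a drive letter with NET USE inside the Operation, runs the job, and always removes the mapping afterwards, so a failed run does not leave a stale letter behind. The share, drive letter and job path are placeholders.

```powershell
param(
    [string]$Share = '\\fileserver\batchdata',   # placeholder UNC path to the share
    [string]$Drive = 'F:',                       # drive letter the job expects
    [string]$Job   = 'C:\Jobs\nightly.exe'       # placeholder program run by the Operation
)

# A service (batch) logon has none of the interactive session's drive mappings,
# so the mapping is created here, inside the Operation, and kept non-persistent.
if (Test-Path -LiteralPath "$Drive\") {
    throw "$Drive is already in use; choose another drive letter"
}

net use $Drive $Share /persistent:no | Out-Null
if ($LASTEXITCODE -ne 0) {
    # Typical cause: the service account has no access to the share (see About System Account).
    throw "NET USE failed with exit code $LASTEXITCODE while mapping $Drive to $Share"
}

$rc = 1   # default to failure in case the job cannot be started at all
try {
    & $Job "$Drive\input"
    $rc = $LASTEXITCODE
}
finally {
    # Remove the mapping even if the job fails so the letter is free for the next run.
    net use $Drive /delete /y | Out-Null
}
exit $rc
```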

Environment Variables

Another difference when running under the SmartBatch service is the handling of environment variables set up with the Control Panel System applet. User environment variables are not available to Operations started through SmartBatch unless the Operation explicitly loads them. Use system environment variables if you do not want to load your own user variables.