Permissions and rights required by the Veritas Cluster Server Helper, or HADHelper, service for Veritas InfoScale for Windows

SECTION 1 - Required Permissions

The user account used by the HADHelper service must have permissions equivalent to the following:

1. Local Administrator for each node
2. Domain User

Note: It is sufficient if the account is a member of the Domain Users group if Domain Users group is itself a member of the Local Administrators group on each node.

SECTION 2 - Required Rights

The account used by the HADHelper service must have the following rights:

1. Act as part of the operating system
2. Back up files and directories
3. Adjust memory quotas for a process
4. Increase scheduling priority
5. Restore files and directories
6. Log on as a service
7. Add workstations to Domain (this is available by default to all Authenticated Users)

The command below can be used to view the rights granted to the HADHelper account:

hadhelper /showconfig

This command will return the list of rights required and mark each right with a star (*) to indicate the right is assigned.  Any missing rights will be displayed at the end of the output.

 

The hadhelper /showconfig command uses a Microsoft internal Application Programming Interface (API) function called "LsaEnumerateAccountRights". It does not display the privileges inherited by Group Membership.

Use the following command to automatically assign the required rights to the HADHelper account and restart the HADHelper service:

hadhelper /configure /user:<user_name> [/password:<password>]

The command will prompt for the password if the " [/password:<password>]" switch is not used.  Restart of the HADHelper service will not cause any cluster outage.

Note: The command does not check or add the "Add workstations to Domain" right. In addition, it does not check group memberships.