Hitachi

JP1 Version 11 JP1/Script Description and Reference (For Windows Systems)


2.9 Setting users permitted to remotely execute the NetExec command

To set the users permitted to remotely execute the NetExec command:

  1. Select the users you want to permit to remotely execute the NetExec command.

    Select the users for each space (service space or logon space) in which executable files called by the NetExec command are executed.

  2. Create a folder in which the NetExec command restriction policy files will be stored.

    Create a Conf folder in the JP1/Script installation folder.

  3. Create the NetExec command restriction policy files.

    Create the following files for each space (service space and logon space) in which executable files called by the NetExec command are executed.

    • For the service space, create the SPTHSV_ACP file.

    • For the logon space, create the SPTHLSV_ACP file.

  4. Place the created NetExec command restriction policy files in the JP1/Script-installation-folder\Conf folder.

    Place the SPTHSV_ACP file and SPTHLSV_ACP file you created in step 3 in the JP1/Script-installation-folder\Conf folder.

  5. In the NetExec command restriction policy file, set the users permitted to remotely execute the NetExec command.

    Perform the following procedure:

    1. Right-click the NetExec command restriction policy file to open the menu, and then select Properties.

    The Properties dialog box opens.

    2. On the Security page, click the Add button, and then select users you want to permit to remotely execute the NetExec command.

    In the Select Users or Groups dialog box that opens, select the users you want to permit to remotely execute the NetExec command.

    3. On the Security page, select the users you added, and then specify the following information for Permissions:

    - Read: Permitted

    - Write: Permitted

    4. Make sure that unnecessary users are not set.

    Delete any unnecessary users.

  6. In the NetExec command restriction policy file, set the file management user.

    Perform the following procedure:

    1. Right-click the NetExec command restriction policy file to open the menu, and then select Properties.

    The Properties dialog box opens.

    2. On the Security page, click the Add button, and then select the file management user.

    In the Select Users or Groups dialog box that opens, select the file management user.

    3. On the Security page, select the user you added, and then specify the following information for Permissions:

    - Full control: Permitted

  7. In the NetExec command restriction policy file, set the logon accounts for the JP1/Script service and Script Launcher service.

    To set the user who starts the JP1/Script service, perform the following procedure for the SPTHSV_ACP file. To set the user who starts the Script Launcher service, perform the following procedure for the SPTHLSV_ACP file.

    1. Right-click the NetExec command restriction policy file to open the menu, and then select Properties.

    The Properties dialog box opens.

    2. On the Security page, click the Add button, and then select the logon account for either the JP1/Script service or the Script Launcher service.

    In the Select Users or Groups dialog box that opens, select the user who starts the service.

    3. On the Security page, select the user you added, and then specify the following information for Permissions:

    - Read: Permitted

    - Write: Permitted

  8. In the folder that contains the NetExec command restriction policy file, set the logon accounts for the JP1/Script service and the Script Launcher service.

    Perform the following procedure:

    1. Right-click the Conf folder to open the menu, and then select Properties.

    The Properties dialog box opens.

    2. On the Security page, click the Add button, and then select the logon account for either the JP1/Script service or the Script Launcher service.

    In the Select Users or Groups dialog box that opens, select the logon account for each service.

    3. On the Security page, select the users you added, and then specify the following information for Permissions:

    - Read and execution: Permitted

    - Folder contents listing: Permitted

    - Read: Permitted

    4. Make sure that unnecessary users are not set.

    Delete any unnecessary users.

  9. Stop the JP1/Script service and Script Launcher service.

  10. Start the JP1/Script service and Script Launcher service.

    Make sure that the following messages are output to the event log.

    For the JP1/Script service:

    Starting the NetExec thread (NetExec command execution users restricted) of the JP1/Script service.

    For the Script Launcher service:

    Starting the NetExec thread (NetExec command execution users restricted) of the Script Launcher service.

Important note

After you change the users permitted to remotely execute the NetExec command, restart the JP1/Script service or the Script Launcher service. In addition, when the permission is set for a group in the NetExec command restriction policy file, if you add or delete users or groups belonging to the permitted group, the added or deleted users or groups might not be properly granted or denied permission after the JP1/Script service or Script Launcher service restarts. If this happens, restart Windows.
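
The permissions set in steps 5 to 8 can be checked from PowerShell instead of reading each Security page by hand. The script below is an added example and is not part of the Hitachi manual; it only reads ACLs and changes nothing. The parameter names and the helper functions Add-Expected and Test-PolicyAcl are hypothetical, and every account name and the installation folder are supplied by the administrator.

```powershell
# Added example, not from the Hitachi manual: read-only audit of steps 5-8.
# Every parameter value is supplied by the administrator (assumptions, not defaults).
param(
    [Parameter(Mandatory)][string]   $InstallDir,         # JP1/Script installation folder
    [Parameter(Mandatory)][string[]] $ServiceSpaceUsers,  # permitted users, service space
    [Parameter(Mandatory)][string[]] $LogonSpaceUsers,    # permitted users, logon space
    [Parameter(Mandatory)][string]   $FileAdmin,          # file management user
    [Parameter(Mandatory)][string]   $ScriptSvcAccount,   # JP1/Script service logon account
    [Parameter(Mandatory)][string]   $LauncherSvcAccount  # Script Launcher service logon account
)
$SidType = [System.Security.Principal.SecurityIdentifier]

# Record that each named account must hold the given rights, keyed by SID.
function Add-Expected([hashtable]$Map, [string[]]$Names, [string]$Rights) {
    foreach ($n in $Names) {
        $sid = ([System.Security.Principal.NTAccount]$n).Translate($SidType).Value
        $Map[$sid] = [int]$Map[$sid] -bor [int][System.Security.AccessControl.FileSystemRights]$Rights
    }
}
# Compare the Allow entries on $Path with $Expected; emit one object per finding.
function Test-PolicyAcl([string]$Path, [hashtable]$Expected) {
    $allowed = @{}
    foreach ($r in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $SidType)) {
        if ($r.AccessControlType -eq 'Allow') {
            $sid = $r.IdentityReference.Value
            $allowed[$sid] = [int]$allowed[$sid] -bor [int]$r.FileSystemRights
        }
    }
    foreach ($sid in $Expected.Keys) {
        if (([int]$allowed[$sid] -band $Expected[$sid]) -ne $Expected[$sid]) {
            [pscustomobject]@{ Path = $Path; Sid = $sid; Finding = 'required permission missing' }
        }
    }
    foreach ($sid in $allowed.Keys) {
        if (-not $Expected.ContainsKey($sid)) {
            [pscustomobject]@{ Path = $Path; Sid = $sid; Finding = 'not in expected list, review' }
        }
    }
}
$conf = Join-Path $InstallDir 'Conf'
$svc = @{}; Add-Expected $svc ($ServiceSpaceUsers + $ScriptSvcAccount) 'Read, Write'
Add-Expected $svc $FileAdmin 'FullControl'
$lsv = @{}; Add-Expected $lsv ($LogonSpaceUsers + $LauncherSvcAccount) 'Read, Write'
Add-Expected $lsv $FileAdmin 'FullControl'
$dir = @{}; Add-Expected $dir @($ScriptSvcAccount, $LauncherSvcAccount) 'ReadAndExecute'
Test-PolicyAcl (Join-Path $conf 'SPTHSV_ACP')  $svc
Test-PolicyAcl (Join-Path $conf 'SPTHLSV_ACP') $lsv
Test-PolicyAcl $conf $dir
```

The comparison is by SID against entries set directly on each object, so group membership is not expanded: if permission was granted to a group, pass the group name rather than its members. No output means every expected entry is present and no other account holds an Allow entry.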