Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 Configuration Guide


6.2.22 Settings for executing jobs as a user with administrator permissions when the UAC is enabled

When the Windows UAC function is enabled, all OS users who belong to the Administrator group, with the exception of the built-in Administrator, execute operations with the Administrator permissions disabled. As a result, jobs that require administrator permissions# might not be executable in JP1/AJS3.

#: These jobs include PC jobs, action jobs, custom jobs, and QUEUE jobs that are executed in Windows versions of JP1/AJS3. Also included are submit jobs executed by the jpqjobsub command.

One example of a job that requires administrator permissions is starting a service by using the net start command. When the UAC function is enabled, jobs that require administrator permissions can be executed by the built-in Administrator and an OS user whose account is the same as the JP1/AJS3 service account.

Enabling the settings for executing jobs as a user with administrator permissions when the UAC is enabled allows OS users in the Administrator group to execute jobs that require administrator permissions even when the UAC function is enabled.

The following table describes the relationship between the type of OS user when a job is executed and whether the job can be executed when the UAC function is enabled.

Table 6‒41: Relationship between type of OS user when a job is executed and whether the job can be executed when the UAC function is enabled

The last two columns show whether a job that requires administrator permissions can be executed.

| Job execution service | OS user type when the job is executed | Setting disabled (default) | Setting enabled |
|---|---|---|---|
| Standard specified | Member of the Administrator group: built-in Administrator | Y | Y |
| Standard specified | Member of the Administrator group: user other than the built-in Administrator, same as the service account's OS user | Y | Y |
| Standard specified | Member of the Administrator group: user other than the built-in Administrator, different from the service account's OS user | N | Y |
| Standard specified | OS user who is not a member of the Administrator group | N | N |
| Queueless Agent specified | Member of the Administrator group: built-in Administrator | Y | Y |
| Queueless Agent specified | Member of the Administrator group: user other than the built-in Administrator, same as the service account's OS user | N | Y |
| Queueless Agent specified | Member of the Administrator group: user other than the built-in Administrator, different from the service account's OS user | N | Y |
| Queueless Agent specified | OS user who is not a member of the Administrator group | N | N |

Legend:

Y: Can be executed.

N: Cannot be executed.

Cautionary note:

To enable the setting, first check all OS users who have been registered on the execution host by the JP1/Base user mapping function, and who execute jobs. Next, set the Log on as a batch job permission in the security policy settings for these OS users. If an OS user without this permission attempts to execute a job, even when the job does not require administrator permissions, job startup will fail and the KAVU7201-E or KAVS1880-E message is output.

When the Deny logon as a batch job permission has been set, an attempt to start the job also fails and the KAVU7201-E or KAVS1880-E message is output.

Use the following procedure to enable the setting.

Note that the setting must be enabled on the host on which the jobs will be executed.


(1) Definition procedure

  1. In Windows Control Panel, open the Local Security Policy administrative tool, and then set the Log on as a batch job permission for all OS users who execute jobs.

    For domain users, you can also set the permission in the domain security policy settings. Also make sure that the Deny logon as a batch job permission has not been set.

  2. In Windows Control Panel, open the Services administrative tool, and stop the following service:

    • When Standard is specified as Exec. Service of the job

      JP1/AJS3 service

    • When Queueless Agent is specified as Exec. Service of the job

      JP1/AJS3 Queueless Agent service

    Cautionary note:

    In a cluster system, check the cluster settings, and also stop the JP1/AJS3 service on each logical host.

  3. Execute the following command to set the environment setting parameter described in (2) below:

    jajs_config -k definition-key "parameter-name"=value

    You can specify only one definition key. If you want to set environment setting parameters for different definition keys, you must execute the jajs_config command for each definition key.

  4. Restart the services that you stopped in step 2.

    The contents of the configuration file are applied to the system.
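
An added example (not part of the Hitachi manual) for step 1 and the cautionary note: a PowerShell audit that exports the local user rights with secedit and reports, for each job-executing OS user, whether Log on as a batch job (SeBatchLogonRight) is granted and Deny log on as a batch job (SeDenyBatchLogonRight) is absent. The account names in $JobUsers and the temporary file name are hypothetical; the script must run elevated on the execution host. It evaluates only direct entries and direct members of local groups, so a False result for a user covered through nested or domain groups needs a manual check.

```powershell
# Added example: audit the two batch-logon rights for job-executing OS users.
# Run elevated on the execution host. $JobUsers is a constructed sample list;
# replace it with the OS users registered by JP1/Base user mapping.
$JobUsers = @('EXAMPLE\ajsjob01', 'ajslocal')   # hypothetical accounts

function ConvertTo-Sid([string]$Account) {
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRightSids([string[]]$InfLines, [string]$Right) {
    # secedit writes lines such as: SeBatchLogonRight = *S-1-5-32-544,ajslocal
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $e = $entry.Trim()
        if ($e.StartsWith('*')) { $e.Substring(1) }      # entry is already a SID
        elseif ($e) { ConvertTo-Sid $e }                 # entry is an account name
    }
}

function Test-RightCoversSid([string]$Sid, [string[]]$RightSids) {
    foreach ($r in $RightSids) {
        if ($r -eq $Sid) { return $true }
        # Entry may be a local group such as BUILTIN\Administrators: check direct members.
        $members = Get-LocalGroupMember -SID $r -ErrorAction SilentlyContinue
        if ($members.SID.Value -contains $Sid) { return $true }
    }
    return $false
}

$inf = Join-Path $env:TEMP 'jp1_user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf
Remove-Item $inf
$allow = Get-UserRightSids $lines 'SeBatchLogonRight'       # Log on as a batch job
$deny  = Get-UserRightSids $lines 'SeDenyBatchLogonRight'   # Deny log on as a batch job

foreach ($user in $JobUsers) {
    $sid     = ConvertTo-Sid $user
    $granted = Test-RightCoversSid $sid $allow
    $blocked = Test-RightCoversSid $sid $deny
    [pscustomobject]@{ User = $user; LogOnAsBatchJob = $granted
                       DenyBatchLogon = $blocked; ReadyForJobs = ($granted -and -not $blocked) }
}
```

Users reported with ReadyForJobs set to False are the ones that would fail job startup with KAVU7201-E or KAVS1880-E once the setting is enabled.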

(2) Environment setting parameter

Table 6‒42: Environment setting parameter used to execute jobs as a user with administrator permissions when the UAC function is enabled

Definition key: [{JP1_DEFAULT|logical-host}\JP1NBQAGENT\Job]#1
Environment setting parameter: "UACAdministratorsExec"=
Explanation: Setting for executing a job as a user with administrator permissions when Standard is specified for the job execution service and the UAC function is enabled

Definition key: [JP1_DEFAULT\JP1QLAGENT]#2
Environment setting parameter: "UACAdministratorsExec"=
Explanation: Setting for executing a job as a user with administrator permissions when Queueless Agent is specified for the job execution service and the UAC function is enabled

#1: The specification of the {JP1_DEFAULT|logical-host} part depends on whether the host is a physical host or a logical host. For a physical host, specify JP1_DEFAULT. For a logical host, specify the logical host name.

#2: This setting applies to both physical and logical hosts.

For details about the definition of these environment setting parameters, see the following: