We use cookies to ensure that we give you the best experience on our website.  Visit our Privacy Policy to learn more. If you continue to use this site, we will assume that you are okay with it.

Your choices regarding cookies on this site.
Your preferences have been updated.
In order for the changes to take effect completely please clear your browser cookies and cache. Then reload the page.

Werk #10677: Windows plugins and local checks can be called using non-system account

ComponentChecks & Agents
TitleWindows plugins and local checks can be called using non-system account
Date2020-01-09 09:50:22
Checkmk EditionCheckmk Raw Edition (CRE)
Checkmk Version2.0.0i1
LevelProminent Change
ClassNew Feature
CompatibilityCompatible - no manual interaction needed

Previously the plugins and local check were always called using Windows System account. Such approach could restrict access to some resources, for example, network shares. Now this problem has been resolved.

The new ruleset in Bakery Run plugins and local checks using non-system account gives the possibility to run any Windows script using a given user account.

There are two modes of the rule:

group mode, in this case Windows Agent provides its own internal user in the requested group to run a script.

user mode, in this case the credentials for the given user account must be fully specified.

The group mode is more secure, because no credentials need to be stored anywhere, except in the agent internally. When using the user mode, the provided credentials are stored on all Checkmk servers to which the configuration is applied. Also, the credentials will be baked into the distributed to target systems agent bakery packages(MSI files).

The same functionality in Raw Edition can be achieved using Agent configuration file.

To set group mode for desired plugin pattern you should assign the name of the local group to the key group. To set user mode for desired plugin pattern you should assign string with user name and password separated with one space to the key user. Detailed example you may found in the provided configuration file.

We highly recommend using the group mode whenever possible.