Accessing the Operations Sentinel Server

Operations Sentinel client applications access management data using network shares on the server. See Figure 1–4. For an Operations Sentinel client application to access the data on an Operations Sentinel server, Windows User Security must grant the workstation user account access to the Operations Sentinel server. If the server and workstation reside in the same domain or in mutually trusted domains, no user administration is necessary. However, if the server and the workstation are in nontrusted domains, the workstation user account must have a shadow account (a Windows user account with the same user-id and password) on the Operations Sentinel server.

Figure 4. Example of Operations Sentinel Security


Notes:

  • All files and folders that Operations Sentinel creates during installation and execution in its installation, data, and log folders are accessible only by user accounts that are members of the local user group SPO Users or SPO Administrators on the Operations Sentinel server.

  • Network shares for the installation, data, and log folders on the Operations Sentinel server are named SPOPROGRAMx.y.z, SPODATAx.y.z, and SPOLOGx.y.z respectively, where x.y.z is the level of the Operations Sentinel software. Network shares are available only to user accounts in the SPO Users or SPO Administrators local user group on the server.

Troubleshooting

Consider a scenario where a user who belongs to the “SPO Users” or “SPO Administrators” group tries to access a remote Operations Sentinel server from an Operations Sentinel workstation. The user might receive an error stating “User is not a member of SPO Users or SPO Administrators”. This error occurs because some Microsoft Windows operating system versions do not allow remote calls to the Security Accounts Manager (SAM) by default.

The following Windows OS versions do not allow remote calls to the Security Accounts Manager (SAM) unless the Local Security Policy of the system is configured:

Perform the following steps to configure the Local Security Policy of Operations Sentinel Server machine:

  1. Open Local Security Policy, accessible from the Administrative Tools folder in the Control Panel.

  2. From the Tree view, expand Local Policies and select Security Options.

  3. Select Network access: Restrict clients allowed to make remote calls to SAM.

  4. Right-click and select Properties to edit the security settings of the policy.

  5. Click Edit Security... and add the “SPO Users” and “SPO Administrators” groups.

  6. Click OK, then click Apply.

    Changes are successfully applied to the Security Setting of the policy.

  7. Open command prompt, and enter the following command:

    gpupdate /force

Notes:

  • The changes take effect only after the gpupdate /force command is run from the command prompt.

  • The Group Policy setting is only available on systems running Windows Server 2016 or Windows 10, version 1607 and later.

  • On systems that run earlier versions of Windows, you need to edit the registry setting directly or use the Group Policy Preferences.

Refer to the Microsoft documentation for more information on “Network access: Restrict clients allowed to make remote calls to SAM” security policy.
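
To confirm the result of the steps above, the following read-only check reports whether each group has been granted remote access to SAM on the Operations Sentinel server. It is an added example, not part of the product documentation. It assumes the policy is stored as an SDDL string in the RestrictRemoteSam registry value under the Lsa key (Microsoft's documented location, not named on this page) and that both groups exist as local groups on the server.

```powershell
# Added example: read-only audit of the "Restrict clients allowed to make
# remote calls to SAM" policy. Run on the Operations Sentinel server.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$groups = 'SPO Users', 'SPO Administrators'   # local groups named on this page
$remoteAccess = 0x00020000                    # READ_CONTROL ("RC" in SDDL)

# Assumption: the policy value is named RestrictRemoteSam (see lead-in).
$sddl = (Get-ItemProperty -Path $lsaKey -Name RestrictRemoteSam `
         -ErrorAction SilentlyContinue).RestrictRemoteSam

if (-not $sddl) {
    Write-Output 'RestrictRemoteSam is not set; the Windows default for this OS version applies.'
}
else {
    Write-Output "Policy SDDL: $sddl"
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    foreach ($name in $groups) {
        # Resolve the local group name to its SID.
        try {
            $account = New-Object System.Security.Principal.NTAccount($name)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        }
        catch {
            Write-Output "$name : group not found on this server"
            continue
        }

        # Look for an allow ACE for this SID that includes remote access.
        $allowed = $false
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -is [System.Security.AccessControl.CommonAce] -and
                $ace.AceQualifier -eq 'AccessAllowed' -and
                $ace.SecurityIdentifier -eq $sid -and
                ($ace.AccessMask -band $remoteAccess)) {
                $allowed = $true
            }
        }

        if ($allowed) { Write-Output "$name : remote SAM calls allowed" }
        else          { Write-Output "$name : NOT allowed (repeat steps 3 to 7)" }
    }
}
```

The check only inspects explicit allow entries for the two groups; a deny entry or membership in another allowed group is not evaluated.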