this should be moved to the server admin forum. In any case, the way that we have setup our distributed cluster is that our runas admin is a generic app service account within Active Directory. And this service account is setup as admin on the windows box and an admin defined within Tableau server.
Oh, and you start / stop the svc with tabadmin, not tabcmd. I think this is what you meant anyways.
Thanks for the quick response. Yes, we are using start/ stop using tabadmin. This is not just with tabadmin CLI, it also happens even with the start/ stop/ configure from All Programs using this service account. Ours is also a generic app service account with active directory, but the only difference is it does NOT have admin on the windows box. Corp security does not allow that. Yes, this service account has the server administrator role on the tableau server. Any other thoughts? Thank you so much!!
Can you confirm that your new Run As User is an Administrator on every host in the cluster?
1. Make sure that the user that you are trying to run the tabadmin command with has admin rights within Tableau server.
2. You can try this, not quite sure of the net effect, but it's helped me before. Go into windows explorer and add the admin account(s) to the E:\Tableau directory with full control and cascade down to children directories.
No, the "Run as" service account is NOT an admin on any box (including the primary). That is the problem. As soon as I make it admin, it works, but the Corp security does not allow this account to have admin rights on the windows box.
Does this mean, the Run as service account CANNOT start/ stop tableau server without having the admin rights on the Tableau server? I know it works with admin rights for that service account as I tried that already, but the Corp security does not allow that. If that is the only way, then may be I will have to go back to them and work with them. But my understanding is the service account does not need admin rights on the box. Is that not true?
I already gave full control to the E:/Program files/Tableau directory and cascade down to all children and it did not help.
Well then you have a big problem, because the Tableau Server Run As User must be an Administrator on its host(s), or Tableau Server cannot run successfully. It's just that simple.
It seems that you'll have to work with Corp Security to come up with a User Account that they can accept.
Yep. Admin rights seem to be the only viable option. Work with corp security as ken advised.
Hey Ken, I thought that too for a long while, as someone had told me as much--but actually, that is not the case. The Run-As user needs specific rights set up, but it does not require full Admin access on the hosts that Tableau Server is running on. This is the start of several pages that describe in detail what it needs (Sandeep linked it above, but I'm re-linking for convenience):
That said, I don't know why you would be having that issue, Sandeep Moola. I recommend going through Support--they can walk you through this step by step to get things working.
*deleted and re-added since I'd put it under the wrong account...
Yes I know that document (I have my Server 8 Professional cert) but this is a case of the practical trumping the theoretical. Theoretically if all the criteria are met then the Run As User does not have to be an Admininstrator, but as a practical matter (a) things can still break, like Permissions to append to log files and (b) it's usually faster / easier to just get an Administrator account than to walk a big honkin' checklist and get it all right.
There is a bit of pain-to-gain ratio to consider. Not having Administrator rights for the Run As User is an awful lot of pain, for relatively little gain.
Gotcha, thanks Ken. I definitely agree that it makes things a lot easier--we ran under that model for a long time, and only recently switched our run-as account to a non-admin. I just wanted to clarify that Admin rights are not officially required by Tableau to run Server, and that Sandeep doesn't necessarily need to go back to IT and ask for a policy exception because of this error.
Hopefully Sandeep can tell us -- after he's worked with Support -- if the privileges for Run As User were relevant to the problem or not. We are inferring / guessing so based solely on the notion that the problem began when the Run As User was replaced...
This will be a good learning experience for all of us.
It looks like in some instances changes may need to be made to the registry keys of the machine in order to fully disable this UAC program. Because UAC is a part of the Window's operating system, Tableau Technical Support is not able to offer any additional assistance in configuration of the Tableau Server Machine.
Did anyone make any registry key changes to completely disable UAC?
Matt any ideas?
Hey Sandeep. Well, sorry I missed your last reply. I didn't have any ideas at the time anyway. But, in a karmic twist, my lack of response has come back to bite me, as I am now suffering through the exact same issue!
Specifically, the problem is that scheduled tasks I have set up in Windows to run "tabadmin backup" will not run under the Run-As user account. I have disabled UAC according to this KB: Resolving "Unable to access service control manager (5)" Error Message | Tableau Software , on all hosts in our cluster and restarted them. I performed the necessary regedits and also changed UAC through the GUI. Still getting the same problem.
My current thought process for the time being is that I'll work around it by setting up the scheduled tasks to run under an account that is not the Run-As user account, but is a separate AD service account that does have Admin rights on the local machines, but does not have any rights within Tableau Server itself, nor will it be the account that Tableau Server is actually running under as a service. I'm not sure if that jibes with your own IT group's policy, but it will achieve my own personal goal of having Server run under an account without local admin rights to my machines.
I'll ask around and see if can figure out some more options. There may be some way to grant rights to manage Services in Windows without making the user a full admin, but that's beyond my expertise to answer.