DC Agent has insufficient permissions

DC Agent may have been installed as a service using the Guest account, equivalent to an anonymous user to the domain controller.

In order to perform computer polling, the Websense DC Agent service requires domain admin permissions. In some environments (typically very large enterprise networks), DC Agent requires enterprise admin permissions.

If you have disabled domain discovery and computer polling, and are just using domain controller polling while maintaining the dc_config.txt file manually, DC Agent can run as any network user with read access to the domain controller.

To grant DC Agent domain admin privileges:

Steps

  1. On the DC Agent machine, create a user account with a descriptive name, like WsUserID. This account exists only to provide a security context for DC Agent when it requests information from the directory service.
    • Assign the new account domain admin privileges in all domains.
    • Assign the same password to this account in all domains.
    • Set the password to never expire.

    Make a note of the user name and password.

  2. Open the Windows Services tool:
    • Windows Server 2016: Go to Start, then select All Programs > Windows Administrative Tools > Services
    • Windows Server 2012: Server Manager > Tools > Services
    • Windows Server 2008: Start > Administrative Tools > Services
  3. Scroll to the Websense DC Agent service, right-click the service name, and then select Stop.
  4. Right-click the service name again, select Properties, and then click the Log On tab.
  5. Select This account, and then enter the account name and password that you created for DC Agent. Some domains require that the account name be entered in the format domain\username.
  6. Click OK to return to the Services tool.
  7. Right-click the service name again, and then select Start.
  8. Close the Services tool.
    You may also need to assign User Service the same administrative privileges as DC Agent.