Microsoft KB Archive/269229

From BetaArchive Wiki

Article ID: 269229

Article Last Modified on 10/26/2007



APPLIES TO

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT Server 4.0 Enterprise Edition



This article was previously published under Q269229


SUMMARY

During the installation process for the Microsoft Cluster service, the specified domain account is granted rights that are necessary for the Cluster service to function correctly. If you ever have to change or re-create the account, you must manually grant these rights back to the domain account that is used to start the Cluster service, on each node of the cluster. Additionally, make sure that security policies do not remove rights or permissions from the Cluster service account. If rights or permissions are removed from the Cluster service account, the Cluster service may no longer function.

MORE INFORMATION

The account that is used to start the Cluster service must be a domain user account (a local account on the node is not sufficient), and it must be a member of the local Administrators group on each node in the cluster. Add the account to the local Administrators group on each node by using User Manager in Microsoft Windows NT 4.0, or Computer Management in Microsoft Windows 2000 Server or Microsoft Windows Server 2003.

Note Many of the rights that are mentioned in this section are assigned "by proxy." The Cluster service account must be a member of the local Administrators group on the node. Therefore, if the local Administrators group holds a specific right, you typically do not have to grant it to the Cluster service account separately. However, if you are having difficulties with the rights for the Cluster service account, you can explicitly grant all the rights directly to the account that starts the Cluster service. In Windows Server 2003, you must explicitly add the Cluster service account to the local Administrators group of each node. For more information about a related topic, click the following article number to view the article in the Microsoft Knowledge Base:

812877 Cluster service does not start after you upgrade to Windows Server 2003, Enterprise Edition


Make sure that the following user rights are granted either to the local Administrators group or directly to the domain-level Cluster service account.

Windows Server 2003

Note If you change the account that is used to start the Cluster service, you must use Computer Management for Windows Server 2003 to change the account information on each node in the cluster. To do this, follow these steps:

  1. Start Computer Management for Windows Server 2003, expand the Services and Applications branch, and then click the Services branch.
  2. In the right pane, double-click Cluster Service. Select the Log On tab, and then update the account information.

To function correctly in Microsoft Windows Server 2003, the Cluster service account explicitly requires the following rights for all nodes in the cluster:

  • Act as part of the operating system
  • Adjust memory quotas for a process
  • Back up files and directories
  • Increase scheduling priorities
  • Log on as a service
  • Restore files and directories

Also, make sure that the local Administrators group holds the following user rights:

  • Debug programs
  • Impersonate a client after authentication
  • Manage auditing and security log

You can grant these rights in the following locations:

Local Security Policy\Security Settings\Local Policies\User Rights Assignment


Note If you create a Group Policy setting to update the Impersonate a client after authentication rights policy setting, make sure that the Cluster service account is listed in the policy setting in addition to the Local Administrators group and the account that is called SERVICE. If the Cluster service account is not listed, the computer may no longer have access to Windows Management Instrumentation (WMI). By default, these accounts are listed in the Impersonate a client after authentication rights policy. However, if you create a Group Policy setting without adding the Cluster service account, the local policy setting is overwritten, and WMI access fails.

Windows 2000 Server

Note If you change the account that is used to start the Cluster service, follow these steps:

  1. Click Start, point to Programs, and then point to Administrative Tools.
  2. Click Services. In the right pane, double-click Cluster Service.
  3. Select the Log On tab, and update the account information.

The Cluster service account requires the following rights on all nodes in the cluster to function correctly:

  • Act as part of the operating system.
  • Back up files and directories.
  • Increase quotas.
  • Increase scheduling priority.
  • Load and unload device drivers.
  • Lock pages in memory.
  • Log on as a service.
  • Restore files and directories.

Also, make sure that the local Administrators group holds the following user rights:

  • Debug programs
  • Impersonate a client after authentication
  • Manage auditing and security log

You can grant these rights in the following location:

Local Security Policy\Security Settings\Local Policies\User Rights Assignment


Windows NT 4.0

To configure the user rights on a Windows NT 4.0 cluster node, start User Manager, click the Policies menu, and then click User Rights. Select the Show Advanced User Rights check box; otherwise rights such as "Increase quotas" and "Lock pages in memory" do not appear in the list.

The Cluster service account requires the following rights on all nodes in the cluster to function correctly:

  • Back up files and directories
  • Increase quotas
  • Increase scheduling priority
  • Load and unload device drivers
  • Lock pages in memory
  • Log on as a service
  • Restore files and directories

Additional things to consider

When you remove a required right from the Cluster service account, you may cause unexpected behavior: the Cluster service may not start, or it may be unable to create certain clustered resources or to bring them online. For example, if neither the Cluster service account nor the local Administrators group holds the Manage auditing and security log user right, the Cluster service cannot create a Microsoft Distributed Transaction Coordinator (MSDTC) resource, because it cannot create the required crypto checkpoint settings.

Another example of this problem may occur when you modify the Access this computer from the network user right. You can modify this user right in the following location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment


By default, both the Everyone group and the Administrators group hold this right. If you remove the right from these groups and do not explicitly add the Cluster service account, you may not be able to join nodes to an existing cluster, and you may receive an "Access Denied" error when you try to connect to the cluster by using Cluster Administrator (Cluadmin.exe).
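The following script is an added example and is not part of this article. It audits one node against the Windows Server 2003 and Windows 2000 user-rights lists in the previous sections, the SERVICE entry from the "Impersonate a client after authentication" note, and the "Access this computer from the network" case just described. It assumes Windows PowerShell is installed on the node (Windows Server 2003; Windows 2000 and NT 4.0 nodes do not run PowerShell, so for Windows 2000 export the policy there with secedit and pass the file with -InfPath -Windows2000, and check NT 4.0 nodes in User Manager). The account name CONTOSO\clussvc, the temporary file name, and the secedit export format ("*SID" entries under [Privilege Rights]) are assumptions. The privilege constants are the standard Windows names behind the friendly names shown in Local Security Policy.

```powershell
# Added example, not part of KB 269229: audit the user rights listed above on a cluster node.
# Assumptions: PowerShell is present (Windows Server 2003); the Cluster service account is
# given as DOMAIN\name; secedit's INF lists holders as "*S-1-..." under [Privilege Rights].
# Windows 2000: run "secedit /export /mergedpolicy /cfg rights.inf" on the node, copy the
# file elsewhere, and pass it with -InfPath -Windows2000. NT 4.0: check in User Manager.
param(
    [Parameter(Mandatory=$true)][string]$ClusterAccount,   # e.g. CONTOSO\clussvc (assumed name)
    [string]$InfPath,                                      # optional: a previously exported INF
    [switch]$Windows2000                                   # use the Windows 2000 rights list
)

# Privilege constants behind the friendly names shown in Local Security Policy.
$friendly = @{
    'SeTcbPrivilege'                  = 'Act as part of the operating system'
    'SeIncreaseQuotaPrivilege'        = 'Adjust memory quotas for a process (Increase quotas)'
    'SeBackupPrivilege'               = 'Back up files and directories'
    'SeIncreaseBasePriorityPrivilege' = 'Increase scheduling priority'
    'SeServiceLogonRight'             = 'Log on as a service'
    'SeRestorePrivilege'              = 'Restore files and directories'
    'SeLoadDriverPrivilege'           = 'Load and unload device drivers'
    'SeLockMemoryPrivilege'           = 'Lock pages in memory'
    'SeDebugPrivilege'                = 'Debug programs'
    'SeImpersonatePrivilege'          = 'Impersonate a client after authentication'
    'SeSecurityPrivilege'             = 'Manage auditing and security log'
    'SeNetworkLogonRight'             = 'Access this computer from the network'
}
$accountRights = @('SeTcbPrivilege', 'SeIncreaseQuotaPrivilege', 'SeBackupPrivilege',
                   'SeIncreaseBasePriorityPrivilege', 'SeServiceLogonRight', 'SeRestorePrivilege')
if ($Windows2000) { $accountRights += 'SeLoadDriverPrivilege', 'SeLockMemoryPrivilege' }
$adminRights   = @('SeDebugPrivilege', 'SeImpersonatePrivilege', 'SeSecurityPrivilege')

$adminsSid   = 'S-1-5-32-544'   # BUILTIN\Administrators
$serviceSid  = 'S-1-5-6'        # NT AUTHORITY\SERVICE
$everyoneSid = 'S-1-1-0'        # Everyone
$accountSid  = (New-Object System.Security.Principal.NTAccount($ClusterAccount)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value

# Export the local security database when no INF was supplied (assumed temp file name).
$exported = $false
if (-not $InfPath) {
    $InfPath = Join-Path $env:TEMP 'clusrights.inf'
    & secedit.exe /export /cfg $InfPath /areas USER_RIGHTS | Out-Null
    $exported = $true
}

# Parse [Privilege Rights]: "SeXxx = *S-1-5-...,*S-1-5-..." into a hashtable of SID lists.
$rights  = @{}
$section = ''
foreach ($line in Get-Content $InfPath) {
    if ($line -match '^\[(.+)\]') { $section = $matches[1]; continue }
    if ($section -eq 'Privilege Rights' -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
if ($exported) { Remove-Item $InfPath -ErrorAction SilentlyContinue }

function Test-Holder([string]$priv, [string[]]$sids) {
    # True when any of the given SIDs is listed on the right (a right with no line has no holders).
    foreach ($s in $sids) { if ($rights[$priv] -contains $s) { return $true } }
    return $false
}

$problems = @()
foreach ($p in $accountRights) {
    # "By proxy" through local Administrators is accepted, as the Note above explains.
    if (-not (Test-Holder $p @($accountSid, $adminsSid))) {
        $problems += "$($friendly[$p]) [$p]: held by neither $ClusterAccount nor Administrators"
    }
}
foreach ($p in $adminRights) {
    if (-not (Test-Holder $p @($adminsSid))) { $problems += "$($friendly[$p]) [$p]: Administrators missing" }
}
# The GPO pitfall from the Impersonate note: SERVICE dropped from the list breaks WMI access.
if (-not (Test-Holder 'SeImpersonatePrivilege' @($serviceSid))) {
    $problems += 'Impersonate a client after authentication [SeImpersonatePrivilege]: SERVICE missing'
}
# The "Access this computer from the network" case: Everyone/Administrators removed, account not added.
if (-not (Test-Holder 'SeNetworkLogonRight' @($accountSid, $adminsSid, $everyoneSid))) {
    $problems += 'Access this computer from the network [SeNetworkLogonRight]: cluster account, Administrators and Everyone all missing'
}

if ($problems.Count -eq 0) { "All required user rights are present on $env:COMPUTERNAME" }
else { $problems | ForEach-Object { "MISSING: $_" } }
```

Run it on every node, not just one: the rights live in each node's local security database, and a Group Policy object that replaces a user-rights list (user-rights settings in Group Policy replace the local list rather than merging with it) may have reached one node and not yet another. A "MISSING" line for a right that you know is set in Local Security Policy is the signature of exactly that override.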

If an organization applies Group Policy objects that override the local security policy and remove a user right from the Cluster service account (that is, change the effective user rights), the Cluster service will fail at some point. To resolve this problem, follow these steps:

  1. Create an organizational unit (OU) in the domain or in the forest, and then block policy inheritance on that OU.
  2. Move the cluster nodes into the OU.
  3. To inherit the new user rights, stop and restart the Cluster service on each node.
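The following script is an added example and is not part of this article; it carries out the three steps above with ADSI, which is available on Windows Server 2003 without any additional module. The OU name ClusterNodes and the node names NODE1 and NODE2 are placeholders, and the script assumes the session has rights to create the OU, move the computer objects, and control services on the nodes. ClusSvc is the service name of the Cluster service, and gPOptions=1 is the attribute value that the "Block Policy inheritance" check box writes on an OU.

```powershell
# Added example, not part of KB 269229: the three steps above carried out with ADSI.
# Assumed names: OU "ClusterNodes" and nodes NODE1/NODE2. The session must be allowed to
# create the OU, move the computer objects, and stop/start services on the nodes.
$ouName = 'ClusterNodes'
$nodes  = 'NODE1', 'NODE2'

# Step 1: create the OU and block policy inheritance. gPOptions=1 is what the
# "Block Policy inheritance" check box in the Group Policy UI writes on the OU.
$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$ou = $domain.psbase.Children.Add("OU=$ouName", 'organizationalUnit')
$ou.Put('gPOptions', 1)
$ou.SetInfo()
"Created $($ou.psbase.Path) with policy inheritance blocked"

# Step 2: move each node's computer object into the OU (computer accounts are NAME$).
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
foreach ($node in $nodes) {
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$node`$))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { Write-Warning "Computer object for $node not found"; continue }
    $result.GetDirectoryEntry().psbase.MoveTo($ou)
    "Moved $node into OU=$ouName"
}

# Step 3: stop and restart the Cluster service (service name ClusSvc) on each node so it
# runs with the new effective user rights. One node at a time keeps the cluster online:
# resources fail over to the remaining node while this node's service is down.
foreach ($node in $nodes) {
    & sc.exe "\\$node" stop ClusSvc | Out-Null
    do { Start-Sleep -Seconds 2 } until ((& sc.exe "\\$node" query ClusSvc) -match 'STOPPED')
    & sc.exe "\\$node" start ClusSvc | Out-Null
    "Cluster service restarted on $node"
}
```

Two caveats before running this. Blocking inheritance drops every GPO linked above the OU, not only the one that removed the right, so any security baseline the nodes relied on must be re-linked to the new OU. And a GPO that is marked Enforced (No Override) still applies through a blocked OU; if the offending GPO is enforced, the fix is to correct that GPO rather than to move the nodes.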

If you have Kerberos authentication enabled for any one of a cluster's virtual servers, and you change the Cluster service account, you may affect access to the computer object in Active Directory directory service. Before you enable the Kerberos protocol for any virtual servers, see the following Microsoft Knowledge Base article:

307532 How to troubleshoot the Cluster service account when it modifies computer objects


Additionally, make sure that the Cluster service account has the following permissions on the computer objects in the appropriate OU:

  • Reset password
  • Change password
  • Validated write to DNS Host Name
  • Validated write to ServicePrincipalName
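The following script is an added example and is not part of this article. It checks, and with -Grant adds, the four permissions listed above on the OU that holds the cluster nodes, scoped so that only computer objects beneath the OU inherit them. The OU distinguished name and the Cluster service account are parameters (the values in the comments are placeholders); the GUIDs are the Active Directory schema identifiers of the two control access rights, the two validated writes, and the computer object class. Reset password and Change password are granted as extended rights; the two validated writes are granted as the Self right with the validated-write GUID, which is how Active Directory represents them.

```powershell
# Added example, not part of KB 269229: check, and with -Grant add, the four permissions
# above on the OU holding the cluster nodes, inherited by computer objects only.
# Assumptions: OU DN and Cluster service account are parameters; GUIDs are the schema's
# control-access-right, validated-write and computer-class identifiers.
param(
    [Parameter(Mandatory=$true)][string]$OuDN,            # e.g. OU=ClusterNodes,DC=contoso,DC=com
    [Parameter(Mandatory=$true)][string]$ClusterAccount,  # e.g. CONTOSO\clussvc
    [switch]$Grant
)
$required = @{
    'Reset password'                            = @{ Guid = '00299570-246d-11d0-a768-00aa006e0529'; Right = 'ExtendedRight' }
    'Change password'                           = @{ Guid = 'ab721a53-1e2f-11d0-9819-00aa0040529b'; Right = 'ExtendedRight' }
    'Validated write to DNS host name'          = @{ Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd'; Right = 'Self' }
    'Validated write to service principal name' = @{ Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1'; Right = 'Self' }
}
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "computer"

$sid = (New-Object System.Security.Principal.NTAccount($ClusterAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$ou  = [ADSI]"LDAP://$OuDN"
$acl = $ou.psbase.ObjectSecurity

function Test-Ace([string]$guid, [string]$rightName) {
    # True when an Allow ACE for the account on this OU carries the object-type GUID and the
    # matching right bit (ExtendedRight for control access rights, Self for validated writes).
    $want = [System.DirectoryServices.ActiveDirectoryRights]$rightName
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -ne $sid.Value) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ObjectType -ne [Guid]$guid) { continue }
        if (($ace.ActiveDirectoryRights -band $want) -eq 0) { continue }
        return $true
    }
    return $false
}

$changed = $false
foreach ($name in $required.Keys) {
    $spec = $required[$name]
    if (Test-Ace $spec.Guid $spec.Right) { "OK       $name"; continue }
    if (-not $Grant) { "MISSING  $name (re-run with -Grant to add it)"; continue }
    # Grant on the OU; Descendents + computer class GUID limits inheritance to computer objects.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]($spec.Right),
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]$spec.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClass)
    $acl.AddAccessRule($rule)
    "GRANTED  $name"
    $changed = $true
}
if ($changed) { $ou.psbase.CommitChanges() }
```

The check looks only for an ACE on the OU that names exactly these rights; a broader grant (Full Control, or an ACE placed directly on one computer object) also satisfies the Cluster service but is reported as MISSING, so confirm with dsacls on the object before adding anything. Keep the OU limited to the cluster nodes: Reset password on a computer object lets the holder take over that computer account, so the Cluster service account should not hold it on computer objects it has no business managing.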



Additional query words: MSCS security cluster permissions re-create recreate

Keywords: kbproductlink kbclustering kbhowto KB269229