Why does the AppManager Service account need the 'logon locally' right?
NetIQ AppManager Service Accounts
This is a basic NT Operating System permission issue. The domain admin account is necessary since (especially in the case of agentinstall) users will be remotely affecting how the server operates. Agentinstall requires the Management Server to remotely access the remote server, create services, start the services and execute the installation tasks on that agent server. An account can only do that if it has "log on locally" permissions.
The "log on as service" permission needs to be in effect to allow the service to be started in the first place, so that it can carry out these administrative tasks locally on that server. If the NT administrator account does not have domain admin privileges on another server, it will not be able to make the necessary registry changes or start remote processes on that machine. Microsoft requires this functionality, not NetIQ.
Log on Locally
Allows a user to log on at the computer's keyboard. By default, this right is granted to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.
Log on as a service
Allows a security principal to log on as a service, as a way of establishing a security context. The LocalSystem account always retains the right to log on as a service. Any service that runs under a separate account must be granted this right. By default, this right is not granted to anyone.
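To see which principals currently hold the two rights described above on a given server, the following added example (not NetIQ code) exports the local user-rights policy with secedit and lists the holders of each right. It assumes an elevated PowerShell prompt; the account name EXAMPLE\svc-appmanager is a placeholder, and SeInteractiveLogonRight and SeServiceLogonRight are the Windows constant names for "log on locally" and "log on as a service".

```powershell
# Placeholder account name (assumption); pass the account your AppManager services run as.
param([string]$ServiceAccount = 'EXAMPLE\svc-appmanager')

# Windows privilege constants for the two rights described above.
$rights = [ordered]@{
    SeInteractiveLogonRight = 'Log on locally'
    SeServiceLogonRight     = 'Log on as a service'
}

# Export only the user-rights area of local security policy to a temp file.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw 'secedit export failed; run from an elevated prompt.' }
    $lines = Get-Content -Path $cfg
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Entries are "*<SID>" or a plain account name; translate SIDs where possible.
function Resolve-Principal([string]$Entry) {
    $Entry = $Entry.Trim()
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sidText = $Entry.Substring(1)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch { return $sidText }   # unresolvable SID: report it as-is
}

foreach ($name in $rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $holders = @()   # stays empty when the right is granted to no one
    if ($line) {
        $holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Principal $_ })
    }
    [pscustomobject]@{
        Right           = $rights[$name]
        Holders         = $holders -join '; '
        # Direct grants only: a right inherited through a listed group shows as False here.
        GrantedDirectly = $holders -contains $ServiceAccount
    }
}
```

The output reflects the effective local policy on the machine where it runs, so run it on the agent server whose rights you want to confirm.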