This topic has not yet been rated - Rate this topic

Understanding User Roles

Updated: December 10, 2012

Applies To: Microsoft HPC Pack 2008 R2, Microsoft HPC Pack 2012, Windows HPC Server 2008 R2

There are two types of HPC cluster user roles:

Administrator. HPC cluster administrators have permissions to manage all aspects of the cluster, including configuring the HPC cluster network, deploying and managing nodes, and configuring the HPC Job Scheduler Service. Cluster administrators may also submit and manage jobs, tasks, and job templates that are created in or submitted to the cluster by other users.
User. HPC cluster users have permissions to submit tasks and jobs to the cluster, and to manage tasks and jobs that they have submitted. When a job that was submitted by an HPC cluster user fails, the user is able to diagnose, repair, and resubmit that job. Although HPC cluster users can see the jobs that have been submitted by others users, they cannot cancel those jobs or resubmit them. Also, HPC cluster users cannot view the job details and tasks for jobs that they did not submit themselves.

Active Directory Domain Services (AD DS) is a prerequisite to installing Microsoft® HPC Pack because the authentication process for users and computers relies on the services provided by AD DS.

At installation time, the Domain Admins group is added to the cluster as an HPC cluster administrator, and there are no HPC cluster users. You have to manually add domain users or domain groups as HPC cluster administrators, if they are not already members of the Domain Admins group.

When you add a new HPC cluster administrator on your cluster, the domain account for that user or group is automatically propagated to all compute nodes and broker nodes on the cluster, as a member of the local Administrators group of each node. In the case of workstation nodes, HPC cluster administrators are not propagated, so that user rights on the workstation nodes are not affected.

To be able to submit a job to the cluster, a domain user must be added as an HPC cluster user, or the domain user must be a member of a domain group that has been added as an HPC cluster user. HPC cluster users are not propagated to any type of node.

Important
If the HPCAdminMirror and/or HPCUsers groups are missing from the head node, then administrators and users will not propagate to compute nodes.

To restore functionality, you can run the following batch script from an elevated command on the cluster head node. The script recreates the groups then restarts the HpcManagement service to rebuild the user memberships of the groups, which will then get propagated to the cluster compute nodes.

net localgroup /add HPCAdminMirror /comment:"This group is used by HPC services to grant HPC administrators the ability to submit jobs to a cluster when running with standard user privileges. Do not modify this group directly; use the documented methods for adding and removing HPC administrators."
net localgroup /add HPCUsers /comment:"Users that can submit jobs to the HPC cluster"
net stop hpcmanagement & net start hpcmanagement

Note
For more information about HPC user roles, see the security considerations for designating HPC cluster users and administrators in the Windows HPC Server Technical Library.

Additional references

Did you find this helpful? Yes No

Not accurate

Not enough depth

Need more code examples

(1500 characters remaining)