Enterprise Manager Credentials on Windows
Submitted by Niall Litchfield on Thu, 12/20/2007 - 12:42.

A common, vexed question that comes up on various forums from time to time is how to set credentials for Enterprise Manager so that it can perform its various OS tasks on Windows hosts. The root cause is almost certainly that the error message fed back when EM fails to authenticate correctly to the OS is
Invalid username or password
when more often it should really read
Insufficient privileges.
There are 4 system privileges that you need to give to the OS account that you use for EM authentication to the OS. These are:
- Logon as a batch job
- Act as part of the operating system
- Adjust memory quotas for a process
- Replace a process level token
On Windows 2000 machines the third is named Increase memory quotas. In addition, it seems sensible to me to create an account specifically for this purpose - either local to the server or a domain account - and grant these rights to the account, make it a member of the ORA_DBA group if necessary, and revoke the logon interactively privilege from the user.
You can adjust these settings as an administrator using the group policy editor, or persuade your sysadmins to create a domain-wide policy along these lines using the User Rights Assignment tree under Windows Settings. The group policy editor can be started by choosing Start | Run and entering gpedit.msc.
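Because the error message hides which right is missing, it helps to check the assignments directly. The following is an added example, not part of the original post: it parses the `[Privilege Rights]` section of a `secedit` export and reports which of the four rights an account holds. Assumptions: the `Se*` names are the standard Windows constants for the policies listed above, the account name `svc_oraem` and its SID are constructed, only direct assignments are checked (rights inherited through a group are not resolved), and "Deny log on locally" is taken as one way to remove interactive logon.

```powershell
# Added example: report which of the rights listed above an account holds directly.
# For a real host, export from an elevated prompt and pass the file's lines as -InfLines:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# The path, account name and SID used here are constructed sample values.
$Required = [ordered]@{
    SeBatchLogonRight             = 'Log on as a batch job'
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}

function Get-UserRightHolders {
    param([string[]]$InfLines)
    $map = @{}; $inRights = $false
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inRights = $Matches[1] -eq 'Privilege Rights'; continue }
        if ($inRights -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]; $value = $Matches[2]
            # Each entry is either *SID or a bare account name; strip the leading '*'.
            $map[$name] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $map
}

function Test-EmAccountRights {
    param([string[]]$InfLines, [string]$Account, [string]$Sid)
    $holders = Get-UserRightHolders -InfLines $InfLines
    $ids = @($Account, $Sid) | Where-Object { $_ }
    foreach ($right in $Required.Keys) {
        $held = [bool](@($holders[$right]) | Where-Object { $ids -contains $_ })
        [pscustomobject]@{ Right = $right; Policy = $Required[$right]; Held = $held }
    }
    # Informational: is interactive logon explicitly denied for the account?
    $denied = [bool](@($holders['SeDenyInteractiveLogonRight']) | Where-Object { $ids -contains $_ })
    [pscustomobject]@{ Right = 'SeDenyInteractiveLogonRight'; Policy = 'Deny log on locally'; Held = $denied }
}

# Constructed export: the account is missing 'Adjust memory quotas for a process'.
$sample = @'
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,svc_oraem
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@ -split "\r?\n"

Test-EmAccountRights -InfLines $sample -Account 'svc_oraem' -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105' |
    Format-Table -AutoSize
```

Any of the four required rows showing `Held` as `False` is a candidate cause of the misleading "Invalid username or password" message, unless the right reaches the account through a group.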

