Predefined Local System Users

Intel AMT has predefined local system users, described in the following table.

User: $$OsAdmin
Supported Intel AMT Releases: 6.1 and later

Description: This user allows an application with OS System Admin privileges to access a subset of Intel AMT settings without additional AMT credentials, even before setup and configuration has been performed. This allows “out of the box” operations. The $$OsAdmin user has access to the following realms:

     GENERAL_INFO_REALM
     LOCAL_SYSTEM_REALM
     LOCAL_APPS_REALM
     EAC_REALM
     STORAGE_REALM (STOR)
     HARDWARE_ASSET_REALM
     EVENT_LOG_READER_REALM

This user also has STORAGE_ADMIN_REALM access before setup and configuration starts or after unconfiguration completes.

This list of realms cannot be changed. The $$OsAdmin user cannot be disabled or removed, nor can its password be changed. Intel AMT regenerates the password every time the host reboots (but no more frequently than once in 24 hours).

This user can access Intel AMT during a remote setup and configuration activity (TLS-PSK or remote configuration) without a need for TLS Mutual Authentication (as required on the network interface) until the setup and configuration program successfully invokes CommitChanges. After that, the policy defined during setup and configuration will be applied.

The following local users also cannot be deleted, but they can be disabled and re-enabled, and their passwords can be changed by a user with admin privileges:

User: $$uns
Supported Intel AMT Releases: All

Description: Has access to the LOCAL_APPS_REALM (LOCAPP). Starting with Release 6.1, this user can access Intel AMT during a remote setup and configuration activity (TLS-PSK or remote configuration) without a need for TLS Mutual Authentication (as required on the network interface) until the setup and configuration program successfully invokes CommitChanges. After that, the policy defined during setup and configuration will be applied.

User: $$eac
Supported Intel AMT Releases: 6.1 and earlier (not supported from Release 7.0)

Description: Has access to the EAC_REALM (EAC).

User: $$3PDS
Supported Intel AMT Releases: 6.0 and 6.1 only (not supported from Release 7.0)

Description: Has local access to the STORAGE_REALM (STOR). This user is, by default, disabled but can be enabled by a user with SYSTEM_ADMIN privileges.

Accessing the $$OsAdmin Password

Retrieve the $$OsAdmin credentials by invoking the MEI command CFG_GetLocalSystemAccount, which returns the user ID (always $$OsAdmin) and a randomly generated password. Alternatively, invoke the WMI method OOB_Service.GetLocalAdminCredentials via the ME WMI provider (see Intel ME WMI Provider). The PC user who performs this step must have OS Admin privileges on the host platform. Use the returned credentials for WS-Management requests for any of the methods accessible by this user. The General Info sample (located at <SDK_root>\Windows\Intel_AMT\Samples\WS-Management\GeneralInfo) demonstrates this procedure.

Addition of the LOCAL_SYSTEM_REALM

Release 6.1 adds the LOCAL_SYSTEM_REALM, which grants access to a number of Intel AMT methods, in addition to the other realms accessible by the $$OsAdmin user. This realm can be assigned to other users.

In Release 6.1, the methods of the AMT_WiFiPortConfigurationService are no longer accessible with LOCAL_APPS_REALM permissions, but are accessible by LOCAL_SYSTEM_REALM.
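
The predefined-user table and the note that LOCAL_SYSTEM_REALM can be assigned to other users, applied as an audit over a user inventory. This is an added example, not Intel SDK code: the LocalUser record, the expected_realms and audit functions, the sample inventory and the user name helpdesk are constructed for illustration, and release strings are assumed to start with major.minor.

```python
from collections import namedtuple

# Hypothetical inventory record, not an SDK type; realms is a set of realm names.
LocalUser = namedtuple("LocalUser", "name enabled realms")

# $$OsAdmin realms as listed in the table above.
OSADMIN_REALMS = frozenset({
    "GENERAL_INFO_REALM", "LOCAL_SYSTEM_REALM", "LOCAL_APPS_REALM", "EAC_REALM",
    "STORAGE_REALM", "HARDWARE_ASSET_REALM", "EVENT_LOG_READER_REALM"})

def expected_realms(name, release, unconfigured):
    """Realms the table gives a predefined user; None if unsupported on this release."""
    rel = tuple(int(p) for p in release.split(".")[:2])
    if name == "$$OsAdmin" and rel >= (6, 1):
        # STORAGE_ADMIN_REALM only before setup starts or after unconfiguration completes.
        return OSADMIN_REALMS | ({"STORAGE_ADMIN_REALM"} if unconfigured else set())
    if name == "$$uns":
        return frozenset({"LOCAL_APPS_REALM"})
    if name == "$$eac" and rel <= (6, 1):
        return frozenset({"EAC_REALM"})
    if name == "$$3PDS" and rel in ((6, 0), (6, 1)):
        return frozenset({"STORAGE_REALM"})
    return None

def audit(users, release, unconfigured):
    """Return (user, finding) pairs for entries that deviate from the table."""
    findings = []
    for u in users:
        if not u.name.startswith("$$"):
            # LOCAL_SYSTEM_REALM can be assigned to other users; list them for review.
            if "LOCAL_SYSTEM_REALM" in u.realms:
                findings.append((u.name, "holds LOCAL_SYSTEM_REALM"))
            continue
        expected = expected_realms(u.name, release, unconfigured)
        if expected is None and u.enabled:
            findings.append((u.name, "enabled but not supported on " + release))
        elif expected is not None and set(u.realms) - expected:
            extra = ", ".join(sorted(set(u.realms) - expected))
            findings.append((u.name, "unexpected realms: " + extra))
    return findings

# Constructed sample inventory for a configured Release 7.0 system.
SAMPLE = [
    LocalUser("$$OsAdmin", True, OSADMIN_REALMS | {"STORAGE_ADMIN_REALM"}),
    LocalUser("$$uns", True, {"LOCAL_APPS_REALM"}),
    LocalUser("$$eac", True, {"EAC_REALM"}),
    LocalUser("helpdesk", True, {"GENERAL_INFO_REALM", "LOCAL_SYSTEM_REALM"}),
]
```

Calling audit(SAMPLE, "7.0", unconfigured=False) reports $$OsAdmin for still holding STORAGE_ADMIN_REALM after configuration, $$eac for being enabled on a release that no longer supports it, and helpdesk for holding LOCAL_SYSTEM_REALM.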

See Also:

   Functionality to Realm Mapping

   Table mapping classes and methods to realms


Copyright © 2006-2013, Intel Corporation. All rights reserved.