Export (0) Print
Expand All

Creating installation and service accounts

Published: December 16, 2009

Applies To: Forefront Client Security

Before installing Client Security, make sure to create the appropriate installation and service accounts and assign any necessary permissions to them. In most cases, Client Security will automatically assign permissions to the service accounts as part of setup. For the action account, however, you must grant local administrator privileges on the collection server.

Installation account

Before installing and deploying Client Security, make sure to create the appropriate installation account for installing and verifying your installation. This account must be a local administrator on all of the servers.

To deploy Client Security to the client computers, you must use an account that has permission to create, edit, and deploy policies.

For more information about creating user roles for managing Client Security, including details on separate roles for creating policies and for deploying policies, see Working with user roles (http://go.microsoft.com/fwlink/?LinkId=86555) in the Administrator's Guide.

Service accounts

You will be required to enter information about service accounts during the installation of Client Security and its software prerequisites. You will need to manually grant permissions after installing Client Security.

It is recommended that you use a single domain user account for all of the Client Security service accounts.

 

Account Type Description

Data Access Server (DAS) account

Domain user and, in some cases, local administrator on collection server

If you are reusing the DAS account for the action account, you must grant the DAS account local administrator privileges on the collection server.

If User Account Control (UAC) is enabled on the collection server, you must manually add the DAS account to the Mom Administrators local group after the collection server role has been installed.

The collection server uses the DAS account to access the collection database.

Client Security automatically grants the DAS account permissions as part of setup.

Reporting account

Domain user

The reporting server uses the reporting account to access the reporting database and the collection database.

Action account

Domain user and local administrator on the collection server

The action account must be a local administrator on the collection server. You must either grant the action account these privileges, or if you're reusing the DAS account for the action account, grant the DAS account these privileges.

The collection server uses the action account to run server-side scripts and security state assessment scans. The action account must be a domain user account.

Data Transformation Services (DTS) account

Domain user

The reporting server uses the DTS account to run a Windows Scheduler task (a DTS job) that transfers data from the collection database to the reporting database.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft