Planning ACM and Discovery and Risk Assessment Accounts

Applies to: Audit and Control Management Server

Summary: Learn which accounts and privileges are required for Audit and Control

What accounts do I need to create before I begin?

Before you begin your installation of Microsoft Audit and Control Management Server 2013 and Microsoft Discovery and Risk Assessment Server 2013, you need to have the required service accounts established. Each of these accounts serves a different purpose and the privileges required vary. It is helpful to create a list of these accounts as you will be prompted for them during the installation and configuration process.

Required Accounts

Each entry below gives the account, where it is created, and the privileges it requires.

Installation account
Where created: Windows Domain
Privileges required:

  • Used to install and configure the software and database. It does not need to remain in use once installation and configuration are complete.

  • Member of the local Administrators group on the server where the software is installed and configured.

  • Member of the sysadmin fixed server role on the SQL Server instance where the ACM database will be created and hosted.

ACM web site application pool identity
Where created: Windows Domain
Privileges required:

  • Log on as a batch job user right on all ACM web servers.

  • Read/write access to the processing folders.

  • Read/write access to the Versions folders. Write access is needed so that files can be removed from the Versions folder when a site administrator deletes files from the My Files page.

  • Membership in the db_owner role ("dbo") on the ACM database.

  • If db_owner is not granted, the account instead needs read and write access to the ACM database (db_datareader and db_datawriter) plus EXECUTE permission on the stored procedures and functions in the ACM database.

ACM Application Service Account
Where created: Windows Domain
Privileges required:

  • Member of the local Administrators group on all application servers.

  • Log on as a service user right on all application servers.

  • Optional: to identify the user account that changed a file, the service account must be a member of the local Administrators group on every file server where monitored files are stored. Without this, the system falls back to the "Last Saved By" document property of Excel files to determine who changed the file. Note that this property is metadata written by the client application, not an authenticated identity, so the fallback is less reliable than the audit-based identification.

  • Read access to all file shares, folders, and files that the system will monitor.

  • Read access to all SharePoint document libraries, folders, and files that the system will monitor. The account must be able to browse the directory structure in order to track files in subfolders of a monitored folder.

  • Use Remote Interfaces permission on all SharePoint sites where files are tracked.

  • Membership in the db_owner role ("dbo") on the ACM database.

  • If db_owner is not granted, the account instead needs read and write access to the ACM database (db_datareader and db_datawriter) plus EXECUTE permission on the stored procedures and functions in the ACM database.
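The following PowerShell script is an added example, not part of the original page or of the ACM product. It runs on an application or web server before installation and checks the Windows-side requirements listed above for the application pool identity and the application service account: the expected user rights (Log on as a service or Log on as a batch job), membership in the local Administrators group, and an NTFS read grant on each monitored share. The account name, the share paths, and the list of rights are placeholders you supply. It reads the local security policy with secedit, so run it elevated.

```powershell
# Added example: pre-flight check of Windows-side privileges for an ACM
# account. Not ACM product code. Account and share names are assumed
# placeholders. Run elevated on each server being checked.
param(
    [string]$Account = 'CONTOSO\svc-acm-app',                 # assumed placeholder
    [string[]]$MonitoredShares = @('\\fileserver01\finance'), # assumed placeholder
    # Rights to expect on this server: SeServiceLogonRight for the service
    # account on application servers, SeBatchLogonRight for the application
    # pool identity on web servers.
    [string[]]$ExpectedRights = @('SeServiceLogonRight')
)

# Resolve the account to its SID; the exported policy lists SIDs, not names.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. User rights assignment: export local policy and look for the SID on the
#    line for each expected right. Lines look like
#    "SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-..." (SIDs prefixed with *).
#    A right granted through a group shows the group's SID, so a FAIL here may
#    still be satisfied by nested membership; check the group in that case.
$inf = Join-Path $env:TEMP ('acm-rights-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $inf
Remove-Item -Path $inf -Force

$results = [ordered]@{}
foreach ($right in $ExpectedRights) {
    $line = $policy | Where-Object { $_ -match ('^' + [regex]::Escape($right) + '\s*=') }
    $results["User right $right"] = [bool]($line -and ($line -match [regex]::Escape("*$sid")))
}

# 2. Local Administrators membership (direct members only; nested domain
#    group membership is not expanded here).
$admins = Get-LocalGroupMember -Group 'Administrators'
$results['Member of local Administrators'] = [bool]($admins | Where-Object { $_.SID.Value -eq $sid })

# 3. Read access on each monitored share: look for an Allow ACE in the NTFS
#    DACL granting at least ReadData to the account itself. Group-based grants
#    and share-level (SMB) permissions are not evaluated here.
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
foreach ($share in $MonitoredShares) {
    $acl = Get-Acl -Path $share
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        (($_.FileSystemRights -band $readData) -eq $readData)
    }
    $results["Read access on $share"] = [bool]$ace
}

# 4. Report one line per check; non-zero exit if anything failed.
foreach ($entry in $results.GetEnumerator()) {
    '{0} {1}' -f ($(if ($entry.Value) { 'PASS' } else { 'FAIL' }), $entry.Key)
}
if ($results.Values -contains $false) { exit 1 }
```

The checks deliberately test direct grants only. If your environment assigns rights and ACLs through groups, a FAIL is a prompt to confirm the group membership rather than a definitive failure; the point is to catch missing grants before the installer prompts for the account.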

Discovery & Risk application account
Where created: Windows Domain
Privileges required:

  • Used to run the Discovery and Risk Assessment application.

  • At least Read access to every network share and SharePoint location that will be scanned. Locations whose files the account cannot read are silently empty in the results: no files are reported from them.

  • Read and write permission on the associated ACM Server database.
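The table allows a narrower alternative to db_owner for the application pool identity and the application service account (read/write plus EXECUTE), and the Discovery & Risk account needs only read/write. The following PowerShell script is an added example, not part of the original page or of the ACM product: it grants that least-privilege set to a Windows account and then verifies it by impersonating the account inside SQL Server. The server, database, and account names are placeholders; it needs the SqlServer module's Invoke-Sqlcmd and a login that can create logins and users (the installation account, which is sysadmin, qualifies).

```powershell
# Added example: grant the fallback ("not dbo") database privileges listed
# above and verify them from the account's own security context.
# Not ACM product code. Server, database and account names are assumed
# placeholders. Requires the SqlServer module (Invoke-Sqlcmd) and a login
# able to create logins/users, e.g. the sysadmin installation account.
param(
    [string]$ServerInstance = 'sql01',               # assumed placeholder
    [string]$Database       = 'ACM',                 # assumed placeholder
    [string]$Account        = 'CONTOSO\svc-acm-app', # assumed placeholder
    # ACM application accounts need EXECUTE on stored procedures and
    # functions; the Discovery & Risk account needs only read/write.
    [switch]$GrantExecute
)

# Login + database user, then the read/write roles. ALTER ROLE ... ADD MEMBER
# is SQL Server 2012+; older instances use sp_addrolemember instead.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
ALTER ROLE db_datareader ADD MEMBER [$Account];
ALTER ROLE db_datawriter ADD MEMBER [$Account];
"@
if ($GrantExecute) {
    # EXECUTE at schema scope covers every procedure and function in dbo,
    # including ones created later, without handing out db_owner.
    $grant += "GRANT EXECUTE ON SCHEMA::dbo TO [$Account];`n"
}
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $grant

# Verify as the account itself. EXECUTE AS USER needs IMPERSONATE on the
# user, which db_owner and sysadmin hold. Expected: reader=1, writer=1,
# owner=0, exec_on_dbo=1 when -GrantExecute was used, otherwise 0.
$check = @"
EXECUTE AS USER = N'$Account';
SELECT IS_ROLEMEMBER('db_datareader')                 AS reader,
       IS_ROLEMEMBER('db_datawriter')                 AS writer,
       IS_ROLEMEMBER('db_owner')                      AS owner,
       HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'EXECUTE')  AS exec_on_dbo;
REVERT;
"@
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $check | Format-List
```

Choosing this path over db_owner means a compromised application pool identity or service account can read and modify rows and call the application's procedures, but cannot alter the schema, drop tables, or change permissions on the ACM database. The verification step is worth keeping in the runbook because it tests the effective permissions of the account rather than what an administrator believes was granted.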