Creating installation and service accounts

Applies To: Forefront Client Security

Before installing Client Security, make sure to create the appropriate installation and service accounts and assign any necessary permissions to them. In most cases, Client Security will automatically assign permissions to the service accounts as part of setup. For the action account, however, you must grant local administrator privileges on the collection server.

Installation account

Before installing and deploying Client Security, make sure to create the appropriate installation account for installing and verifying your installation. This account must be a local administrator on all of the servers.

To deploy Client Security to the client computers, you must use an account that has permission to create, edit, and deploy policies.

For more information about creating user roles for managing Client Security, including details on separate roles for creating policies and for deploying policies, see Working with user roles (https://go.microsoft.com/fwlink/?LinkId=86555) in the Administrator's Guide.

Service accounts

You will be required to enter information about service accounts during the installation of Client Security and its software prerequisites. You will need to manually grant permissions after installing Client Security.

It is recommended that you use a single domain user account for all of the Client Security service accounts.

| Account | Type | Description |
| --- | --- | --- |
| Data Access Server (DAS) account | Domain user and, in some cases, local administrator on collection server | If you are reusing the DAS account for the action account, you must grant the DAS account local administrator privileges on the collection server. If User Account Control (UAC) is enabled on the collection server, you must manually add the DAS account to the Mom Administrators local group after the collection server role has been installed. The collection server uses the DAS account to access the collection database. Client Security automatically grants the DAS account permissions as part of setup. |
| Reporting account | Domain user | The reporting server uses the reporting account to access the reporting database and the collection database. |
| Action account | Domain user and local administrator on the collection server | The action account must be a local administrator on the collection server. You must either grant the action account these privileges, or if you're reusing the DAS account for the action account, grant the DAS account these privileges. The collection server uses the action account to run server-side scripts and security state assessment scans. The action account must be a domain user account. |
| Data Transformation Services (DTS) account | Domain user | The reporting server uses the DTS account to run a Windows Scheduler task (a DTS job) that transfers data from the collection database to the reporting database. |
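
The two local group requirements described above (action account in Administrators, and the DAS account in Mom Administrators when UAC is enabled) can be checked on the collection server once setup has finished. The following PowerShell is an added example, not part of the original documentation; the account names CONTOSO\svc-fcs-action and CONTOSO\svc-fcs-das and the function names are hypothetical, and only direct group members are examined, so an account that is a member through a nested domain group is reported as Missing.

```powershell
# Added example. Account names are hypothetical placeholders; replace them with your own.
$Required = @(
    @{ Group = 'Administrators';     Account = 'CONTOSO\svc-fcs-action' },  # action account
    @{ Group = 'Mom Administrators'; Account = 'CONTOSO\svc-fcs-das' }      # DAS account (UAC enabled)
)

function Get-DirectGroupMember {
    param([string]$Group, [string]$Computer = $env:COMPUTERNAME)
    # The WinNT ADSI provider is used so the check also runs on older PowerShell versions.
    $entry = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($member in @($entry.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # ADsPath is WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name; keep the last two parts.
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[-1] }
    }
}

function Test-RequiredMembership {
    param([hashtable[]]$Required, [string]$Computer = $env:COMPUTERNAME)
    foreach ($item in $Required) {
        $status = 'Missing'
        $detail = ''
        try {
            $members = @(Get-DirectGroupMember -Group $item.Group -Computer $Computer)
            # -contains compares case-insensitively, which matches Windows account names.
            if ($members -contains $item.Account) { $status = 'Present' }
        } catch {
            # Raised when the group does not exist (role not installed yet) or cannot be read.
            $status = 'GroupUnreadable'
            $detail = $_.Exception.Message
        }
        New-Object PSObject -Property @{
            Computer = $Computer
            Group    = $item.Group
            Account  = $item.Account
            Status   = $status
            Detail   = $detail
        }
    }
}

Test-RequiredMembership -Required $Required |
    Format-Table Computer, Group, Account, Status, Detail -AutoSize
```

Run it in an elevated session on the collection server. If a single domain account is reused for all service accounts, as recommended above, list that one account against both groups.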