Client Security Best Practices Analyzer tool: Action account check

Applies To: Forefront Client Security

The collection server uses the action account to run server-side scripts and security state assessment scans.

The action account must be a local administrator on the collection server. If it is not, you must grant the action account these privileges or, if you're reusing the DAS account as the action account, grant the DAS account these privileges.

To determine if the action account has the correct permissions, the Microsoft Forefront Client Security Best Practices Analyzer tool determines whether the server contains collection components. If so, the tool determines whether the action account is a member of the local administrators group. If the check fails, you must grant the action account local administrator privileges.

Important

If the action account is a member of a group that has been granted local administrator privileges on this server, then you can disregard the failed-check message. The check does not verify whether the action account is a member of a group that is itself a member of the local administrators group; instead, the check verifies only whether the action account itself is a direct member of the local administrators group.
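
To tell a real failure from the nested-group case described above, you can compare direct and nested membership yourself. The following script is an added example, not part of the Best Practices Analyzer tool or the original page. It assumes it is run on the collection server with .NET Framework 3.5 or later available and with rights to read any domain groups involved; the account name `CONTOSO\fcs-action` and the function name `Test-GroupContainsSid` are placeholders.

```powershell
# Added example. $Account is a placeholder; pass the real action account name.
param([string]$Account = 'CONTOSO\fcs-action')

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Resolve the account to a SID so matching does not depend on name format.
$accountSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Resolve the built-in Administrators group from its well-known SID, so the
# lookup also works where the group has a localized name.
$adminsName = (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')).Translate(
    [System.Security.Principal.NTAccount]).Value.Split('\')[-1]

$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Machine)
$admins = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity(
    $ctx, $adminsName)
if (-not $admins) { throw "Local group '$adminsName' not found." }

# Hypothetical helper: returns $true if the SID appears among the group's members.
function Test-GroupContainsSid($Group, [string]$Sid, [bool]$Recurse) {
    # GetMembers($false) lists direct members only.
    # GetMembers($true) expands nested groups and returns the leaf principals.
    foreach ($member in $Group.GetMembers($Recurse)) {
        if ($member.Sid.Value -eq $Sid) { return $true }
    }
    return $false
}

$direct = Test-GroupContainsSid $admins $accountSid $false
$nested = (-not $direct) -and (Test-GroupContainsSid $admins $accountSid $true)

if ($direct) {
    "$Account is a direct member of $adminsName, which is what the check looks for."
} elseif ($nested) {
    "$Account is an administrator only through a nested group; a failed-check message can be disregarded."
} else {
    "$Account is not a local administrator; grant it local administrator privileges."
}
```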