How to run the Symantec Mail Security for Microsoft Exchange (SMSMSE) service account as LOCAL SYSTEM instead of a Windows domain account on Exchange 2010 Mailbox role

Article:HOWTO77387  |  Created: 2012-08-02  |  Updated: 2013-12-19  |  Article URL http://www.symantec.com/docs/HOWTO77387
Article Type
How To



During installation of SMSMSE on an Exchange 2010 server with the Mailbox role, the installer prompts for a Windows service account. The installer configures the Windows service Symantec Mail Security for Microsoft Exchange to run as this service account. Some organizations do not want to run Windows services as domain accounts, either for security reasons or because of Windows domain password reset requirements.

NOTE: Installing SMSMSE on an Exchange server without the Mailbox role does not require a Windows service account. On such servers the SMSMSE services run as LOCAL SYSTEM.

Use the following steps to configure the SMSMSE service to run as the LOCAL SYSTEM account:

1. Ensure SMSMSE is installed correctly, entering a Windows domain account when prompted by the SMSMSE installer.
2. Give the LOCAL SYSTEM account Exchange Application Impersonation permission to the Exchange Mailbox.

Open the Exchange Management Shell and use the following command:

New-ManagementRoleAssignment -Name "SMSMSE" -Role ApplicationImpersonation -Computer <computername>

[Screenshot: example of the command with the computer name WINDOWS2008-0.]

3. Set the Windows service SMSMSE to run as the LOCAL SYSTEM account.

a. Open the Services control panel.
b. Right-click the service Symantec Mail Security for Microsoft Exchange and select Properties.
c. Click the Log On tab.
d. Select the Local System account radio option.
e. Click the OK button.

4. Restart the Windows service Symantec Mail Security for Microsoft Exchange.
5. Remove the original Windows service account used from the Exchange Organization Management group.

a. Open the Active Directory Users and Computers MMC (Start|Administrative Tools|Active Directory Users and Computers).
b. Click the tree item Active Directory Users and Computers|<domain name>|Microsoft Exchange Security Groups to display the Exchange security groups (<domain name> is the name of the Active Directory domain).
c. Double click the group Organization Management to display the Organization Management group properties.
d. Click the Members tab to display the users in the group.
e. Click the Windows service account used for the SMSMSE installation and click the Remove button.
f. Click Yes at the confirmation dialog.
g. Click OK to close the Organization Management group properties.
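
The end state of steps 2 through 5 can be checked from the Exchange Management Shell on the Mailbox server. The following script is an added example, not part of the original Symantec article; the old service account name is a placeholder, and it assumes the role assignment was named SMSMSE as in step 2.

```powershell
# Added verification example (not Symantec's code). Run in the Exchange Management Shell.
$ServiceDisplayName = 'Symantec Mail Security for Microsoft Exchange'  # display name from the article
$AssignmentName     = 'SMSMSE'                   # -Name value used in step 2
$OldServiceAccount  = 'OLD-SERVICE-ACCOUNT'      # placeholder: account entered at install time
$results = @()

# Steps 3-4: the service should log on as LocalSystem and be running again.
$svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) {
    $results += 'FAIL: service not found on this server'
} else {
    if ($svc.StartName -eq 'LocalSystem') { $results += 'OK:   service logs on as LocalSystem' }
    else { $results += "FAIL: service still logs on as $($svc.StartName)" }
    if ($svc.State -eq 'Running') { $results += 'OK:   service is running' }
    else { $results += "FAIL: service state is $($svc.State)" }
}

# Step 2: the ApplicationImpersonation assignment should exist for the computer account.
$ra = Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue
if ($ra -and "$($ra.Role)" -like '*ApplicationImpersonation*') {
    $results += "OK:   '$AssignmentName' assigned to $($ra.RoleAssigneeName)"
    # Record the scope so reviewers can see which recipients the computer account may impersonate.
    $results += "INFO: recipient write scope = $($ra.RecipientWriteScope)"
} else {
    $results += "FAIL: no ApplicationImpersonation assignment named '$AssignmentName'"
}

# Step 5: the old domain account should no longer be in Organization Management.
$stale = Get-RoleGroupMember -Identity 'Organization Management' |
    Where-Object { $_.SamAccountName -eq $OldServiceAccount -or $_.Name -eq $OldServiceAccount }
if ($stale) { $results += "FAIL: $OldServiceAccount is still a member of Organization Management" }
else        { $results += "OK:   $OldServiceAccount is not in Organization Management" }

$results
```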

Related Articles

Permissions considerations for the Symantec Mail Security 6.5 for Microsoft Exchange service account

When editing a manual scan in Symantec Mail Security for Microsoft Exchange 6.5 installed on Exchange 2010 mailbox servers, the mailbox and public folder list is not populated.
"Error 1609: The service did not start due to a logon failure" When attempting to start the Symantec Mail Security for Exchange 6.5 service
During a manual scan on an Exchange 2010 Mailbox server, the scan stops and no messages are scanned
Content filtering rules with Active Directory user conditions do not apply as configured on Exchange 2010



 

 



