Permissions and privileges required by the Vault Service account on Windows file servers

Article:HOWTO83407  |  Created: 2013-01-18  |  Updated: 2013-07-12  |  Article URL http://www.symantec.com/docs/HOWTO83407
Article Type
How To


Subject


Permissions and privileges required by the Vault Service account on Windows file servers

The FSA Agent and other FSA processes run on target Windows file servers under the Vault Service account. To perform the required tasks, the Vault Service account requires certain permissions and privileges on the file server:

  • The Vault Service account can run as a member of the built-in local Print Operators group on the file server, with an additional set of minimal permissions and privileges.

  • Alternatively, the Vault Service account can run as a member of the local Administrators group on the file server. The Administrator rights allow the account to perform the additional tasks of installing the FSA Agent and configuring the resource for a file server cluster. However, granting local Administrator rights to the Vault Service account on a file server may not always be advisable. For example:

    • Your company may forbid the granting of local Administrator rights to computer service accounts.

    • If the file server is a domain controller, you should not make the Vault Service account a local Administrator. An account that is a member of the local Administrators group on a domain controller is promoted to a Domain Administrator. We recommend that you do not make the Vault Service account a Domain Administrator.

If the Vault Service account is not a member of the local Administrators group, you must use a suitable account that is a member of that group when you install the FSA Agent, or if you configure the FSA resource for a Windows Server failover cluster.

See Account requirements for managing FSA with Windows file servers.

Note the following:

  • When you install the FSA Agent, either from the Administration Console or manually, Enterprise Vault adds the Vault Service account to the Print Operators group on the file server, and configures the additional set of minimal permissions and privileges.

  • If you do not install the FSA Agent on a file server, you must grant the required permissions and privileges to the Vault Service account manually.

    See Granting permissions to the Vault Service account if you do not install the FSA Agent.

  • To support the FSA resource on VCS-clustered file servers, you must make the Vault Service account a member of the local Administrators group on the VCS cluster nodes.

An appendix to this guide lists the permissions and privileges that the Vault Service account requires on a Windows file server.

See About the permissions and privileges required for the Vault Service account on Windows file servers.

See Adding a Windows file server to File System Archiving

See Account requirements for managing FSA with Windows file servers


Legacy ID



v81703431_v41328148


Article URL http://www.symantec.com/docs/HOWTO83407


Terms of use for this information are found in Legal Notices