Permissions and privileges required by the Vault Service account on Windows file servers
|Article:HOWTO83407|||||Created: 2013-01-18|||||Updated: 2014-12-04|||||Article URL http://www.symantec.com/docs/HOWTO83407|
The FSA Agent and other FSA processes run on target Windows file servers under the Vault Service account. To perform the required tasks, the Vault Service account requires certain permissions and privileges on the file server:
The Vault Service account can run as a member of the built-in local Print Operators group on the file server, with an additional set of minimal permissions and privileges.
Alternatively, the Vault Service account can run as a member of the local Administrators group on the file server. The Administrator rights allow the account to perform the additional tasks of installing the FSA Agent and configuring the resource for a file server cluster. However, granting local Administrator rights to the Vault Service account on a file server may not always be advisable. For example:
Your company may forbid the granting of local Administrator rights to computer service accounts.
If the file server is a domain controller, you should not make the Vault Service account a local Administrator. An account that is a member of the local Administrators group on a domain controller is promoted to a Domain Administrator. We recommend that you do not make the Vault Service account a Domain Administrator.
If the Vault Service account is not a member of the local Administrators group, you must use a suitable account that is a member of that group when you install the FSA Agent, or if you configure the FSA resource for a Windows Server failover cluster.
Note the following:
When you install the FSA Agent, either from the Administration Console or manually, Enterprise Vault adds the Vault Service account to the Print Operators group on the file server, and configures the additional set of minimal permissions and privileges.
If you do not install the FSA Agent on a file server, you must grant the required permissions and privileges to the Vault Service account manually.
To support the FSA resource on VCS-clustered file servers, you must make the Vault Service account a member of the local Administrators group on the VCS cluster nodes.
An appendix to this guide lists the permissions and privileges that the Vault Service account requires on a Windows file server.
Article URL http://www.symantec.com/docs/HOWTO83407