Query Engine Service Account User Rights

Article:TECH115977  |  Created: 2009-01-23  |  Updated: 2009-01-23  |  Article URL http://www.symantec.com/docs/TECH115977
Article Type
Technical Solution


Issue



Is it recommended that the QE service account be of the domain administrator level ?


Solution




It is recommended that the QE service account be of the domain administrator level. This will allow all functionality to operate normally. Specifically, this will allow all caching to function as well as MQE to MQE proxy queries. But, at a minimum, the service account must be administrator equivalent on the host computer. If only local administrator privilege exists, User, Group, Last Logon, and Computer caching as well as MQE to MQE proxy queries will not function but all other operations should function without issue. The QE service account requires the following user rights assignment on the host computer. No user rights are dynamically added or removed at run-time.

The QE installer directly grants these user rights to the QE service account on the QE machine.

- Act as part of the operating system
- Increase quotas
- Log on as a service
- Replace a process level token

The following rights are indirectly granted to the QE service account since it is an effective member of the local administrators group.

- Backup files and directories
- Bypass traverse checking
- Manage auditing and security log
- Modify firmware environment values
- Restore files and directories
- Shut down the system
- Take ownership of files or other objects





Legacy ID



2009072317495253


Article URL http://www.symantec.com/docs/TECH115977


Terms of use for this information are found in Legal Notices