Permissions considerations for the Symantec Mail Security for Microsoft Exchange service account
|Article:TECH123108|||||Created: 2010-01-09|||||Updated: 2014-05-06|||||Article URL http://www.symantec.com/docs/TECH123108|
During installation on an Exchange server with the Exchange 2010 or 2013 Mailbox role, Symantec Mail Security for Microsoft Exchange (SMSMSE) prompts for a Windows service account. The Windows service Symantec Mail Security for Microsoft Exchange is configured to run with this Windows account. What are the requirements for this user account?
- Exchange 2010 or 2013 with the Mailbox role
In order to access some scanning features on an Exchange 2010 or 2013 mailbox server, SMSMSE must have a service account with appropriate rights.
When SMSMSE is installed on an Exchange 2010 or 2013 Mailbox Server a domain account is used as the service account running the Symantec Mail Security for Microsoft Exchange service.
NOTE: It is possible to configure the service with a LOCAL SYSTEM account instead of a domain account. See the following article for details: How to run the Symantec Mail Security for Microsoft Exchange (SMSMSE) service account as LOCAL SYSTEM instead of a Windows domain account on Exchange 2010 Mailbox role.
The domain user account requires the following rights for proper operation:
- Member of the Active Directory Exchange Organization Management security group.
- Member of the Administrators group on the computer where SMSMSE is installed.
- Have Log on as a service right on the computer where SMSMSE is installed. This right should be assigned by the SMSMSE installer.
- Have the Application Impersonation right. This right should also be assigned by the SMSMSE installer.
- Member of the Active directory SMSMSE Admins security group.
The following documents detail the behavior that you are likely to see if these rights are not assigned and show how to assign the rights, if needed.
- When editing a manual scan in Symantec Mail Security for Microsoft Exchange 6.5 installed on Exchange 2010 mailbox servers, the mailbox and public folder list is not populated.
- Error 1609: The service did not start due to a logon failure" When attempting to start the Symantec Mail Security for Exchange 6.5 service
- During a manual scan on an Exchange 2010 Mailbox server, the scan stops and no messages are scanned
- Content filtering rules with Active Directory user conditions do not apply as configured on Exchange 2010
The SMSMSE Utility service runs under the Local System account.
Article URL http://www.symantec.com/docs/TECH123108