Critical System Protection

  • 1.  Local System or Domain Account for Agent Service

    Posted Sep 23, 2013 11:49 AM

    Our SCP management server is already in place and is using a domain account for its services.

    When installing the agents, should I use this same service account, or can I just allow it to use a local system account?

    Typically I would use a domain service account for such things, but often it's required for authentication. Since the agent install gives an option, I'm not sure if a domain account is required.

    I ask this question because we have several Windows agents that were installed using the local system account and if I can avoid it, I would like to leave them this way.

    Is there a valid reason I should change the agents to use a domain service account?

    If so, can I just reconfigure the agent services and cycle them or do I have to uninstall and then re-install each agent?

    Thanks

    Rob



  • 2.  RE: Local System or Domain Account for Agent Service
    Best Answer

    Posted Sep 23, 2013 01:15 PM

    In SCSP, most people run the agent under the Local System account.  

    The advantage of this is that the password will not expire, like most domain-based usernames, so the SCSP services will not have an issue starting.

    Some people like to run the SCSP agent under its own AD account, and they usually disable password expiration for the account.  You will need to give this account local admin rights on the agent machines in order for the SCSP agent to work properly.  Some advantages of this are more granular control of the agent services, and the ability to verify through AD logs if the services have attempted to start running (look for AD logon events for that user).  The potential disadvantage is that the AD account can be disabled, and the CSP services will not be allowed to start.

    If you want to change the logon type, the easiest way is to reinstall the agent.  However, you should be able to change the services to run under alternate credentials in services.msc.
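
One way to check the points raised in the answer above across a set of agent machines, as an added example that is not part of the original thread or any vendor tooling: it reports the logon account of each agent service and, for domain accounts, whether the account is enabled and exempt from password expiry. The host list and the display-name pattern are assumptions; the service names are not given in the thread.

```powershell
# Added example: report which account the agent services run as on each host.
# Assumptions (not from the thread): the host list and the display-name
# pattern used to find the agent services; adjust both for your environment.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$DisplayNamePattern = '*Critical System Protection*'  # placeholder
)

# The AD checks are optional and need the RSAT ActiveDirectory module.
$haveAD = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

foreach ($computer in $ComputerName) {
    $query = @{ ClassName = 'Win32_Service'; ErrorAction = 'Stop' }
    if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }
    try {
        $services = Get-CimInstance @query |
            Where-Object { $_.DisplayName -like $DisplayNamePattern }
    } catch {
        Write-Warning "${computer}: service query failed: $($_.Exception.Message)"
        continue
    }

    foreach ($svc in $services) {
        $row = [ordered]@{
            Computer = $computer; Service = $svc.Name; State = $svc.State
            StartMode = $svc.StartMode; RunsAs = $svc.StartName
            AccountEnabled = $null; PasswordNeverExpires = $null
        }
        # Built-in and machine-local identities have no AD password or disable state.
        $builtin = $svc.StartName -match '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\|\.\\)'
        if ($haveAD -and $svc.StartName -and -not $builtin) {
            # Handles DOMAIN\user; a UPN (user@domain) is matched on its prefix only.
            $sam = (($svc.StartName -split '\\')[-1] -split '@')[0]
            try {
                $user = Get-ADUser -Identity $sam -Properties PasswordNeverExpires -ErrorAction Stop
                $row.AccountEnabled = $user.Enabled
                $row.PasswordNeverExpires = $user.PasswordNeverExpires
            } catch {
                Write-Warning "${computer}: cannot look up '$($svc.StartName)' in AD"
            }
        }
        [pscustomobject]$row
    }
}
```

A row with a domain account in `RunsAs` and `AccountEnabled` or `PasswordNeverExpires` set to `False` is the situation the answer describes, where the services may fail to start.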



  • 3.  RE: Local System or Domain Account for Agent Service

    Posted Sep 23, 2013 02:53 PM

    Thanks Chuck for the quick response.

    At this point I will just continue to use the local system to keep it simple. We already have enough problems having to change service account passwords for other applications.

    Rob