Video Screencast Help

Permissions for Clearwell Service Account for EV

Created: 08 Apr 2013 • Updated: 09 Apr 2013 | 9 comments
Scott _Hastings's picture
This issue has been solved. See solution.

Clearwell is being installed at an account I support. Symantec is doing the install, but they are having touble with the account that gives Clearwell access to EV and I suppose the accounts that run services as well.

Do I just need to assign permissions to this account as stated below. Are all pemissions needed like SQL?

 The VSA must belong to the Local Administrators group on all Enterprise Vault servers  


The installation script does this. Do I need to add these manually?·        

  •            Log on as a service
  • ·         Act as part of the operating system
  • ·         Debug programs
  • ·         Replace a process-level token
  • ·         Log on as a batch job ·    

The VSA must have Full Control permissions (both NTFS and Share) on the PST Holding folder, and it is recommended that this folder be located on the Enterprise Vault server. 

The VSA’s requirements in SQL Server

Note: Granting the sysadmin server role to the VSA covers all of the necessary permissions. Read on for the least-privilege requirements.

·         The VSA must have a SQL login with the following permissions to the SQL server (instructions):

Server role: dbcreator

Server permission: View server state

·         The VSA also requires the following rights on the msdb system database (instructions):

Select permissions on the sysjobs, sysjobschedules, sysjobservers, and sysjobsteps tables.

SQLAgentUserRole database role

The VSA’s requirements in Exchange

·         The VSA requires full access to all mailboxes and public folders. Choose one of the following options:

·         For Exchange 2003 and earlier, grant the permissions manually using Exchange System Manager (instructions).

·         For Exchange 2007 and later, grant the permissions using the PowerShell script included on the Enterprise Vault media (instructions).

·         For any version of Exchange, grant the permissions manually using ADSIEdit (list of the required permissions).

·         If archiving from Exchange 2010, the VSA is required to have its own mailbox with a custom Throttling Policy (instructions).
(Note that the mailbox receiving this Throttling Policy is the mailbox associated with the VSA, not the EV System Mailbox discussed below. They are separate mailboxes.)

·         In a multiple-domain environment, the VSA must be able to access all domains associated with any Exchange Servers that are to be archived (further details and examples).

·         The VSA should not be a member of the built-in Exchange Organization Administrators group.

Thanks for any help

Operating Systems:

Comments 9 CommentsJump to latest comment

Scott _Hastings's picture

 I guess this question is just to dumb.

TonySterling's picture

Hi Scott,

Sorry, I don't understand the issue.  Are you using the VSA?  Also, do the EV services (the crawler and retriever), run as the VSA?  That would be the simplist thing.


Liam Finn's picture

On a normal EV integration you dont use the VSA account on the services

You create an account on the domain lets say called CWAppAdmin

This account needs to be added to the Power Administrator role in EV

The EsaEVCrawlerService and the EsaEVRetriever service need to use this account

The account also needs to be local admin on the Clearwell appliance

Once that is done you next add a source account within Clearwell to do all the talking with EVfor holds and collections and such. This source account should be the VSA account.

Finally you need to add EV as a source and select the VSA account which you specified as the source account in Clearwell for EV

TonySterling's picture

Hi Liam,

On page 19 in the Symantec Clearwell System Administration Guide 7.1.2.pdf it says:

  1. EsaEvCrawlerService

    Responsible for crawling and retrieving documents on Symantec Enterprise Vaults. The login user name must match the name used by the Symantec services (generally the “Vault Service Account”).

Are you saying that isn't correct or am I misunderstanding the recommendation?  Also, what is the downside to using VSA?



Scott _Hastings's picture

So should I use the VSA ? The account does not want to do that. I think they are concerned as to what would happen if the VSA Password was changed or something like that.

Tony/Liam , are you saying to use the VSA on the Clearwell side for collections and holds


An account to run the EsaEVCrawlerService and the EsaEVRetriever service that needs:

  • To be a Power Administrator role in EV
  • To be local admin on the Clearwell appliance

I apologize. I've never touched a Clearwell Appliance and the account asking for my guidance ... Go figure!

Liam Finn's picture


I'm saying I have not set it up that way as I perfoer to keep the accounts seperate.


TonySterling's picture

Honestly, if Symantec is doing the install they should know this!

Basically the account that the services is running under needs to be a Power Admin in EV and a Local Admin on the Clearwell box if it isn't the VSA. 

You will also create a Source Account.  Liam and I are both saying that the source account should be the VSA.

What are the actual issues you are seeing? 

Scott _Hastings's picture

Tony.... I've told them that no less that 5 times!  ;-)

Who gets the Solution?

Liam Finn's picture

I will contact you offline on this i want to know who is involved in the install