AndrewB
16 years ago, Moderator
Separate Service Account for Exchange Archiving and FSA
Looking for anybody to share their experience and expertise on how to utilize a separate service account for Exchange Archiving and for FSA. We have been handed down a security requirement to do this over concerns about a single process account having too much access.
(The point is not to battle with the security folks, just need to determine if it's a supported configuration in EV and how to do it.)
We are currently on EV 2007 SP5 running on Win2k3 SP2, archiving from Exchange 2007 SP1 running on Win2k8 and FSA from NetApp filers. Planning to upgrade within the next few months to V8 SP1. The Exchange archiving and FSA tasks are on separate servers.
All input is greatly appreciated.
- Also, it is pretty easy to set the Exchange task to run under different accounts.
If you look on the properties of the Task you will see the Log on tab
Exchange Mailbox Task Properties: Log On
Select the account that this task will run under. If required, you can run different tasks under different accounts. This may be useful if you have different Exchange Server environments.
Use the Vault Service Account. Select this to use the Vault Service Account.
Use this account. If you do not want this task to log on as the Vault Service Account, select Use this account and then click Browse to pick from the list of accounts. Enter the account's password and confirm it.
The account you pick must have appropriate permissions; see Creating the Vault Service account for details.
Additionally, the account that you pick must have the following permissions:
Act as part of the operating system
Log on locally
Log on as a service
Also, the Vault Service account must have the permission "Replace a process level token".
If the accounts do not already have these permissions, add them as follows:
On the Windows Start menu, click All Programs > Administrative Tools > Local Security Policy.
In the left pane of the Local Security Settings window, expand Local Policies and click User Rights Assignment.
Add your preferred account to Act as part of the operating system, Log on locally, and Log on as a service.
Add the Vault Service account to Replace a process level token.
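The steps above grant the rights through the Local Security Policy console, but they give no way to confirm afterwards which accounts actually hold them, or whether the separate task account has picked up anything beyond the four rights the docs require. The script below is an added example, not part of the original post or of the Enterprise Vault documentation. It exports the local User Rights Assignment with `secedit`, maps the four display names to their constants (`SeTcbPrivilege`, `SeInteractiveLogonRight`, `SeServiceLogonRight`, `SeAssignPrimaryTokenPrivilege`), reports who holds each, and flags any extra rights already assigned to the task account. `DOMAIN\svc-ev-exchange` is a placeholder; replace it with the account you intend to use, and run the script elevated on the EV task server.

```powershell
# Added example (not from the original post or the Enterprise Vault docs):
# audit which accounts hold the four user rights the EV docs list, and whether
# the intended separate task account holds anything beyond them.
# Assumptions: run in an elevated PowerShell session on the EV task server;
# $TaskAccount is a placeholder you replace with your own task account.

$TaskAccount = 'DOMAIN\svc-ev-exchange'   # placeholder, not a real account

# Display name (as shown in Local Security Policy) -> privilege constant.
$Rights = @{
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Log on locally'                      = 'SeInteractiveLogonRight'
    'Log on as a service'                 = 'SeServiceLogonRight'
    'Replace a process level token'       = 'SeAssignPrimaryTokenPrivilege'
}

# Export only the user-rights area of the local policy to an INI-style file.
$cfg = Join-Path $env:TEMP 'ev-user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# Parse the [Privilege Rights] lines: "SeXxx = *S-1-5-...,*S-1-5-..."
# secedit writes SIDs prefixed with '*'; translate each to DOMAIN\name.
$assignments = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $const = $Matches[1]
        $assignments[$const] = @($Matches[2].Split(',') | ForEach-Object {
            $id = $_.Trim().TrimStart('*')
            try {
                ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                # Unresolvable or empty entry: keep the raw SID text.
                $id
            }
        })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# One row per required right: who holds it, and whether the task account does.
foreach ($name in $Rights.Keys) {
    $const   = $Rights[$name]
    $holders = @($assignments[$const])
    [pscustomobject]@{
        Right       = $name
        Constant    = $const
        TaskAccount = if ($holders -contains $TaskAccount) { 'present' } else { 'MISSING' }
        Holders     = ($holders -join '; ')
    }
}

# Least-privilege check: any right the task account holds beyond the four
# the docs call for is worth explaining to the security reviewers.
$extra = @($assignments.Keys | Where-Object {
    ($Rights.Values -notcontains $_) -and ($assignments[$_] -contains $TaskAccount)
})
if ($extra.Count -gt 0) {
    "Rights held by $TaskAccount beyond the four required: $($extra -join ', ')"
} else {
    "$TaskAccount holds no user rights beyond the four required."
}
```

Two things the output makes visible. First, the `Holders` column for `SeTcbPrivilege` shows who else already has "Act as part of the operating system", which is the right the security reviewers are most likely to ask about, since it is far more powerful than the three logon rights. Second, the closing check is what demonstrates to them that splitting the Exchange and FSA tasks onto separate accounts actually narrowed each account's access rather than just duplicating the Vault Service Account's rights.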