cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

EV Service account

Go to solution
Aaron_Heid
Level 4

‎03-16-2007 10:01 AM

My EV Service account is a member of domain admins, does it need to be and why? Appreciate any input, thanks.
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Martin_Widemann
Level 4

‎03-16-2007 10:08 AM

It Depends, is your EV Server installed on a DC then you need to put the VSA within the Domain Admins Security Group (because there is no locale Admin Group on a DC). Otherwise, if you have EV installed on a seperate Machine then you should take him out of this Group because you don�t need him within the Group.

But if the VSA is Member of Domain Admins then you have to change some Exchange Permissions in case of EMAIL Archiving, because the Domain Admin Group had per Default Deny Rights on Send as and Receive as.

View solution in original post

0 Kudos
3 REPLIES 3

Go to solution
Martin_Widemann
Level 4

‎03-16-2007 10:08 AM

It Depends, is your EV Server installed on a DC then you need to put the VSA within the Domain Admins Security Group (because there is no locale Admin Group on a DC). Otherwise, if you have EV installed on a seperate Machine then you should take him out of this Group because you don�t need him within the Group.

But if the VSA is Member of Domain Admins then you have to change some Exchange Permissions in case of EMAIL Archiving, because the Domain Admin Group had per Default Deny Rights on Send as and Receive as.
0 Kudos

Go to solution
TonySterling
Moderator
Moderator
Partner    VIP    Accredited Certified

‎03-16-2007 10:11 AM

Martin is correct; it is recommended to NOT have him in Domain Admins
0 Kudos

Go to solution
Micah_Wyenn
Level 6

‎03-16-2007 01:06 PM

Yeah,
You shouldn't have'm in domain admins...the highest security I'm ever comfy recommending is account operators. Reasoning behind that was in 6.0 it always tried to create a new account (complete w/ mailbox) for you (even if you did one before hand) and error'd if it didn't have that ability. In 7.0 you can specify the mb without it needing all those rights.

So it's actually debatable if you really need to make the service account have all those perms anyhow. I'm sure there's a good reason for it...for example if you're doing PST migrations and want to give account operators (or another admin-like group) local admin rights to your clients...or FSA prolly is good reason for that as well. Oh well, time to stop babbling.

micah
0 Kudos