EV service account domain admin

ashks2014
Level 5

Hi All,

Does the VSA need domain admin credentials? Ours is and our security team want to remove the domain admin membership.

Has anyone done this and what were the consequences?

I can see why the domain admin permissions might be needed during install or upgrade but on a day-to-day basis are they required?

Any advice is appreciated!

6 REPLIES

Kai_Schröer
Level 5
Partner Accredited

Hello Ashks,

Please have a look here:

https://www.veritas.com/support/en_US/article.TECH76700#Vault_Service_Account

It is recommended that the VSA not be a member of the Domain Admins group.

Have a nice day.

Kai

-----------------------------------
https://twitter.com/pmcs_ev

I don't know of *anyone* that gives the VSA domain admin.

Working for cloudficient.com

GertjanA
Moderator
Partner    VIP    Accredited Certified

Hi,

In the Installing and Configuring guide it is specifically recommended to NOT make the VSA Domain Admin. Being a Domain Admin grants (and denies) permissions which are required for the VSA to have. It most likely will mess up the archiving functionality.

So, remove VSA from Domain Admin group asap. Then rerun Deployment Scanner on your EV (after you relogged on with the VSA), and verify the required permissions on SQL and Exchange (or whatever else archiving target you use) are still correct.

Regards. Gertjan

Thanks Guys, it's probably just a legacy thing but our security were very keen to remove the domain admin rights. This will make them happy to hear this.

GertjanA
Moderator
Partner    VIP    Accredited Certified

You're welcome. Can you mark one of the answers as solution?

That 'closes' the question, so other users don't open it to answer, and others might have a similar question, and then get the answer.

Thanks in advance!

Gertjan

Regards. Gertjan

VirgilDobos
Moderator
Partner    VIP    Accredited Certified

Hi mate,

As Gertjan pointed out, the Domain Admins have some deny permissions, i.e. deny permissions on mailboxes.

See below:

EV Service Account Permissions: https://www.veritas.com/support/en_US/article.TECH76700#Vault_Service_Account

"It is recommended that the VSA not be a member of the Enterprise Admins group, the Domain Admins group, or any other group that contains a default DENY permission on mailboxes. It is better to start with a standard domain user account and explicitly assign only the required permissions."

--Virgil
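
One way to verify the outcome discussed in this thread, as an added example that is not part of any post or of Veritas documentation: a PowerShell check (ActiveDirectory module) that reports whether the VSA is still in Domain Admins or Enterprise Admins, directly or through nesting. The account name `svc-evault` and the function name are hypothetical; the `adminCount` note reflects general Active Directory behaviour, not something stated in the thread.

```powershell
# Added example, not from the thread. 'svc-evault' is a hypothetical VSA name.
Import-Module ActiveDirectory

function Get-VsaPrivilegedMembership {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Groups named in the quoted Veritas guidance.
        [string[]] $Groups = @('Domain Admins', 'Enterprise Admins')
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, MemberOf

    foreach ($name in $Groups) {
        try {
            $group = Get-ADGroup -Identity $name -ErrorAction Stop
        } catch {
            # Enterprise Admins exists only in the forest root domain.
            [pscustomobject]@{ Account = $user.SamAccountName; Group = $name
                               Status  = 'group not found in this domain' }
            continue
        }

        # -Recursive expands nested groups, so indirect membership is caught too.
        $members  = Get-ADGroupMember -Identity $group -Recursive
        $isMember = $members.DistinguishedName -contains $user.DistinguishedName
        $isDirect = $user.MemberOf -contains $group.DistinguishedName

        $status = if (-not $isMember) { 'not a member' }
                  elseif ($isDirect)  { 'direct member' }
                  else { 'member (not in memberOf: nested or primary group)' }

        [pscustomobject]@{ Account = $user.SamAccountName; Group = $name
                           Status  = $status }
    }

    # General AD behaviour (not from the thread): adminCount stays 1 after the
    # account leaves a protected group, and ACL inheritance stays disabled.
    if ($user.adminCount -eq 1) {
        Write-Warning "$SamAccountName has adminCount=1; review the flag and ACL inheritance on the object after removal."
    }
}

Get-VsaPrivilegedMembership -SamAccountName 'svc-evault' | Format-Table -AutoSize
```

Run it before and after the group change, then rerun Deployment Scanner as Gertjan describes.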