How to give VSA (Vault Service Account) permissions/privileges to another account

Carlos_Eduard2
Level 2

Hi all,

I need to give some accounts the same permissions/privileges that Vault Service Account (VSA) has.

In fact, some EV admins need to do some reconfiguration tasks and I don't want to give them the VSA password.

How can they perform these tasks without using the VSA?

Regards,

Carlos Eduardo Marins.

6 REPLIES 6

Rob_Wilcox1
Level 6
Partner

Have you had a look at the Roles Based Administration:

https://www-secure.symantec.com/connect/articles/roles-based-administration-enterprise-vault-8

Working for cloudficient.com

Carlos_Eduard2
Level 2

Indeed I had a look yesterday.

The problem is that it seems not possible to give VSA privileges to another account.

For example, the 'Change Service Account' is not available to any default roles.

Is it possible to give the 'Change Service Account' permission to any role (even a customized role)?

 

Regards,

Carlos Eduardo Marins.

BigPhil
Level 5

Why would you need to change the Vault Service Account? Maybe you can share with us why you need the ability to do this and we can then determine the best approach from there. The Power Administrator role has the ability to change nearly all Enterprise Vault configuration settings.

Carlos_Eduard2
Level 2

Fair enough.

The problem is: We're in the middle of a Microsoft Domain migration.

The EV is in domain A.

The EV saves its Indexes, partitions (both open and closed) on a file server (FS1) on Domain A.

This file server (FS1) is going to be migrated to the new domain (Domain B).

The VSA is a domain account on Domain A.

We already migrated VSA to Domain B (using Active Directory Migration Tool - ADMT), so that VSA on Domain B has the SID of VSA on Domain A (SID History attribute).

We're going to use the migrated VSA on Domain B (the same name and password).

According to Symantec EV Administration Guide (38-40), to change the VSA one needs to open EV Console using the existing VSA.

I have 2 concerns: using the existing VSA to change itself, and, if anything goes wrong in this process, rolling back can be a time-consuming task.

I believe that if I have another account with the same privileges as the VSA it would be faster to recover from problems.

We only have Exchange Journaling and Archiving.

Below is the excerpt from the EV Admin Guide.

Regards,

Carlos Eduardo Marins.

Changing the Vault Service account

If you need to change the Vault Service account, this section describes how to proceed.

Note: You are recommended not to change the account name if possible, because of the amount of work involved, and the potential for introducing mistakes that take time to rectify.

Before you change the account, ensure that the following apply:

■ The new Vault Service account is part of the Administrators group, with permission Full Control (All), on each Enterprise Vault computer in the Enterprise Vault Site.

■ If Exchange Server archiving is implemented, the new account has full permissions on the Microsoft Exchange Server.

■ The Microsoft Message Queue security has been set up to grant the Administrators group access to the Enterprise Vault queues.

■ The new account has database creator access on the SQL server.

■ If you use File System Archiving, you must ensure that the new account has the required permissions and privileges on the following:

  ■ All target Windows file servers.

  ■ Other Windows servers on which the FSA Agent is installed: any proxy servers for FSA Reporting and File Blocking agent servers for NetApp filers.

  If you do not make the Vault Service account a member of the local Administrators group on the file server, you must grant the account a set of minimum permissions and privileges. See the appendix “Permissions and privileges required for the Vault Service account on Windows file servers” in Setting up File System Archiving.

  For servers on which the FSA Agent is installed, you can use the EVFSASetRightsAndPermissions utility to help you set the required permissions and privileges. See “EVFSASetRightsAndPermissions” in the Utilities guide.

■ If SharePoint Server archiving is implemented, add the new Vault Service account to the SharePoint sites, or to the group that contains the old Vault Service account. The new account must be a local administrator on the SharePoint Servers.

For instructions on how to set permissions for the Vault Service account, see Enterprise Vault prerequisite software and settings in Installing and Configuring.

 

Note the following:

■ Always use the Administration Console to specify a new password for the Vault Service account or to change the Vault Service account itself. Do not use the Windows Services MMC snap-in to edit the logon credentials for an Enterprise Vault service unless you are instructed to do so.

■ If you ever change the password of the Vault Service account, and you have installed an add-on such as Enterprise Vault Discovery Collector, then you may also need to change the user account credentials of the Vault Service account in the add-on. See the documentation that accompanies the add-on for more information.

■ If you change only the password of the Vault Service account, and you have installed the FSA Agent on any computers, you must update the logon credentials that the FSA Agent services use. See “Updating the logon credentials of the FSA Agent services” in Setting up File System Archiving.

 

To change the Vault Service account

1 Start the Administration Console as the existing Vault Service account.

2 In the Administration Console, open Directory Properties and click the Service Account tab.

3 Change the Vault Service account details to reference the new account.

4 On SharePoint servers, run the Enterprise Vault SharePoint Configuration wizard and specify the new Vault Service account credentials.

5 If you have installed any add-ons such as Enterprise Vault Discovery Collector, you may need to change the Vault Service account credentials in the add-on. See the documentation that accompanies the add-on for information on how to do this.

6 Restart all Enterprise Vault services on all Enterprise Vault servers in the Enterprise Vault Site.

7 Restart the Enterprise Vault services on any other computers that have Enterprise Vault services installed. This includes the FSA Agent services on any computers that have the FSA Agent installed.

See the following technical note for a summary of the various accounts and permissions that are required by Enterprise Vault:

http://www.symantec.com/docs/TECH76700

 

BigPhil
Level 5

During the migration, are you/do you have SID filtering disabled between the domains so the sidHistory attribute will work? When using ADMT, you should run the security translation wizard in ADD mode on the Enterprise Vault server and verify everything works for a little while. Once verified, you can run again in replace mode to clean up entries from the old domain. Doing it this way will also help you if you need to roll back to the old domain.

As for your concerns, I don't believe it takes too long to configure the vault service account permissions. You could always pre-stage another account with the required Exchange server permissions, file system permissions and local permission on the Enterprise Vault server and just not change the service account in the Administration console.

Are you also moving to a new Exchange environment or will you be using a resource domain for Exchange?

Carlos_Eduard2
Level 2

BigPhil,

I believe you got it wrong.

I'm not going to migrate EV server from Domain A to Domain B.

EV Server is still going to be on Domain A.

File Server 1 (FS1) is what's going to be migrated to Domain B.

The guys who will migrate FS1 are going to run ADMT with the security translation wizard in ADD mode.

EV Server uses FS1 to store Indexes and partitions (both open and closed).

Regarding the Exchange environment, we have mailboxes in both domains (A and B). In a near future the Exchange will be completely on the new domain (Domain B). EV is running smoothly in our current configuration.

But now we need to prepare for the FS1 migration.

Regards,

Carlos Eduardo Marins.
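
The ADD-then-REPLACE sequence for the ADMT security translation discussed above can be verified per folder before anything is cleaned up. The PowerShell below is an added example, not code from the thread or from the Enterprise Vault documentation; the function name `Get-VsaAceStatus`, the SIDs and the FS1 share names are hypothetical, and it compares only ACEs granted directly to the VSA, not access inherited through group membership.

```powershell
# Added example. SIDs and share names are constructed placeholders, not values from the thread.
function Get-VsaAceStatus {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Each ACE needs IdentityReference (SID), FileSystemRights and AccessControlType
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Aces,
        [Parameter(Mandatory)][string]$OldSid,   # VSA SID in the source domain (Domain A)
        [Parameter(Mandatory)][string]$NewSid    # VSA SID in the target domain (Domain B)
    )
    # OR together the Allow rights that each of the two SIDs holds directly on this path
    $rights = @{ $OldSid = 0; $NewSid = 0 }
    foreach ($ace in $Aces) {
        $sid = [string]$ace.IdentityReference
        if ($ace.AccessControlType -eq 'Allow' -and $rights.ContainsKey($sid)) {
            $rights[$sid] = $rights[$sid] -bor [int]$ace.FileSystemRights
        }
    }
    $old = $rights[$OldSid]
    $new = $rights[$NewSid]
    # Added:         both SIDs present, new covers old (ADD mode done, rollback still possible)
    # NotTranslated: old SID has rights the new SID lacks (do not run REPLACE yet)
    # Replaced:      only the new SID remains (REPLACE mode done)
    # NoDirectAce:   neither SID has a direct ACE (access, if any, comes from a group)
    if (($old -ne 0) -and (($new -band $old) -eq $old)) { $status = 'Added' }
    elseif ($old -ne 0) { $status = 'NotTranslated' }
    elseif ($new -ne 0) { $status = 'Replaced' }
    else { $status = 'NoDirectAce' }
    [pscustomobject]@{
        Path      = $Path
        Status    = $status
        OldRights = [System.Security.AccessControl.FileSystemRights]$old
        NewRights = [System.Security.AccessControl.FileSystemRights]$new
    }
}

# Constructed sample ACLs. On a live server, read real ACEs with SIDs instead:
#   $aces = (Get-Acl $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$oldSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$newSid = 'S-1-5-21-4444444444-5555555555-6666666666-2210'
$fc  = [System.Security.AccessControl.FileSystemRights]::FullControl
$mod = [System.Security.AccessControl.FileSystemRights]::Modify
function New-SampleAce($Sid, $Rights) {
    [pscustomobject]@{ IdentityReference = $Sid; FileSystemRights = $Rights; AccessControlType = 'Allow' }
}
$sample = [ordered]@{
    '\\FS1\EVIndexes'    = @((New-SampleAce $oldSid $fc), (New-SampleAce $newSid $fc))
    '\\FS1\EVPartOpen'   = @((New-SampleAce $oldSid $fc), (New-SampleAce $newSid $mod))
    '\\FS1\EVPartClosed' = @(New-SampleAce $newSid $fc)
}
$sample.GetEnumerator() | ForEach-Object {
    Get-VsaAceStatus -Path $_.Key -Aces $_.Value -OldSid $oldSid -NewSid $newSid
} | Format-Table -AutoSize
```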