Knowledge Base Article: HelpMaster Service Configuration and Service Account Permissions Requirements


INFO: SVC Permissions

Service SVC SQL Permissions Requirements Rights Services Email Manager Priority Manager Active Directory Windows Service account


Installation / Upgrading

5/15/2009 10:16:09 AM

5/23/2018 12:27:44 PM


Applies to

HelpMaster v12 and above

Overview

The following information will help you configure the minimum Windows security requirements for your HelpMaster services, including the Priority Manager, Automation, Email Manager, and Active Directory services. Please note that the information here relates to Windows security, not to the security model within SQL Server or HelpMaster. Note also that the information offered here is the minimum required to get all of your HelpMaster services running under a single Windows user account. SQL database security must also be configured in accordance with the linked article entitled "SQL Security Settings for HelpMaster use", and that configuration must be applied to the account(s) chosen to run each service.

Additional requirements are also outlined below for the Automation, Priority Manager and Email Manager services to access an email system.

Service Account Selection/Creation For All Modules

The selection and/or creation of the Windows user account used to run the HelpMaster services will depend on the environment in which HelpMaster is running. A built-in Microsoft Windows service runs in the background without any GUI or user interaction and generally runs under a built-in Windows system or network account. The HelpMaster services also run without any GUI or user interaction; however, they require a dedicated Windows user account that has access to all of the following resources:

  • The HelpMaster database (if using Windows NT Integrated Authentication for SQL database access),

  • The email server mailbox and/or Microsoft Outlook profile owned by the selected account and stored on the local machine,

  • The network share hosting the HelpMaster common files or working folders location,

  • All local machine resources as a Local Administrator (for service account user impersonation access).

If using Windows NT Integrated Authentication in a domain environment system-wide, follow the requirements in option 1 below. If the HelpMaster services are not being run in a Windows domain environment, then SQL Server Login authentication MUST be used for all HelpMaster service database connections, and the service account needs to be configured as outlined in option 2 below.

  1. Microsoft Windows Domain Environment: A descriptively named Windows domain account should be created, e.g. '[DomainName]\HMPServices'. The following minimum Active Directory user permissions should be granted:

  • Membership of the default 'Domain Users' group,

  • Membership of the HelpMaster users group with 'Read/Write' access granted to the HelpMaster 'Working folder location' (Common Files stored on a network share), or the 'Domain Users' group may be granted this access instead,

  • Explicitly granted 'Local Administrator' rights to the machine running the services (even Domain Administrators don't have ALL of the same access rights to local resources as members of the local machine Administrators group do),

  • 'Log on as a service' rights also MUST be granted, either from the Domain Controller GPO as outlined in http://support.microsoft.com/kb/259733/EN-US/, or by setting the account as the service logon account on one of the HelpMaster services from the Windows 'Service Management Console' of the machine hosting the HelpMaster services. This is done by double-clicking each of the HelpMaster services, then from the 'Log On' tab selecting 'This account', entering the account details and clicking 'Apply'.

  • Exchange or other mail server permissions to access the mailboxes being scanned and 'Send As' delegation rights to the Service Logon Account.

  2. Non-Microsoft Network or Workgroup Environment: The Active Directory service cannot be utilised in a non-Windows Domain environment, and thus the following only applies to the service logon account used by the Email Manager, Priority Manager, and Automation services. Create a network or local machine account with the following minimum permissions:

  • Explicitly granted 'Local Administrator' rights to the machine running the services,

  • 'Read/Write' access granted to the HelpMaster 'Working folder location' (Common Files stored locally or on a network share that the created account can access),

  • 'Log on as a service' rights MUST be granted by setting the account as the service logon account on each of the HelpMaster services using the Windows 'Service Management Console' of the machine hosting the HelpMaster services. This is done by double-clicking each of the HelpMaster services, then from the 'Log On' tab selecting 'This account', entering the account details and clicking 'Apply'.


Post Service Account Creation Tasks:

For the services to be able to access the mail system, a Windows user profile and an Outlook profile must be created as follows:

  1. Log into the server / workstation with the newly created Local Administrator service account above,

  2. Run Microsoft Outlook and create a new profile containing all of the Exchange mailboxes and/or other mail system Personal Folders. Test that mail can be sent and received successfully to, from, and on behalf of all email accounts, and ensure that "Cached Exchange Mode" is NOT enabled,

  3. Open the Windows 'Service Management Console' and find the HelpMaster services in the list. Double-click the Active Directory, Automation, Priority Manager and Email Manager services in turn to set the 'Log on as a service' rights for each one,

  4. From the "Log On" tab, select "This account:" and enter the new service logon account details in the form ".\[AccountName]" for a local machine account, or "[DomainName]\[AccountName]" for a domain account, together with its password, then click "Apply",

  5. You should get a dialogue box stating that 'Log on as a service' rights have been granted, unless the account has already been granted this right via Group Policy,

  6. Now in the HelpMaster Desktop, from the "Automation" tab, open the "Service Setup" screen for each service and do the following:

  • Set the 'Service Database' connection string using either 'Windows Authentication' for option 1 above, or 'SQL Server Authentication' for option 2 above,

  • Enter the new service account credentials in the same format as step 4 above in the "Domain\User Name" and "Password" fields and click the "Test User" button. You should get ticks for all authentication tests in the list, indicating that all permission requirements for the service to run have been met. If not, review the steps above, make sure that all of them have been completed, then try again,

  • Now click the "Open Windows Services Viewer" button, re-enter the selected account details into each service and click "Start".

  • Note: This doesn't mean that the services will actually do anything unless at least one profile has been configured and activated for each of the HelpMaster services. If no profiles are configured, the service may stop with an event stating that it has nothing to do.
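The script below is an added example and is not HelpMaster's own tooling. It reports, from the Windows side, whether a chosen account meets the requirements listed under options 1 and 2 above (local Administrators membership, the 'Log on as a service' right, Read/Write access on the working folder) and whether each HelpMaster service has been set to log on as that account (step 4 above). It is meant to be run from an elevated Windows PowerShell session on the machine hosting the services. The account name, working folder path and service name pattern are placeholders to adjust for your site; in particular, the assumption that the service names begin with "HelpMaster" is mine, not the article's. It does not replace the "Test User" button in the Service Setup screen, and it does not check Exchange or Outlook profile access.

```powershell
# Added example (not HelpMaster's own tooling): checks the Windows-side service account
# requirements from this article on the machine hosting the HelpMaster services.
# Run elevated in Windows PowerShell 5.1 or later. The three values below are
# placeholders/assumptions: adjust the account, the working folder and the pattern
# used to find the HelpMaster services for your environment.
param(
    [string]$ServiceAccount     = 'CONTOSO\HMPServices',                  # placeholder; '.\Name' for a local account
    [string]$WorkingFolder      = '\\fileserver\HelpMaster\CommonFiles',  # placeholder share or local path
    [string]$ServiceNamePattern = 'HelpMaster*'                           # assumption: service names begin with HelpMaster
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Windows stores a local service account as '.\Name'; normalise it to 'COMPUTERNAME\Name'
# so group membership, SID lookup and ACL entries can be compared by name.
$account = $ServiceAccount -replace '^\.\\', "$env:COMPUTERNAME\"

# 1. Explicit membership of the local Administrators group (required even for domain accounts).
$admins  = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
$isAdmin = [bool]($admins | Where-Object { $_.Name -eq $account })
Add-Result 'Member of local Administrators' $isAdmin ($admins.Name -join ', ')

# 2. 'Log on as a service' (SeServiceLogonRight) in the effective local security policy.
#    secedit exports the right as a comma-separated list of SIDs (prefixed '*') and/or names.
try {
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    $sid = $null
    Add-Result 'Account resolves to a SID' $false $_.Exception.Message
}
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = (Select-String -Path $inf -Pattern '^SeServiceLogonRight' | Select-Object -First 1).Line
Remove-Item $inf -ErrorAction SilentlyContinue
$hasRight = $line -and (($sid -and $line.Contains("*$sid")) -or $line.Contains($account))
Add-Result "'Log on as a service' right" ([bool]$hasRight) $(if ($line) { $line } else { 'SeServiceLogonRight not present in export' })

# 3. Read/Write (Modify) on the working folder. Only ACEs naming the account itself are
#    checked; access granted through a group such as 'Domain Users' is not expanded here.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$acl    = Get-Acl -Path $WorkingFolder -ErrorAction SilentlyContinue
$rw     = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $modify) -eq $modify)
}
$aclDetail = if ($acl) { ($acl.Access.IdentityReference.Value | Select-Object -Unique) -join ', ' } else { 'path not reachable' }
Add-Result "Read/Write ACE on $WorkingFolder" ([bool]$rw) $aclDetail

# 4. Each HelpMaster service is configured to log on as the chosen account
#    (the 'This account' setting on the Log On tab). WQL LIKE uses '%' as its wildcard.
$wql      = "Name LIKE '$($ServiceNamePattern -replace '\*', '%')'"
$services = @(Get-CimInstance Win32_Service -Filter $wql)
if (-not $services) { Add-Result 'HelpMaster services present' $false "nothing matched $ServiceNamePattern" }
foreach ($svc in $services) {
    $ok = ($svc.StartName -eq $ServiceAccount) -or ($svc.StartName -eq $account)
    Add-Result "Service '$($svc.Name)' logs on as $ServiceAccount" $ok "StartName=$($svc.StartName); State=$($svc.State)"
}

$results | Format-Table -AutoSize
# Non-zero exit code when any check failed, so the script can be used from a scheduled job.
exit @($results | Where-Object { -not $_.Pass }).Count
```

Run it once after completing steps 1 to 5 and again after each change to the account or the services; a failed "Log on as a service" check with a passing service logon check usually means the right was expected from Group Policy (option 1) but the GPO has not applied to this machine yet.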
