In my experience the ARS Server service has to run as a local admin account, 
and also as an account with access to the SQL Server database.  What we have 
used for many years is a Domain User account (not a Domain Admin or other role) 
that has been granted local admin rights on the AR Server, AND is the dbo in 
SQL Server for the ARSystem database.  Flashboards has always run fine as Local 
System.  I do give this Domain Account (it is not a local Windows account) full 
rights to the BMC Software directory structures where the applications are 
installed (before installation).  Again, the service itself runs under that 
Domain User account - ARS 7.x installers usually get this correct if the 
account has been set up properly on the SQL Server first.

The email engine is another matter.  If you are using MAPI and have Outlook 
installed on the AR Server, the Domain User for the MAPI mailbox has to be a 
local admin as well, and have the rights to log on locally and run Outlook 
against the mailbox that AREmail is using; the Email Engine service itself must 
run under that Domain User account.  This works fine in Windows Server 2003, 
but I never got it working to my satisfaction in Windows Server 2008; the mail 
engine would not log in and send mail unless you had a current logged-in 
session under the mailbox user account open, and started the mail service from 
there.  Log out, and it stopped working.  It was one of the main reasons we 
switched from MAPI (for ARS 7.1) to SMTP/POP (for ARS 7.6.04).

When using SMTP/POP, the BMC Remedy Email Engine installs and runs just fine 
under the Local System account.  If you decide to run it under the Domain User 
of the POP mailbox, then that user would have to be at least a local Power User 
to run the service, with full access to the Email Engine application directory. 
It only needs to be in the local admin group for MAPI connections.

We do the same with the mid-tier; the Tomcat instance runs under a dedicated 
Domain User that is in the local Power User group, with full rights to the 
Apache file directory structure.  We make those changes after installing Tomcat 
(which installs under Local System), before installing the mid-tier.

BTW, the AR System runs in a dedicated AD forest, so it is an additional 
dependency for the services to be able to authenticate to AD in order to start, 
but it adds a layer of security over local user accounts.

Christopher Strauss, Ph.D.
Call Tracking Administration Manager
University of North Texas Computing & IT Center
http://itsm.unt.edu/

-----Original Message-----
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Reiser, John J
Sent: Wednesday, June 27, 2012 9:41 AM
To: arslist@ARSLIST.ORG
Subject: Running the ARsystem service as a plain windows user account

Hello Listers,

ARS 7.6.04
MS SQL 2005
MS Windows 2003 on a VM

I've looked through the installation docs to find out if the AR System service, 
Email service and Flashboards service need to be run as a local admin on a 
Windows server.

First we ran it as a local service and the security folks didn't like that. We 
changed to a local admin service account and now they don't like that either.
I tried looking in the docs and the BMC Knowledge base and the only reference 
to a "root" account was for installing on Unix/Linux type servers.

I just need to know if it must be run as a local admin and the reason for it to 
satisfy the Information System Security people. If it is run as a regular Windows 
user, are there any file system permission changes needed on the server? 
Couldn't find anything referencing this.

Thank you,
---
John J. Reiser
Remedy Developer/Administrator
Senior Software Development Analyst
Lockheed Martin - MS2
The star that burns twice as bright burns half as long. 
Pay close attention and be illuminated by its brilliance. - paraphrased by me 
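
An added example, not part of either message and not BMC's own tooling: a PowerShell audit of the setup described in the reply above, reporting which account each matching service runs as, whether that account is a direct member of the local Administrators or Power Users group, and whether it holds a direct Full Control entry on the install directory. It assumes Windows PowerShell 5.1 or later; the display-name pattern and the install path are placeholders to replace with the real values.

```powershell
# Added example: audit service logon accounts against local group membership
# and install-directory rights.
# ASSUMPTIONS: $ServicePattern and $InstallPath are placeholders, not values from the thread.
param(
    [string]$ServicePattern = '*Remedy*',                       # assumed display-name pattern
    [string]$InstallPath    = 'C:\Program Files\BMC Software'   # assumed install directory
)

function Get-LocalGroupAccounts([string]$GroupName) {
    # Direct members only; nested domain groups are not expanded.
    try   { (Get-LocalGroupMember -Group $GroupName -ErrorAction Stop).Name }
    catch { @() }   # group missing on this host (e.g. no Power Users group)
}

# Built-in service identities, listed so they stand out in the report.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$admins  = Get-LocalGroupAccounts 'Administrators'
$power   = Get-LocalGroupAccounts 'Power Users'
$fc      = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl     = if (Test-Path $InstallPath) { (Get-Acl $InstallPath).Access } else { @() }

Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $ServicePattern } |
    ForEach-Object {
        $account = $_.StartName
        # Local accounts can be stored as .\name; normalise to COMPUTER\name.
        if ($account -like '.\*') {
            $account = "$env:COMPUTERNAME\" + $account.Substring(2)
        }
        # Only ACEs naming the account itself are checked; rights that arrive
        # through a group the account belongs to are not resolved here.
        $direct = $acl | Where-Object {
            $_.IdentityReference.Value -eq $account -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $fc) -eq $fc
        }
        [pscustomobject]@{
            Service     = $_.DisplayName
            RunsAs      = $account
            BuiltIn     = $builtin -contains $account
            LocalAdmin  = $admins -contains $account
            PowerUser   = $power -contains $account
            FullControl = [bool]$direct
        }
    } | Format-Table -AutoSize
```

Accounts stored in UPN form (user@domain) will not match the DOMAIN\user names returned for group members and ACL entries, so check those rows by hand.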

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 
www.wwrug12.com ARSList: "Where the Answers Are"
