During installation on an Exchange server with the Exchange 2010, 2013, 2016 or 2019 Mailbox role, Symantec Mail Security for Microsoft Exchange (SMSMSE) prompts for a Windows service account.  The Windows service Symantec Mail Security for Microsoft Exchange is configured to run with this Windows account. What are the requirements for this user account?

In order to access some scanning features on an Exchange 2010, 2013, 2016 or 2019 mailbox server, SMSMSE must have a service account with appropriate rights.

When installed to a Hub or Edge role, the SMSMSE service runs under Local System, and requires no special rights.

When SMSMSE is installed on an Exchange 2010, 2013, 2016 or 2019 Mailbox Server a domain account is used as the service account running the Symantec Mail Security for Microsoft Exchange service.

NOTE:  It is possible to configure the service with a LOCAL SYSTEM account instead of a domain account.  See the following article for details: How to run the Symantec Mail Security for Microsoft Exchange (SMSMSE) service account as LOCAL SYSTEM instead of a Windows domain account on Exchange 2010 Mailbox role.

The domain user account requires the following rights for proper operation:

• Member of the Active Directory Exchange Organization Management security group.
• Member of the Administrators group on the computer where SMSMSE is installed.
• Have Log on as a service right on the computer where SMSMSE is installed. This right should be assigned by the SMSMSE installer.
• Have the Application Impersonation right. This right should also be assigned by the SMSMSE installer.
• Member of the Active directory SMSMSE Admins security group.  

Technical Information

The SMSMSE Utility service runs under the Local System account.

Applies To

• Exchange 2010, 2013, 2016 or 2019 with the Mailbox role