What are the required User Right Assignments for the CCS Service Accounts group in Control Compliance Suite 11.0 ?
The CCS Service Account group should have the following Users Rights Assignments:
- Logon as a service
- Replace a process level token
- Impersonate a client after authentication
In previous versions of the product, we required that the service account for the Application Server and Directory Support Server both (if unique) be members of the Local Administrators Group which by default gives the accounts many user rights some of which are inherited and not even listed in Local Security Manager. Now with 11.0 we no longer require that the users be in the local administrators group but to be sure that each user has the minimum privileges required we created a new group "CCS Service Accounts" which we grant the rights to during creation and assign the service accounts as members. Hence this account is a part of the aforesaid User Rights Assignments.
The current configuration provides the minimum rights required. The privileges are needed but are far less than previously required when the service accounts needed to be local administrators.