Description:

This Document was created to ensure user accounts used to log on to BSI services have the sufficient criteria to do so.

Solution:

When you install BSI you are prompted to provide a domain account as part of the installation. This account is used to start some of the services, for the COM+ component, and to grant rights to the MSMQs used to communicate. It is recommended that this account also be the account you log into the box with to perform the install. While not required, if you are not also logged in with the account for the install then it's recommended you follow through the document about changing the user account and verify you have the account properly set with the correct permissions in the three places mentioned above.

We are often asked what rights the account in question needs. There are two parts to this question:

1. Domain rights; if you have a multi-tiered installation, with the app and the web on separate boxes or app components on separate boxes, then the account will need to be a member of the domain. In addition the machines should be a member of the same domain and the MSMQ on the app server should be installed on AD integration (or domain) mode. The account does NOT need to be a domain administrator. It can be a regular domain user but you will need additional rights to install MSMQ in domain mode. These rights are documented by Microsoft in a link provided automatically when you install MSMQ in domain mode. If this is a single tiered install, then it does not need to be a domain account if MSMQ is installed in workstation mode.
   
   
2. Local Administrator rights; whether the account is a domain account as discussed above or a local account only, the account MUST be a member of the local Administrators group. It is assumed the Administrators group contains all the default rights that Microsoft gives this group when it's created. We do not support trying to reduce the rights on the Administrators group (or it would no longer be a local Administrator). Some of the default rights it should have would include:
   'Log on as a batch job.'
   'Log on locally.'
   'Log on as a service'
   These rights can be found under:
   Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment