How to run the Symantec Mail Security for Microsoft Exchange (SMSMSE) service account as LOCAL SYSTEM instead of a Windows domain account on Exchange 2010 Mailbox role or an 2013/2016 Exchange Server


Article ID: 181116


Updated On:


Mail Security for Microsoft Exchange




During installation of SMSMSE on an Exchange 2010 server with the Mailbox role or an Exchange 2013/2016 server, the installer prompts for a Windows service account. The installer configures the Windows service Symantec Mail Security for Microsoft Exchange to run as this service account.  Some organizations do not want to run Windows services as domain accounts for security reasons or because of Windows Domain password reset requirements.

NOTE:  Installing SMSMSE on an Exchange server without the Mailbox role does not require a Windows service account.  The SMSMSE services run as LOCAL SYSTEM.

Use the following steps to configure the SMSMSE service to run as the LOCAL SYSTEM account:

1. Ensure SMSMSE is installed correctly and entering a Windows domain account when prompted by the SMSMSE installer.
2. Give the LOCAL SYSTEM account Exchange Application Impersonation permission to the Exchange Mailbox.

Open the Exchange Management Shell and use the following command:

New-ManagementRoleAssignment –Name “SMSMSE” –Role ApplicationImpersonation –Computer <computername>

The following screenshot shows an example with the computer name WINDOWS2008-0:




3.  Confirm DWORD value "IsUsingLocalSystemAccount" is created in the registry.

a.  Open the registry editor (Start>Run>regedit.exe)
b.  Navigate to:
    SMSMSE 7.9.x or newer:  HKLM\SOFTWARE\Symantec\SMSMSE\<version>\Server
    SMSMSE 7.5.x or earlier: HKLM\SOFTWARE\Wow6432Node\Symantec\SMSMSE\<version>\Server

c.  In the right-pane locate "IsUsingLocalSystemAccount" and confirm the value is 1
d.  If the value does not exist.  Create a new DWORD value "IsUsingLocalSystemAccount" and set value to 1
e.  Close the registry editor.

4. Set the windows service SMSMSE to run as the LOCAL SYSTEM account.

a. Open the services control panel.
b. Right click on the service Symantec Mail Security for Microsoft Exchange and select Properties.
c. Click on the Log on tab.
d. Select the Local System account radio option.
e. Click the OK button.

5. Restart the windows service Symantec Mail Security for Microsoft Exchange.
6. Remove the original Windows service account used from the Exchange Organization Management group.

a. Open the Active Directory Users and Computers MMC (Start|Administrative Tools|Active Directory Users and Computers).
b. Click the tree item Active Directory Users and Computers|<domain name>|Microsoft Exchange Security Groups to display the Exchange security groups (<domain name> is the name of the Active Directory domain).
c. Double click the group Organization Management to display the Organization Management group properties.
d. Click the Members tab to display the users in the group.
e. Click the Windows service account used for the SMSMSE installation and click the Remove button.
f. Click Yes at the confirmation dialog.
g. Click OK to close the Organization Management group properties.

Related Articles

Permissions considerations for the Symantec Mail Security 6.5 for Microsoft Exchange service account

When editing a manual scan in Symantec Mail Security for Microsoft Exchange 6.5 installed on Exchange 2010 mailbox servers, the mailbox and public folder list is not populated.
Error 1609: The service did not start due to a logon failure" When attempting to start the Symantec Mail Security for Exchange 6.5 service
During a manual scan on an Exchange 2010 Mailbox server, the scan stops and no messages are scanned
Content filtering rules with Active Directory user conditions do not apply as configured on Exchange 2010