The Data Loss Prevention services are often required to run as a non-local user, such as a Domain account. Finding the minimum permissions required for security purposes is of utmost priority. This article shares the steps to successfully create an Active Directory service account for that purpose.
Release: DLP 15.8+
Security posture may specify that software services should run as a non-local Domain account.
Data Loss Prevention services function by calling a Java Wrapper, which launches the appropriate processes to run Data Loss Prevention and its associated supporting infrastructure. As such, the requirements for the Service Account are low.
1. The chosen Active Directory service account must possess the Log in as a Service right (constant: SeServiceLogonRight).
2. The chosen Active Directory service account must have permission to access the entire product file system structure, on both Linux and Windows.
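One way to check both requirements on a Windows server, as an added example that is not part of the original article or the vendor's tooling. The account name and product directories are supplied by the operator; the script assumes an elevated PowerShell session and reports only rights and ACL entries assigned directly to the account.

```powershell
# Added example: checks the two service-account requirements listed above.
# Grants inherited through group membership are NOT resolved here; review the
# reported holders and ACL entries for groups the account belongs to.
param(
    [Parameter(Mandatory)][string]$Account,    # e.g. DOMAIN\name (operator-supplied)
    [Parameter(Mandatory)][string[]]$Paths     # product directories (operator-supplied)
)

# User-rights assignments and ACLs are stored by SID, so resolve the account first.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Requirement 1: export the user-rights area of the security policy and parse it.
$cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
$holders = @()
try {
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
            Select-Object -First 1
    if ($line) {
        # Entries are comma separated; SIDs carry a leading '*'.
        $holders = ($line.Line -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
[pscustomobject]@{
    Check   = 'SeServiceLogonRight'
    Target  = $Account
    Direct  = ($holders -contains $sid) -or ($holders -contains $Account)
    Details = $holders -join ', '
}

# Requirement 2: list explicit and inherited ACL entries naming the account.
foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        [pscustomobject]@{ Check = 'FileSystem'; Target = $p; Direct = $false
                           Details = 'path not found' }
        continue
    }
    $rules = (Get-Acl -LiteralPath $p).GetAccessRules($true, $true,
              [System.Security.Principal.SecurityIdentifier]) |
             Where-Object { $_.IdentityReference.Value -eq $sid }
    [pscustomobject]@{
        Check   = 'FileSystem'
        Target  = $p
        Direct  = [bool]$rules
        Details = ($rules | ForEach-Object {
                     "$($_.AccessControlType): $($_.FileSystemRights)" }) -join '; '
    }
}
```

A `Direct` value of `False` means no direct assignment was found, not that access is missing; compare the `Details` column against the account's group memberships before changing policy.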