Information about the two groups "CCS Service Accounts" and "ESM" that are created while installing Control Compliance Suite (CCS) 11.0
Previously we could specify install user and a seperate Application Server and Directory Server service accounts. All of which needed to to be local admin. Now with CCS 11.0 this restriction off, so the install user now needs to be local admin and the Application Server and Directory Server service accounts can be a simple domain user. So earlier we would store the user in local admin group. But with CCS 11.0 it create these groups called as 'CCS Service Accounts' and 'ESM'. CCS service accounts basically has all local admin equivalent rights and all the service accounts are added to this group instead of local admin. ESM was always there , but now since we have combined it in CCS 11.0 we see this group
1) Why CCS Service account is member of Performance Monitor Users group?
Members of Performance Monitor Users group can access performance counter data. In CCS logs we add LogCurrentProcessStatistics events with performance counter details(System Load, CPU, Disk, Memory etc) for debugging purpose. To access performance counter details CCS Service account need to be member of Performance Monitor Users group.
2) Why CCS Service account is member of IIS_IUSERS group?
When a group is member of IIS_IUSERS group, it can seamlessly act as an application pool identity.
3) Why administrators group is added to ESM group?
When ESM is installed, ESM directory is owned by a group called ESM and by default Administrator is added to it. If non-admins are required to have access to the files you can add other users and/or groups to the ESM group.