johnwilliams-4177 asked JamesTran-MSFT commented

Failed to log on as user Install-AIPScanner

How can you run this cmdlet Install-AIPScanner without the logon locally permission being given to the service account? Some environments do not allow for this permission to be given out, and other steps in the installation process account for this, but the -onbehalfof parameter does not work for this cmdlet.

azure-information-protection

@johnwilliams-4177
Thank you for your post! Would you be able to share the documentation that you're following or any screenshots, so I can gain a better understanding of your issue?

I did find our Install-AIPScanner PS documentation, but I didn't see any mention of the "logon locally permission" being required for a service account, only the need to run this with "local administrator rights for the Windows Server computer, and Sysadmin rights on the instance of SQL Server that you will use for the scanner."


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


1 Answer

johnwilliams-4177 answered JamesTran-MSFT commented

I worked around this issue by obtaining the logon locally right via the client. However, I have found this requirement listed at numerous sites which have been listed below:
https://techcommunity.microsoft.com/t5/security-compliance-identity/installation-configuration-and-usage-of-the-aip-scanner/ba-p/221792

Direct from Microsoft

https://docs.microsoft.com/en-us/azure/information-protection/deploy-aip-scanner-prereqs

Requirement: Log on locally user right assignment
Details: Required to install and configure the scanner, but not required to run scans.

Once you've confirmed that the scanner can discover, classify, and protect files, you can remove this right from the service account.

If granting this right even for a short period of time is not possible because of your organization policies, see Deploying the scanner with alternative configurations.


@johnwilliams-4177
I'm glad that you are able to work around the issue, and thank you for posting your workaround so others facing the same issue can easily find the answer.


Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

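A check for the step quoted in the answer above (remove the right once the scanner is confirmed working), as an added example that is not part of the original thread or of Microsoft's documentation: it exports the server's user rights with `secedit` and reports whether the account is listed directly under `SeInteractiveLogonRight` ("Allow log on locally"). The account name is a placeholder, and rights inherited through group membership are not expanded.

```powershell
# Added example: audit the "Allow log on locally" assignment for one account.
# Run from an elevated PowerShell session on the scanner server.
param(
    [string]$Account = 'CONTOSO\svc-aipscanner'   # hypothetical name, replace with yours
)

function Get-UserRightHolders {
    param([string[]]$PolicyLines, [string]$Right)
    # secedit writes one "Right = entry,entry,..." line per assigned user right
    $line = $PolicyLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    $entries = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            $entry.TrimStart('*')                  # entry is already a SID
        } else {
            try {                                  # entry is an account name, resolve it
                ([System.Security.Principal.NTAccount]$entry).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $entry }                     # unresolvable name, keep as written
        }
    }
}

# Export only the user rights section of the local security policy
$cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try     { $policy = Get-Content -Path $cfg }
finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$allow = Get-UserRightHolders -PolicyLines $policy -Right 'SeInteractiveLogonRight'
$deny  = Get-UserRightHolders -PolicyLines $policy -Right 'SeDenyInteractiveLogonRight'

# Direct assignments only: membership in a listed group (for example
# Administrators) also confers the right and is not expanded here.
[pscustomobject]@{
    Account                   = $Account
    Sid                       = $sid
    DirectAllowLogOnLocally   = $allow -contains $sid
    DirectDenyLogOnLocally    = $deny -contains $sid
    AllowLogOnLocallyHolders  = $allow -join ', '
}
```

Running it once before installation and again after the right has been removed gives a record that the temporary assignment did not persist.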