Permissions considerations

Applies To: Forefront Client Security

Client Security uses user accounts to both run the services needed by Client Security and allow access to data within the Client Security databases. This topic provides information and links to information about these types of accounts.

Service accounts

Service accounts are the user accounts that Windows services use to authenticate to the local computer or to Active Directory. These accounts are used to allow the services access to resources (such as network access or files) on the local computer or on computers that are members of an Active Directory domain.

For example, when installing Client Security, Setup requests user accounts for the various components of the Client Security deployment. These user accounts are used by the various components of Client Security to access the managed computers, access the Client Security databases, and run the various services.

For detailed information about the service accounts required for Client Security, see Creating installation and service accounts in the Client Security Deployment Guide (

For more information about service account planning, see the Services and Service Accounts Security Planning Guide (

User roles

Many organizations divide administrative tasks between administrative users. This method of administration relies on categorizing these tasks, and the permissions and rights needed to perform these tasks, into user roles.

In a Client Security deployment, there may be a need to separate the ability to view reports from all other administrative tasks. Also, it may be necessary to allow only Group Policy administrators in the domain to have the ability to manage Client Security policy.

For information about Client Security user roles, see Working with user roles in the Client Security Administrator's Guide (