Verifying account permissions

Applies To: Forefront Client Security

To ensure the Enterprise Manager server can communicate with the down-level Client Security deployments, you must verify that the installation and service accounts used in Enterprise Manager have the appropriate permissions.

Installation account

The user account that you use to log in to install the Enterprise Manager server is known as the installation account. This account must be an administrator on the Client Security server that will be the Enterprise Manager server. Additionally, this account must have the SQL Server EXECUTE permission on:

  • The Enterprise Manager collection database (OnePoint) and reporting database (SystemCenterReporting).

  • The down-level Client Security collection database and reporting database.

To grant SQL Server permissions

  1. On the SQL Server, start SQL Server Management Studio and in Object Explorer, expand Security.

  2. Right-click Logins, and then click New Login.

  3. In the Login - New box, click Search.

  4. In the Select User or Group box, click Locations, select the location to search, and then click OK.

  5. In the Enter the object name to select field, type the user name for the account you are adding to the logins, and then click OK. In the Login - New box, click OK.

  6. In Object Explorer, expand Databases, expand OnePoint, and then expand Security.

  7. Right-click Users, and then click New User.

  8. In the Database User dialog box, click the ellipsis button.

  9. In the Select Login box, under Enter the object names to select, type the name of the login, and then click OK.

  10. In the Database User dialog box, in the User name field, type a name for the database user, and then click OK.

  11. In Object Explorer, right-click OnePoint, and then click Properties.

  12. In the Database Properties page, under Select a page, click Permissions.

  13. Select the user you are assigning permissions to, and under Explicit permissions for username, select the Grant check box for Execute, and then click OK.

  14. Repeat steps 5 through 12 for the SystemCenterReporting database.

The user account used to install the Enterprise Manager down-level component must be an administrator on the Client Security servers. Additionally, this user account requires the SQL Server EXECUTE permission on the reporting database of the Enterprise Manager server.

Service accounts

Before installing the Enterprise Manager components, you must create the user accounts requested in the setup of Client Security. For more information, see Creating installation and service accounts (http://go.microsoft.com/fwlink/?LinkID=86650).

The Enterprise Manager Data Access Server (DAS) account

The Data Access Server (DAS) account on the Enterprise Manager server requires the SQL Server EXECUTE permission on:

  • The Enterprise Manager collection database (OnePoint) and reporting database (SystemCenterReporting).

  • The down-level Client Security collection database and reporting database.

The DAS accounts for the Enterprise Manager down-level servers must be added to the MOM Service group on the Enterprise Manager server in order to enable alert forwarding to the Enterprise Manager server.

Enterprise Manager administrator

The Enterprise Manager administrator must have permissions in all Active Directory® domains that contain down-level Client Security servers and managed computers.

If a single user will serve as the Enterprise Manager administrator, that user must have all the permissions for all user roles outlined in Working with user roles in the Client Security Administration Guide (http://go.microsoft.com/fwlink/?LinkID=86555).

Any separation of roles for the Enterprise Manager administrators must take into consideration the permissions required for those roles in relationship to a multiple domain environment. For example, the ability to create Client Security policies can be granted to a separate user; this user is then a Policy Deployer. The permissions a Policy Deployer needs are detailed in the following table.

Deployment target Permissions required
  • Domains

  • OUs

  • Security groups

Policy Deployers must have permission to create, modify, delete, and link group policy objects (GPOs). For domain and organizational unit (OU) policy deployment, Policy Deployers must have these permissions at the appropriate level; the domain level for domain policies, or the OU level for OU policies. For security group deployment, Policy Deployers must have these permissions at the domain level.

To deploy to remote domains, OUs, and security groups, Policy Deployers must have, in each remote domain, permission to create, modify, delete, and link GPOs; however, you cannot add Policy Deployers in the Enterprise Manager domain to the Group Policy Creator Owners global group in remote domains. Instead, you can:

  • Add Policy Deployers to the Group Policy Creator Owners group in the Enterprise Manager domain.

  • In each remote domain:

    • Create a domain-local group.

    • Use the Group Policy Management console to delegate GPO creation rights to the new domain-local group.

    • Add the Group Policy Creator Owners group from the Enterprise Manager domain to the domain-local group you created in the remote domain.

GPOs

Policy Deployers must have permission to edit the GPOs that distribute the Client Security policies to client computers.

For information about using the other user roles, see Working with user roles in the Client Security Administration Guide (http://go.microsoft.com/fwlink/?LinkID=86555).

The Enterprise Manager administrator must have the SQL Server EXECUTE permission on:

  • The Enterprise Manager collection database (OnePoint) and reporting database (SystemCenterReporting).

  • The down-level Client Security collection database and reporting database.

SQL Server Agent user account

The Enterprise Manager Dashboard is kept up to date with a scheduled job, which runs every five minutes by default. This job is implemented as a SQL Server Agent job and queries the down-level Client Security databases for Dashboard data.

The user account that the SQL Server Agent service runs as must have the SQL Server CONNECT, SELECT and EXECUTE permissions to the down-level Client Security databases.