Granting domain privileges with a service account

By default, the EDM Server service runs under the SYSTEM account of the computer. This works well in simple environments.

But it does not work in more complex environments such as:

• Meridian user accounts synchronized with Active Directory
• Meridian integrated with SQL Server or Oracle hosted on other computers
• Meridian Web Access or stream files located on other computers
• Meridian integrated with Publisher or Meridian Explorer

In environments like these, the EDM Server service must have access to those computers, which the SYSTEM account does not. Instead, the EDM Server service must run under a different account that does have access to those computers. We recommend that you configure the EDM Server service to use a domain account with sufficient permissions to access those computers depending on the required resources. For example, to access stream files (document content) stored on a separate file server, the EDM Server service account will need Read and Write permissions to the stream folders on the file server. In addition to the particular resource requirements of the server type being accessed, the EDM Server service account needs the Log on as a service security policy for the domain.

This solution involves creating a dedicated account for the Meridian services to run under and granting that account the domain privileges needed. This solution is preferred by domain administrators when the privileges should be as restricted as possible.

To create the service account:

1. In Active Directory, create a new user named BC Meridian Server Service (or similar). The account should be a domain user or domain administrator and a local administrator of the Meridian application server. This account should be added to the following policies on the Meridian application server:

• Log on as a batch job
• Act as part of the operating system
  
• Log on as a service
• Access this computer from the network

This account needs to have full control over the \BC-Meridian Vaults folder and the registry branch HKEY_LOCAL_MACHINE\Software\Cyco on the Meridian application server.

Notes

• In an Active Directory environment, changing the account under which the AutoManager EDM Server service runs will also require you to add the account to the Pre-Windows 2000 Compatible Access group of the domain, unless the new account is also a domain administrator account. If the account is not a domain administrator and the account is not added to the Pre-Windows 2000 Compatible Access group, strange security behavior will occur in the vault because the new account will not be granted access to query domain user accounts and group membership.
• NEW  By default, this account is set as the rescue account as described in Creating a rescue account for security administration.

2. In Active Directory, add the account to the built-in Pre-Windows 2000 Compatible Access group. For more information, see the Microsoft Support article at: How To Add Users to the Pre-Windows 2000 Compatible Access Group in Windows Server 2003.

Note    If Meridian users reside in multiple domains in an Active Directory forest, you must do this for every domain in which the users reside.

3. In Active Directory, verify that the account is a member of the Distributed COM Users group or of a group that is a member.

4. Enter this account name when prompted during Meridian Enterprise server installation as described in Installing the server components.

   Or if the Meridian Enterprise server components are already installed:

   In Computer Management on the Meridian application server, edit the properties of the AutoManager EDM Server service and set the logon credentials to the name and password created in step 1.

5. Restart the Meridian application server.

We recommend that you specify this same account for all of the uses in your environment that are listed in Service account usage.