BlueCielo Meridian Enterprise 2012 System Requirements | BlueCielo ECM Solutions

Granting domain privileges with a service account

By default, the EDM Server service runs under the SYSTEM account of the computer. This works well unless Meridian will be integrated with SQL Server or Oracle hosted on other computers, or if Meridian Web Access or stream files will be located on other computers. In any of these configurations, the EDM Server service must have access to those computers, which the SYSTEM account does not. Instead, the EDM Server service must run under a different account that does have access to those computers. We recommend that you change the EDM Server service to use a domain account with sufficient permissions to access those computers depending on the required resources. For example, to access stream files (document content) stored on a separate file server, the EDM Server service account will need Read and Write permissions to the stream folders on the file server. In addition to the particular resource requirements of the server type being accessed, the EDM Server service account needs the Log on as a service security policy for the domain.

This solution involves creating a dedicated account for the Meridian services to run under and granting that account the domain privileges needed. This solution is preferred by domain administrators when the privileges should be as restricted as possible:

  1. In Active Directory, create a new user named BC Meridian Server Service (or similar). The account should be a domain user or domain administrator and a local administrator of the Meridian application server. This account should be added to the following policies on the Meridian application server:

This account needs to have full control over the \BC-Meridian Vaults folder and the registry branch HKEY_LOCAL_MACHINE\Software\Cyco on the Meridian application server.

Note: In an Active Directory environment, changing the account under which the AutoManager EDM Server service runs will also require you to add the account to the Pre-Windows 2000 Compatible Access group of the domain, unless the new account is also a domain administrator account. If the account is not a domain administrator and the account is not added to the Pre-Windows 2000 Compatible Access group, strange security behavior will occur in the vault because the new account will not be granted access to query domain user accounts and group membership.

  2. In Active Directory, add the account to the built-in Pre-Windows 2000 Compatible Access group. For more information, see the Microsoft Support article at: http://support.microsoft.com/default.aspx?scid=kb;en-us;325363.

Note: If Meridian users reside in multiple domains in an Active Directory forest, you must do this for every domain in which the users reside.

  3. In Computer Management on the Meridian application server, edit the properties of the AutoManager EDM Server service and set the logon credentials to the name and password created in step 1.
  4. Restart the Meridian application server.
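The procedure above, scripted as an added example that is not part of the BlueCielo documentation. It takes the least-privilege option the page allows (a plain domain user that is a local administrator only on the application server, plus membership in Pre-Windows 2000 Compatible Access rather than Domain Admins). The domain name CORP, the account name svc-meridian-edm and the drive letter of the vaults folder are assumed placeholders; the service display name and registry branch are the ones named on the page.

```powershell
# Added example, not BlueCielo's own script. Run in an elevated PowerShell session
# on the Meridian application server; the ActiveDirectory RSAT module is required
# for the group membership step.
$Domain      = 'CORP'                       # assumed placeholder
$SamName     = 'svc-meridian-edm'           # assumed; the page suggests "BC Meridian Server Service"
$Account     = "$Domain\$SamName"
$VaultPath   = 'D:\BC-Meridian Vaults'      # drive letter assumed
$RegPath     = 'HKLM:\Software\Cyco'
$ServiceName = 'AutoManager EDM Server'     # display name from the page
$Password    = Read-Host -Prompt "Password for $Account" -AsSecureString

# Step 1: local administrator on this server only, not a domain administrator.
Add-LocalGroupMember -Group 'Administrators' -Member $Account

# Full control on the vaults folder, inherited by sub-folders and files.
$acl  = Get-Acl -Path $VaultPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $VaultPath -AclObject $acl

# Full control on the Cyco registry branch, inherited by subkeys.
$acl  = Get-Acl -Path $RegPath
$rule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $Account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $RegPath -AclObject $acl

# Step 2: a non-administrator account needs this group to query domain users and
# group membership. Repeat against every domain in a multi-domain forest.
Add-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' -Members $SamName

# Step 3: point the service at the new account. The "Log on as a service" right
# is granted through Local Security Policy (secpol.msc) and is not automated here.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = $Account; StartPassword = $plain }
if ($result.ReturnValue -ne 0) { throw "Service change failed, code $($result.ReturnValue)" }

# Check the logon account took effect before the restart in step 4.
Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceName'" |
    Select-Object Name, StartName, State
```

Review the resulting ACLs and group membership afterwards; the script adds permissions and never removes the SYSTEM or existing entries.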


Copyright © 2000-2012 BlueCielo ECM Solutions