2

I'm trying to create an Exchange domain service account. I'd like to define the rights in a Group Policy Object.

Since this is for both a 2 node DAG and a 2 node CAS Array, I need to know the rights for services like "Exchange Server RPC Client Access" service, etc.

Does anyone know where I can find these GPO rights?

Duardon
  • Can you clarify what you mean? Are you trying to run said services as a service account, or grant certain permissions to do Exchange-related administration? – Ben Pilbrow Aug 18 '11 at 20:11
  • grant rights to a domain service account I'm going to create that will be used to run those services (if possible) (i.e. 'Log On As A Service', 'Create Token Objects', etc.) – Duardon Aug 18 '11 at 20:21

1 Answer

3

The Exchange services are installed and run mostly under the NT AUTHORITY\LOCAL SYSTEM and NT AUTHORITY\NETWORK SERVICE accounts and should not be changed. If you do change them, you'll likely be in unsupported territory, and there really is no reason to change the logon account.

Creating a DAG and/or CAS array doesn't require the Exchange services to be running under a different user; all you need is an appropriately privileged user account to create the CAS array and DAG (by default the user account that installed Exchange is granted the Exchange Org Administrator).

Ben Pilbrow
  • Ok. So what rights is the 'Network Service' account running with? Reason I ask is that client has an altered version of default domain policy, which seems to be missing rights required for Exchange RPC Client Access service. As a result, service "Started then stopped". Changing service to run as domain administrator allows service to start. So if these services need to run as local entities, then I'm trying to identify rights needed in Default Domain Policy to allow service to run as 'Network Service'... – Duardon Aug 18 '11 at 20:38
  • Does the event log show anything useful? If the built in accounts are malfunctioning, I'd expect a lot more to break than the RPC Client Access service not starting. Also, if it didn't have correct permissions, I would expect an `Access Denied` error, rather than the service starting and stopping immediately. – Ben Pilbrow Aug 18 '11 at 20:48
  • The server has a GPO applied to it that's built to accommodate the local services required for a single Exchange server. So everything appears to be working but services related to advanced features like clustering (in this case the RPC Client Access Service which I believe is a feature of the CAS Array role). So I'm hoping that by identifying which GPO User Rights need the "Network Service" account added to them on the GPO I can restore privileges to the required account. – Duardon Aug 19 '11 at 00:39
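
One way to check which user rights a GPO has stripped from Network Service, as an added example that is not part of the original thread: parse a `secedit` user-rights export and report the rights where the account's SID (S-1-5-20) is no longer named. The rights list is an assumption: it is the set of rights that name NETWORK SERVICE in a default Windows Server local policy, not an Exchange-specific requirement list, and the sample export is constructed.

```powershell
# Added example. $ExpectedRights = rights that name NETWORK SERVICE by default
# on Windows Server (assumption; not a list published for Exchange).
$NetworkServiceSid = 'S-1-5-20'
$ExpectedRights = @(
    'SeServiceLogonRight',            # Log on as a service
    'SeAssignPrimaryTokenPrivilege',  # Replace a process level token
    'SeIncreaseQuotaPrivilege',       # Adjust memory quotas for a process
    'SeAuditPrivilege',               # Generate security audits
    'SeChangeNotifyPrivilege',        # Bypass traverse checking
    'SeImpersonatePrivilege',         # Impersonate a client after authentication
    'SeCreateGlobalPrivilege'         # Create global objects
)

function Get-MissingRights {
    param([string[]]$InfLines, [string]$Sid, [string[]]$Rights)
    $assigned = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            # Only the [Privilege Rights] section holds user-rights assignments
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            # Values look like "*S-1-5-20,*S-1-5-32-544"; strip the '*' prefix
            $sids = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
            $assigned[$right] = $sids
        }
    }
    # A right is "missing" if it is absent or does not name the SID explicitly
    $Rights | Where-Object { -not ($assigned.ContainsKey($_) -and ($assigned[$_] -contains $Sid)) }
}

# Constructed sample export (a policy that dropped two assignments)
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
'@ -split "`r?`n"

Get-MissingRights -InfLines $sample -Sid $NetworkServiceSid -Rights $ExpectedRights
# Live check (elevated): secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf"
#   then pass (Get-Content "$env:TEMP\rights.inf") as -InfLines
```

A right reported here is only missing as an explicit assignment; the account can still hold it through a group such as Everyone, so compare the output with `gpresult /h` to see which GPO set each value.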