• RSS
  • Twitter
  • FaceBook

Exchange Server Forums

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Change Exchange Server 2003 Services Account

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Microsoft Exchange 2003] >> General >> Change Exchange Server 2003 Services Account Page: [1]
Login
Message << Older Topic   Newer Topic >>
Change Exchange Server 2003 Services Account - 22.Oct.2007 3:38:52 PM   
zubero

 

Posts: 6
Joined: 15.Oct.2007
Status: offline
Hello:

I'm trying to change the logon account of the various Exchange services (System Attendant, Information Store, etc.) from the local machine to a domain user account with Enterpirse Admins, Domain Admins and Schema Admins, group rights.

However once, I restart these services with the new account instead of the local account, it no longer works.

I am using a MSPress Book ("Implementing and Managing Microsoft Exchange Server 2003") as a guideline, where it explains how to do it. After researching for a while, I also found this http://support.microsoft.com/default.aspx?scid=kb;en-us;239762&Product=exch2003.
So, which is the right document?

Has anyone ever been able to start Exchange services under a different accout other then the local account?


Thanks in advance.
Post #: 1
RE: Change Exchange Server 2003 Services Account - 22.Oct.2007 3:43:47 PM   
a.grogan

 

Posts: 1917
Joined: 12.Apr.2005
From: London
Status: offline
Hiya Zub, I hope you don't mind me asking -
Why do you wish to use a domain based account? - this is not recommended and is slightly less secure than the default method (LOCALSYSTEM).

Cheers

A

_____________________________

Andy Grogan
MSExchange.org Forums Moderator
For my general ramblings about Exchange please visit my website:
W: http://www.telnetport25.com/
B: http://telnetport25.wordpress.com/
M: manifoldmaster@gmail.com

(in reply to zubero)
Post #: 2
RE: Change Exchange Server 2003 Services Account - 22.Oct.2007 4:02:49 PM   
zubero

 

Posts: 6
Joined: 15.Oct.2007
Status: offline
There are different reasons:
1. I think it could be a good way to differ an Exchange service in a log auditing task from another service. I thought that using a domain account like a service account could be a way to do it easier.
2. It is an exercise of that book and I am interested on learn how to do it. How do you create a service account without logon capabilities?
3. Local system account has more privileges and maybe all those permissions are not necessary for the right functioning of Exchange Server.

Thanks.

(in reply to a.grogan)
Post #: 3
RE: Change Exchange Server 2003 Services Account - 22.Oct.2007 4:18:21 PM   
a.grogan

 

Posts: 1917
Joined: 12.Apr.2005
From: London
Status: offline
Hiya, ok a couple of things;

quote:

1. I think it could be a good way to differ an Exchange service in a log auditing task from another service. I thought that using a domain account like a service account could be a way to do it easier.


I am not sure what you would gain from Security Auditing on the Exchange Account - you would find a huge amount of object access and privilege use which would be normal operation, it would be hard to distinguish normal use to dodgy use.

quote:

2. It is an exercise of that book and I am interested on learn how to do it. How do you create a service account without login capabilities?


Fair enough, I think that it is good to try things - however I wouldn't try this in Production - would be better to do it in Test . - Also the account used would automatically be granted "log on as a service right" at the very least, and the account would have to have local admin privileges - which grants login.

quote:

3. Local system account has more privileges and maybe all those permissions are not necessary for the right functioning of Exchange Server.


Thats true that the system account does indeed have a number of privileges - but they are there for a reason.

However, in terms of what you are trying to achieve - have you:

Ensured that the domain account has FULL CONTROL over the Exchange organisation (this would be granted via the ESM at the top level).

Added the account to the Local Admins group on the Exchange server
Granted it "log on as a service rights".

Cheers

A

< Message edited by a.grogan -- 22.Oct.2007 4:21:15 PM >


_____________________________

Andy Grogan
MSExchange.org Forums Moderator
For my general ramblings about Exchange please visit my website:
W: http://www.telnetport25.com/
B: http://telnetport25.wordpress.com/
M: manifoldmaster@gmail.com

(in reply to zubero)
Post #: 4
RE: Change Exchange Server 2003 Services Account - 15.Nov.2007 7:11:06 PM   
zubero

 

Posts: 6
Joined: 15.Oct.2007
Status: offline
Hello, A. Grogan:

Thanks for your answer and I'm sorry for the delay on my answer.

Related to the three points:
1. I believed this could be a good way to indentify Exchange actions related from those actions related to W2K3 or other application.

2. In fact, I want to try it in a training environment, not in a production scenario. I didn't understand what is necessary to configure an account just for been used as a service and deny login capability.

3. I checked all the three items you told me and it cannot initialize Exchange services with an account other than the local account.


Thanks for your help.

Carlos.

(in reply to a.grogan)
Post #: 5

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [Microsoft Exchange 2003] >> General >> Change Exchange Server 2003 Services Account Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts


Follow TechGenix on Twitter