Customize a Connect:Direct Logon Account

Connect:Direct® for Microsoft Windows is installed under the local System account.

To create a custom service account, assign the account the following user rights:

  • Act as part of the operating system—Allows Connect:Direct to impersonate any user without authentication.
  • Allow log on locally—Allows the account to log on to the computer.
  • Back up files and directories—Allows Connect:Direct to update directories and the registry.
  • Log on as a service—Allows the Connect:Direct service to run in the context of the specified user instead of running in the context of the local System account.
  • Replace a process level token—Allows Connect:Direct to submit Processes on behalf of logged-on users.
  • Be a member of the Local Administrator Group—If you want to allow the node to update its entry in Active Directory (optional), the account must also be a member of the Enterprise Admin group.
  • Full permissions on the Connect:Direct installation directory and its subdirectories.

Note: These user rights are stored locally, even if the computer is a member of a domain. As a result, user rights cannot be set on the domain controller and granted to all computers on the domain.

Enabling the Allow service to interact with desktop option when running Connect:Direct under the local System account presents a security risk and may allow access to services that interact with the desktop.

After you create the account, assign it as the account for Connect:Direct. To identify the custom logon account:

  1. Select Start > Settings > Control Panel > Administrative Tools > Services.
  2. Double-click the Connect:Direct server.
  3. Click the Log On tab.
  4. Select This account to identify the custom logon account.
  5. Type the account name to use for logging onto Connect:Direct, or click Browse and double-click the user account.
  6. Type the password in the Password and Confirm password fields.
  7. Click OK.
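
To confirm the result, the following PowerShell audit (an added example, not part of the IBM documentation) exports the local user-rights policy with secedit and reports which of the rights listed above the custom account holds, whether it is in the local Administrators group, and which account the service actually runs as. The account name and service name are placeholders; only direct grants and direct membership of local Administrators are resolved, not nested groups.

```powershell
# Added example: audit script, not IBM-supplied. Run from an elevated prompt.
param(
    [string]$Account     = 'HOSTNAME\svc-cdirect',      # placeholder account name
    [string]$ServiceName = 'ConnectDirectServiceName'   # placeholder; use the name shown in Services
)

# Privilege constants for the user rights listed on this page.
$required = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeBackupPrivilege             = 'Back up files and directories'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}

$sid  = ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sids = @($sid)

# Local Administrators (S-1-5-32-544) membership is itself a requirement, and
# rights granted to that group apply to the account as well.
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
                  Where-Object { $_.SID.Value -eq $sid })
if ($isAdmin) { $sids += 'S-1-5-32-544' }

# Export only the user-rights area of the local security policy and parse it.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Entries are "*SID" or, when unresolved, a plain account name.
        $policy[$Matches[1]] = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg

"Member of local Administrators: $isAdmin"
foreach ($right in $required.Keys) {
    $held = @($policy[$right] |
              Where-Object { $sids -contains $_ -or $_ -eq $Account }).Count -gt 0
    '{0,-40} {1}' -f $required[$right], $(if ($held) { 'granted' } else { 'MISSING' })
}

# Confirm the service's logon account and flag desktop interaction.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"Service logon account: $($svc.StartName)"
if ($svc.DesktopInteract) { 'WARNING: "Allow service to interact with desktop" is enabled' }
```

Because these rights are stored locally, run the check on each computer where Connect:Direct is installed.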