Customize a Connect:Direct Logon Account
Connect:Direct® for Microsoft Windows is installed under the local System account.
To create a custom service account, assign the account the following user rights:
- Act as part of the operating system—Allows Connect:Direct to impersonate any user without authentication.
- Allow log on locally—Allows the account to log on to the computer.
- Back up files and directories privileges—Allows Connect:Direct to update directories and registry.
- Log on as service—Allows the Connect:Direct service to run in the context of the specified user instead of running in the context of the local system account.
- Replace a process level token—Allows Connect:Direct to submit Processes on behalf of logged on users.
- Be a member of the Local Administrator Group—If you want to allow the node to update its entry in Active Directory (optional), the account must also be a member of the Enterprise Admin group.
- Full permissions on the Connect:Direct installation directory and its sub directories.
Note: These user rights are stored locally, even if the computer is a member of a domain. As a result, user rights cannot be set on the domain controller and granted to all computers on the domain.
Enabling the option, Allow service to interact with desktop when running Connect:Direct under the local System account, presents a security risk and may allow access to services that interact with the desktop.
After you create the account, you assign it as the account for Connect:Direct. To identify the custom logon account:
- Select Start > Settings > Control Panel > Administrative Tools > Services.
- Double-click the Connect:Direct server.
- Click the Log On tab.
- Select This account to identify the custom logon account.
- Type the account name to use for logging onto Connect:Direct, or click Browse and double-click the user account.
- Type the password in the Password and Confirm password fields.
- Click OK.