Summary

By default the adTempus service is configured to run under the Local System account. This article describes how to change the service to run under a user account.

More Information

When you install adTempus, the adTempus service will be configured to run under the Local System account. This is the preferred setting, and should be appropriate for most users. Unless you have a specific reason for doing so, you should leave the configuration as is.

This setting affects only the adTempus service itself, and does not determine what account your jobs run under. Each job has its own credential settings to determine what user account the job will run under.

Some users may find it necessary to run the service under a user account instead. The most common reason is if you want to be able to use integrated Windows security with a remote SQL Server instance.

If you change the service to run under a user account, you must observe the following requirements:

  • The account you use must be a member of the Administrators group on the computer.
  • The account must have the following rights:
    • Log on as a service
    • Act as part of the operating system
    • Create a token object
    • Replace a process level token
  • If you are connecting to a remote SQL Server database, the account must have db_owner rights for the adTempus database on the database server.

See the Checking or Changing Account Rights section below for information on how to configure the rights for an account.

Checking or Changing the adTempus Service Account

To verify or change the user account for the adTempus service:

  1. Open the Windows Control Panel and launch the Services tool.
  2. Locate the "adTempus" service and display its properties.
  3. Click the "Log On" tab.
  4. Under "Log on as", the "Local System account" option should be selected unless you need to use a user account for one of the reasons discussed above. If so, select "This account" and enter the account information. Be sure the account is configured with the necessary permissions as discussed elsewhere in this article.

Checking or Changing Account Rights

To verify or grant the account rights, you must edit the Local Security Policy. If your computer is a member of a domain, or is a domain controller, you may also need to grant these rights in the domain or domain controller security policies.

To change the Local Security Policy:

  1. Select Run from the Windows Start menu.
  2. In the Run window, enter the following (without the quotes): "gpedit.msc".
  3. The Group Policy Object Editor will start.
  4. Navigate to the following folder: Local Computer Policy / Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.
  5. Double-click the "Act as part of the operating system" policy.
  6. Add the user account that adTempus is running under to this policy, then click OK to save it.
  7. Repeat steps 5 and 6 for the "Create a token object", "Log on as a service", and "Replace a process level token" policies.
  8. Close the Group Policy Editor.
  9. Restart the adTempus service.
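
The requirements above can also be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original article or of adTempus. It assumes the service's short name is "adTempus" and reads the local security policy through secedit, so it reports only rights and Administrators membership assigned directly to the account.

```powershell
# Added example: audit the adTempus service account against the article's requirements.
# Assumption: the service's short name is "adTempus"; change $ServiceName if it differs.
$ServiceName = 'adTempus'

# Required user rights, keyed by the constant names secedit uses in its export.
$RequiredRights = [ordered]@{
    SeServiceLogonRight           = 'Log on as a service'
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
$account = $svc.StartName
Write-Output "Service '$ServiceName' logs on as: $account"

if ($account -eq 'LocalSystem') {
    Write-Output 'Running under Local System (the default); no user rights to check.'
} else {
    # Resolve the account to a SID; secedit lists resolvable entries as *S-1-5-...
    $ntName = $account -replace '^\.\\', "$env:COMPUTERNAME\"
    $sid = ([System.Security.Principal.NTAccount]$ntName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Direct membership in the local Administrators group (well-known SID S-1-5-32-544).
    # Membership through a nested group is not expanded here.
    $isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -eq $sid })
    [pscustomobject]@{ Requirement = 'Member of Administrators'; Met = $isAdmin }

    # Export only the User Rights Assignment area to a temporary file and parse it.
    $cfg = Join-Path $env:TEMP 'adtempus-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg

    foreach ($right in $RequiredRights.Keys) {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" }
        # A right that nobody holds has no line in the export at all.
        $holders = if ($line) { ($line -split '=', 2)[1].Split(',').Trim().TrimStart('*') } else { @() }
        # Rights granted only through a group appear as the group's SID and are not matched.
        $met = ($holders -contains $sid) -or ($holders -contains $ntName)
        [pscustomobject]@{ Requirement = $RequiredRights[$right]; Met = $met }
    }
}
```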

Side Effects

If you have jobs that are scheduled to run under the Local System account (see article K00000036), those jobs will no longer run under the Local System account. Instead, they will run under the account you are using for the adTempus service.

See Also

The following problems may occur if the user account is not configured properly:

  • All programs fail to run with error "A required privilege is not held by the client" when adTempus service set to run under user account (K00000213)
  • Error when connecting to the adTempus server: "A required privilege is not held by the client" (K00000214)