2.3 Reviewing Required Accounts and Permissions

The AppManager setup program requires access to various user accounts during installation. The following table lists the required accounts.

Account

Requirements

Other Considerations

AppManager installation

  • Windows user account

  • Member of the local Administrators group

None

QDB creation

  • Windows or SQL Server user account

    During installation, if you select Windows authentication, the setup program uses the Windows account under which you are currently logged in to access the SQL Server to create the QDB. If you select SQL Server authentication, the setup program uses the SQL Server user account you specify to access the SQL Server.

  • sysadmin SQL Server role

Before installation, use Microsoft SQL Server Management Studio or SQL Server Enterprise Manager to verify that the account, or the group to which the account belongs, has the sysadmin role.

Before SQL Server 2008, Microsoft provided a BUILTIN\Administrators account to automatically grant the sysadmin role to any Windows account in the local Administrators group. SQL Server 2008 does not include this account by default, and it is possible to manually remove the account in earlier versions of SQL Server.

QDB owner

  • Windows or SQL Server user account

  • Meets password requirements on the SQL Server that will host the QDB

  • Does not already exist in the SQL Server

    If the account already exists, it might create a conflict unless the database administrator sets the login properties for the account to use a fully-qualified account name (domain\username).

  • The account will be assigned the sysadmin SQL Server role.

  • If you use a SQL Server user account, specify the same account for the management server to use to connect to the QDB.

  • If you specify a user name that includes certain special characters, you will not be able to log in to the Operator Console using the QDB owner account. The special characters are: \ / * ? : < > | "

Management server service (NetIQms)

  • Windows local system or Windows user account

  • Windows user account must be a member of the local Administrators group, have the right to log on as a service, and have the right to log in to the SQL Server that hosts the QDB

  • If the service will use the Windows local system account, the management server must use a SQL Server user account to connect to the QDB.

  • If you use Windows Authentication security mode for Microsoft SQL Server, the service must use a Windows user account.

Management server QDB connection

Windows or SQL Server user account

  • If you use a Windows user account, the management server uses the NetIQms account to connect to the QDB.

  • If you use a SQL Server user account as the QDB owner account, specify the same account for the management server to connect to the QDB.

Task Scheduler service

  • Windows local system or Windows user account with the right to log on as a service

  • Windows user account must be a member of the local Administrators group

  • Accounts must have access to the SQL Server instances that host the repositories the service will manage

Specify a Windows user account if the SQL Server that will host the repositories the service will manage uses Windows authentication.

If you want to use the local system account, the repositories must use SQL authentication.

When you add repositories to the service, if you choose Windows authentication for the service to connect to the repositories, the service will use this account to make the connection.

Agent services (NetIQmc and NetIQccm)

Windows local system or Windows user account with the right to log on as a service

When the agent is on the same computer as the management server, the account requires administrator permissions on the management server.

In the following situations, specify a Windows user account:

  • You will install the agent on the management server.

  • The agent will monitor a SQL Server that uses Windows authentication.

  • You plan to install a module, such as AppManager for Microsoft Exchange Server or AppManager for Microsoft Active Directory, that requires the agent services to run under a Windows user account.

    For information about the permissions and memberships a module requires, see the management guide for the module. If you are unsure whether a module requires a Windows user account for the agent services, NetIQ Corporation recommends installing the agent using the Windows local system account. If necessary, you can use the Services application in Control Panel to change the account after installation. If you change the account, change it for both agent services.

  • You plan to enable the agent to generate reports.

    For more information about the agent reporting capability, see Section 8.1.3, Understanding Agent Reporting Capabilities.

  • You plan to enable the MAPI mail option.

    For more information about the MAPI mail option, see Section 8.1.5, Understanding MAPI Mail Settings.

CCDB creation

  • Windows or SQL Server user account

    During installation, if you select Windows authentication, the setup program uses the Windows account under which you are currently logged in to access the SQL Server to create the CCDB. If you select SQL Server authentication, the setup program uses the SQL Server user account you specify to access the SQL Server.

  • sysadmin SQL Server role

Before installation, use Microsoft SQL Server Management Studio or SQL Server Enterprise Manager to verify that the account, or the group to which the account belongs, has the sysadmin role.

Before SQL Server 2008, Microsoft provided a BUILTIN\Administrators account to automatically grant the sysadmin role to any Windows account in the local Administrators group. SQL Server 2008 does not include this account by default, and it is possible to manually remove the account in earlier versions of SQL Server.

CCDB owner

  • Windows or SQL Server user account

  • Meets password requirements on the SQL Server that will host the QDB

  • Does not already exist in the SQL Server

    If the account already exists, it might create a conflict unless the database administrator sets the login properties for the account to use a fully-qualified account name (domain\username).

The account will be assigned the sysadmin SQL Server role.

Command queue service

  • Windows user account

  • Member of the local Administrators group

    An account with Domain Administrator privileges is not sufficient unless it is also a direct member of the local Administrators group.

  • Has the right to log on as a service

  • Has the right to log in to the SQL Server that hosts the CCDB

  • The account will be granted permissions in each managed QDB.

  • The command queue service, Deployment Service, and Deployment Web Service can use the same account.

  • The command queue service will run under this account and use it to connect to the CCDB.

  • When you install the service, the account under which you run the installation program must have administrative privileges on the SQL Server that hosts the CCDB. Otherwise, the installation program will not be able to establish a connection with the CCDB and the installation will fail.

Deployment Service

  • Windows user account

  • Member of the local Administrators group

    An account with Domain Administrator privileges is not sufficient unless it is also a direct member of the local Administrators group.

  • Has the right to log on as a service

  • Has the right to log in to the SQL Server that hosts the CCDB

  • The account will be granted appropriate permissions in each managed QDB.

  • If a firewall is present between the Deployment Service and the CCDB, the Deployment Service uses the Deployment Web Service account. For more information about how the Deployment Service connects to the CCDB, see Section 7.1.4, Understanding Deployment Server Configuration.

  • The command queue service, Deployment Service, and Deployment Web Service can use the same account.

  • The Deployment Service will use this account only to connect to the CCDB. It will not run under this account. The service will run under the local system account.

  • When you install the service, the account under which you run the installation program must have administrative privileges on the SQL Server that hosts the CCDB. Otherwise, the installation program will not be able to establish a connection with the CCDB and the installation will fail.

Deployment Web Service

  • Windows user account

  • Member of the local Administrators group

    An account with Domain Administrator privileges is not sufficient unless it is also a direct member of the local Administrators group.

  • Has the right to log on as a service

  • Has the right to log in to the SQL Server that hosts the CCDB

  • The command queue service, Deployment Service, and Deployment Web Service can use the same account.

  • The Deployment Web Service will use this account only to connect to the CCDB. It will not run under this account.

  • When you install the service, the account under which you run the installation program must have administrative privileges on the SQL Server that hosts the CCDB. Otherwise, the installation program will not be able to establish a connection with the CCDB and the installation will fail.
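
A pre-installation check for the three requirements that recur in the table above (direct membership in the local Administrators group, the right to log on as a service, and the sysadmin SQL Server role), added here as an example and not taken from the NetIQ documentation. It assumes Windows PowerShell 5.1 in an elevated session; the account name and SQL Server instance are placeholders.

```powershell
# Added example: check one candidate account before running setup.
# $Account and $SqlInstance are placeholder values, not names from the product.
param(
    [string]$Account     = 'CONTOSO\svc-appmanager',
    [string]$SqlInstance = 'SQLHOST01'
)

# Resolve the account to a SID so comparisons do not depend on name formatting.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# 1. Direct membership in local Administrators (well-known SID S-1-5-32-544).
#    Get-LocalGroupMember returns direct members only, so an account that is an
#    administrator solely through a nested group (for example Domain Admins)
#    is reported as not direct, which is the case the table warns about.
$isDirectAdmin = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value -contains $sid

# 2. "Log on as a service": export the local user-rights policy and read
#    SeServiceLogonRight. Entries appear as *SID or as plain account names.
#    A right held only through a group is not detected by this direct check.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
        Select-Object -First 1
Remove-Item $cfg
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Split(',').Trim().TrimStart('*')
}
$hasServiceLogon = ($holders -contains $sid) -or ($holders -contains $Account)

# 3. sysadmin role on the SQL Server, queried with the caller's Windows login.
#    IS_SRVROLEMEMBER returns 1, 0, or NULL (login or role not valid or not visible).
$conn = [System.Data.SqlClient.SqlConnection]::new(
        "Server=$SqlInstance;Database=master;Integrated Security=SSPI")
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', @login)"
[void]$cmd.Parameters.AddWithValue('@login', $Account)
$conn.Open()
try { $result = $cmd.ExecuteScalar() } finally { $conn.Close() }
$isSysadmin = ($result -isnot [DBNull]) -and ($result -eq 1)

[pscustomobject]@{
    Account          = $Account
    DirectLocalAdmin = $isDirectAdmin
    LogOnAsService   = $hasServiceLogon
    SqlSysadmin      = $isSysadmin
}
```

Not every row in the table needs all three results to be true: the sysadmin check applies to the QDB and CCDB creation accounts, while the service accounts need only the right to log in to the SQL Server.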