Service Accounts being crawled

Similar Messages

• Service account being used in Availability Address Space

  We are A.com and have availabilityaddressspace created with a partner company B.com. Both A.com and B.com use Exch 2007.
  F/B sharing works great. No issues at all, has been working for many years.
  I am trying to find out the service account which we used while configuring the availability address space.
  Get-availabilityaddresspace | fl reveals that serviceaccount is beign used but it does not talk about the service account being used. I checked properties of availabilityaddress space in ADSIEDIT and nothing reveals about the service account being used.
  There is an account revalidation happening and i need to find out which service account is being used to mke sure its not deleted in both the companies.. any help on this will be appreciated.
  Thanks,
  Sivaram

  Hi,
  I recommend you refer to the following articles:
  http://technet.microsoft.com/en-us/library/bb629601(v=exchg.80).aspx
  Use the Get-AvailabilityConfig cmdlet to retrieve the accounts that are trusted in cross-forest exchange of free/busy information.
  The Get-AvailabilityConfig cmdlet lists the accounts that have permissions to issue proxy availability service requests on an organizational or per-user basis.
  http://technet.microsoft.com/en-us/library/bb125182(v=exchg.141).aspx
  Use the Shell to configure trusted cross-forest availability with a service account
  Hope this helps!
  Thanks.
  Niko Cheng
  TechNet Community Support

• How to know which service accounts I am using inside my SharePoint server

  We were asked to send a list of all the services accounts that are being used inside our SharePoint server, as the system administrators need to apply a new password policy. So to check which accounts I am currently using, I went to these locations:-
  From the “IIS Manager” >> Application pool. I checked the identity column for all the domain users.
  From >SharePoint CA >> Security >> Configure managed accounts.
  So my question is basically if there could be any service accounts inside my SharePoint server, that are not in the above two locations ?
  Thanks

  Yes. SharePoint will add all service accounts it uses to the Managed Account list.
  This will include accounts like the SharePoint Crawl Account which will not be used to run an Application Pool itself but will need to be part of your password change policy.
  this means that in our case we have two accounts inside the "CA>>Security>>Managed Accounts" , and these are the ones used all over the sharepoint server ? is this correct ?

• Accounts being created with administrative group rights

  Hello,
  The server is a Windows 2003 R2 Enterprise fully patched used for Shared Hosting purposes.  It runs Hsphere control panel.  I am trying to identify how the following hack is happening. 
  1) There are users being created with Administrative group rights.   Below is the EventViewer log for the user creation:
  User Account Created:
       New Account Name:    username
       New Domain:    PCNAME
       New Account ID:    PCNAME\username
       Caller User Name:    PCNAME$
       Caller Domain:    DOMAINNAME
       Caller Logon ID:    (0x0,0x3E7)
       Privileges        -
   Attributes:
       Sam Account Name:    username
       Display Name:    <value not set>
       User Principal Name:    -
       Home Directory:    <value not set>
       Home Drive:    <value not set>
       Script Path:    <value not set>
       Profile Path:    <value not set>
       User Workstations:    <value not set>
       Password Last Set:    <never>
       Account Expires:    <never>
       Primary Group ID:    513
       AllowedToDelegateTo:    -
       Old UAC Value:    0x2DAB2B0
       New UAC Value:    0x2DAB2B0
       User Account Control:    -
       User Parameters:    <value not set>
       Sid History:    -
       Logon Hours:    <value changed, but not displayed>
  There exists entries as well where the primary group ID is changed to the Administrative group, but I am omitting such.
  2) I tried to identify what Caller Logon ID:    (0x0,0x3E7) means.  I found out from here:
   http://blog.joeware.net/2013/01/14/2667/ that I can use LogonSessions.exe to identify it.
  Output from LogonSessions.exe is pasted below (snippet):
  [0] Logon session 00000000:000003e7:
      User name:    DOMAINNAME\PCNAME$
      Auth package: NTLM
      Logon type:   (none)
      Session:      0
      Sid:          S-1-5-18
      Logon time:   9/11/2014 12:41:53 PM
      Logon server:
      DNS Domain:   
      UPN:          
          4: System
        316: smss.exe
        364: csrss.exe
        392: winlogon.exe
        440: services.exe
        452: lsass.exe
        628: svchost.exe
        756: LMAgent.exe
        840: svchost.exe
       1000: spoolsv.exe
       1252: avagent.exe
       1268: camWMIAgent.exe
       1324: cissesrv.exe
       1380: cpqrcmc.exe
       1404: vcagent.exe
       1440: svchost.exe
       1480: HsQuotas.exe
       1740: inetinfo.exe
       1780: EmailAgent.exe
       1856: snmp.exe
       1884: sysdown.exe
       1920: smhstart.exe
       2192: svchost.exe
       2388: cmd.exe
       2396: hpsmhd.exe
       2444: cqmgserv.exe
       2464: cqmgstor.exe
       2484: HSphere.exe
       2596: wmiprvse.exe
       2676: cmd.exe
       2684: rotatelogs.exe
       2692: cmd.exe
       2700: rotatelogs.exe
       2732: searchindexer.exe
       2812: hpsmhd.exe
       2824: cqmghost.exe
       2852: svchost.exe
       3044: cmd.exe
       3052: rotatelogs.exe
       3080: cmd.exe
       3088: rotatelogs.exe
       5452: svchost.exe
       5596: GravitixService.exe
       7392: csrss.exe
       7232: winlogon.exe
       6888: csrss.exe
       9832: winlogon.exe
      10388: wawrapper.exe
      10352: cpqnimgt.exe
       9496: msiexec.exe
       6068: w3wp.exe
       4748: webalizer.exe
  3) I also learned from http://support.microsoft.com/kb/243330/en-us that   Sid:          S-1-5-18 means:
  SID: S-1-5-18
  Name: Local System
  Description: A service account that is used by the operating system
  That is all great info, but I am not sure I can put together what I have learned to attempt and get closer towards identifying how in the world users are being created and then being assigned administrative group rights.
  I am a Linux person mostly, but I am comfortable following a properly explained thread regarding windows 2003 R2 Enterprise issues.
  The server is fully patched and it is running Lumension security product.  What's more, Norman Malware tracker, tdskiller.exe (Kaspersky) and McAfee rootkitremover.exe have been run without any apparent Malware/Virus infection
  Hope someone with advanced admin skills can advise.
  Thank you

  Hi,
  You mentioned that, “I am trying to identify how the following hack is happening”, would you please tell us that why did you think the event represent a hacking behavior?
  In a Shared Server Hosting environment, the underlying hosting control panel tool (Hsphere in this case) should be creating only virtual FTP users with a specific group.  So no users with Administrative group should be ever created.  If this happens,
  it constitutes a breach of server security=positive hacking attempt.
  >how in the world users are being created and then being assigned administrative group rights.
  In addition, would you please be more specific about this question? Did you find the event message on a domain joined machine?
  I want to be able to understand in full how/what process is allowing users to be created with Admin rights.  In other words, I want to know what IP was used to issue the command, if ASP.net was used (abused in this case), or anything else related to
  it so that we can patch this particular hole.
  Best Regards,
  Amy

• Domain administrator service accounts limit access to a particular server/s

  We need to adjust these to adjust our service accounts and would like them to be restricted to a particular server and restrict their logon or access.  Any
  suggestions on how to manage this through Active Directory at an enterprise level? We want to lock down the accounts to specific servers but we can't use local admins for these particular group of accounts.
  For the time being I was thinking about using AD to "logon on to" and enter the server names to limit the access but I was didn't know if there was any
  better approach to the solution. Any suggestion or any other ways to configure? Caveats?

  > For the time being I was thinking about using AD to "logon on to" and
  > enter the server names to limit the access but I was didn't know if
  > there was any better approach to the solution. Any suggestion or any
  > other ways to configure? Caveats?
  Funny I wrote a post on user privilege assignment some days ago :)
  Unfortunately, it is available in german only, but maybe google/bing can
  translate good enough to make sense:
  http://evilgpo.blogspot.de/2015/04/wer-bin-ich-und-was-darf-ich.html
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• Service Account Management through Request Templates

  Hi,
  I am trying to implement Service Account lifecycle use cases (Create, Modify, Delete) on 2 resources(AD User, iPlanet User) through Request templates. In this case OOTB tasks - Service Account Alert, Service Account Changed, Service Account Moved with resource specific Process definitions are not get triggered as I am initiating process through Request Templates.
  I want to trigger post process EventHandler upon triggering any of these events. so, I created metadata xml file as the following and imported it into MDS.
  -----------------EventHandler Metadata file------------------------
  <?xml version='1.0' encoding='utf-8'?>
  <eventhandlers>
  <action-handler class="com.wipro.sdf.iam.oim.plugin.ServiceAccountCreationEventHandler" entity-type="Resource" operation="PROVISION" name="ServiceAccountCreateEventHandler" stage="postprocess" order="1021" sync="TRUE"/>
  </eventhandlers>
  ----------------------------XXX----------------------------------------------
  When I trigger create event of SA on any of the resources, the EventHandler is being invoked and from execute() method, Orchestration is giving the following data
  {UD_IPNT_USR_LAST_NAME=TestTwo, BENEFICIARYKEY=798, UD_IPNT_USR_COMMON_NAME=SA Test Two, *ResourceKey*=12, serviceaccount=true, UD_IPNT_USR_SA_ADMIN=USER16TE, UD_IPNT_USR_USERID=SATEST2, UD_IPNT_USR_FIRST_NAME=SAccount}
  My EventHandler has to do some actions on target resource(AD / iPlanet),so I would like to get resource connection details like IP, port , admin login details etc.
  To fetch those details, I am using ResourceKey that is coming from Orchestration.
  When I use the following code to find Resource details based on Key, its throwing resource not found exception.
  -----------------------Code from execute() of EventHandler----------------------
  String resKey = getParamaterValue(parameters, "ResourceKey");
  tcITResourceInstanceOperationsIntf resInsObj = Platform.getService(tcITResourceInstanceOperationsIntf.class);
  //Get Resource Details based on Resource Key
  HashMap searchMap= new HashMap();
  searchMap.put(Constants.IT_RESOURCE_KEY, resKey);
  logger.debug(methodName+" - IT Resouece Search Map is : "+searchMap);
  tcResultSet resultSet = resInsObj.findITResourceInstances(searchMap);
  -------------------------------End of code ------------------------------------------------
  I tried finding for the table which stores all IT Resource connection details. But no luck.
  Now my questions are:
  1. Which table stores all IT Resource Information that can be seen from Design Console -> Resource Management -> IT Resource Type Definition - > Resource?
  2. Which table stores Resource Key and Name details?
  3. When we do query for records from any form in Design Console, where exactly would logs get recorded? (as it queries DB to fetch information there should some file like DB Tracer Log etc)
  Could somebody please answer these questions and give some hint to implement SA management through Req Templates?
  Thank you in advance,
  Mounika

  Hi kevin,
  thanks for reply.
  i am thinking that, Even though OIM11G is developed in ADF,some parts of the code is in struts only,like xlWebApp.war .
  i have seen source code of xlWebApp.war folder that is there in OIM11g.
  it seems to be developed in struts only.
  is there any ADF interaction in that?
  i have written helloworld program in struts,that is working fine.
  i have done that,for ADUser resource popup i added button "serviceaccount for this resource".when i click that one jsp page will come.
  so i am thinking that,some other reason is there for not working.
  can u please tell me the reason?

• Service accounts rights in Sql Server 2008 clustered installation.

  I have to install  Sqlserver 2008 in a 2 node clustered environment in
  Windows Server 2008 R2. For that I have set up 4 less privileged
  a/c in domain for Db engine, Sql agent, Reporting services and Analysis
  service. During the installation I plan to specify these a/c's in the
  domain to run the above 4 services under these a/c. I understand the sql server agent
  a/c should have 6 rights in the local computer security policy
  ie a)Adjust memory quotas for process,b)Act as a part of os,c)Bypass
  traverse chechking,d)Log on as a batch job and e)Log on as a service.
  Will these rights get automatically assigned during installation
  or should it be manually assigned in each node under its local security
  policy. Also what are rights for the other 3 service a/c and do these
  rights get assigned automatically during installation.

  I have to install  Sqlserver 2008 in a 2 node clustered environment in
  Windows Server 2008 R2. For that I have set up 4 less privileged
  a/c in domain for Db engine, Sql agent, Reporting services and Analysis
  service. During the installation I plan to specify these a/c's in the
  domain to run the above 4 services under these a/c. I understand the sql server agent
  a/c should have 6 rights in the local computer security policy
  ie a)Adjust memory quotas for process,b)Act as a part of os,c)Bypass
  traverse chechking,d)Log on as a batch job and e)Log on as a service.
  Will these rights get automatically assigned during installation
  or should it be manually assigned in each node under its local security
  policy. Also what are rights for the other 3 service a/c and do these
  rights get assigned automatically during installation.
  You should get Domain account created before starting cluster installation and specifically give these rights to the account.
  Regarding rights below link might be helpful
  http://blogs.msdn.com/b/askjay/archive/2011/02/28/required-rights-for-sql-server-service-account.aspx
  When installing cluster make sure you use Domain account which is added as local administrator on both nodes.
  It should have righst to create Computer name object(CNO) in domain where cluster is being created
  Windows CNO must have complete rights on SQL server CNO.You should also take help from AD team in providing these rights and understanding if any.
  Please mark this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers

• After upgrade SP-Crawl Error: The SharePoint item being crawled returned an error when attempting to download the item.

  Hi All - After the upgrade, I am getting SP-Crawl Error for certain links. I check the Crawl component has proper permission.
  Google is showing some article like
  http://blog.karstein-consulting.com/2012/04/20/error-in-crawl-log-the-sharepoint-item-being-crawled-returned-an-error-when-attempting-to-download-the-item/
  not sure if this resolution is referring to 2010 and/or 2013. 
  I checked the registery editor. I couldn't find 14.0 under the Office Server.
  Any clue?
  Regards,
  Khushi
  Khushi

  I checked the web application policy the search crawl account has full read permission.
  Crawl
  Fiddler
  Log Error referring the Correlation ID
  01/06/2014 13:05:06.14  w3wp.exe (0x1698)                        0x0118 SharePoint Foundation        
   Monitoring                     nasq Medium   Entering monitored scope (Request (GET:/sites/HR/Shared%20Documents/Benefits/Insurance%20Benefits/Life%20Insurance/Basic%20Life%20and%20ADD)).
  Parent No 
  01/06/2014 13:05:06.14  w3wp.exe (0x1698)                        0x0118 SharePoint Foundation        
   Logging Correlation Data       xmnv Medium   Name=Request (GET:<SiteURL>/sites/HR/Shared%20Documents/Benefits/Insurance%20Benefits/Life%20Insurance/Basic%20Life%20and%20ADD) e8b1679c-0476-70d4-9fcd-2cef5be44461
  01/06/2014 13:05:06.14  w3wp.exe (0x1698)                        0x0118 SharePoint Foundation        
   Authentication Authorization   agb9s Medium   Non-OAuth request. IsAuthenticated=True, UserIdentityName=, ClaimsCount=0 e8b1679c-0476-70d4-9fcd-2cef5be44461
  01/06/2014 13:05:06.15  w3wp.exe (0x1698)                        0x1738 SharePoint Foundation        
   General                        af71 Medium   HTTP Request method: GET e8b1679c-0476-70d4-9fcd-2cef5be44461
  01/06/2014 13:05:06.15  w3wp.exe (0x1698)                        0x1738 SharePoint Foundation        
   General                        af75 Medium   Overridden HTTP request method: GET e8b1679c-0476-70d4-9fcd-2cef5be44461
  01/06/2014 13:05:06.15  w3wp.exe (0x1698)                        0x1738 SharePoint Foundation        
   General                        af74 Medium   HTTP request URL: /sites/HR/Shared%20Documents/Benefits/Insurance%20Benefits/Life%20Insurance/Basic%20Life%20and%20ADD e8b1679c-0476-70d4-9fcd-2cef5be44461
  01/06/2014 13:05:06.17  w3wp.exe (0x1698)                        0x1738 SharePoint Foundation        
   Files                          aise3 Medium   Failure when fetching document. 0x80070090 e8b1679c-0476-70d4-9fcd-2cef5be44461
  01/06/2014 13:05:06.17  w3wp.exe (0x1698)                        0x1960 SharePoint Foundation        
   Monitoring                     b4ly Medium   Leaving Monitored Scope (Request (GET:<SiteURL>/sites/HR/Shared%20Documents/Benefits/Insurance%20Benefits/Life%20Insurance/Basic%20Life%20and%20ADD)).
  Execution Time=20.5461867360237 e8b1679c-0476-70d4-9fcd-2cef5be44461
  01/06/2014 13:05:06.17  w3wp.exe (0x1698)                        0x1960 SharePoint Foundation        
   Monitoring                     b4ly Medium   Leaving Monitored Scope (Request (GET:<SiteURL>/sites/HR/Shared%20Documents/Benefits/Insurance%20Benefits/Life%20Insurance/Basic%20Life%20and%20ADD)).
  Execution Time=29.917489513332 e8b1679c-0476-70d4-9fcd-2549ba3ee9d4
  01/06/2014 13:05:06.17  w3wp.exe (0x1698)                        0x1960 SharePoint Foundation        
   Monitoring                     nasq Medium   Entering monitored scope (Request (GET:<SiteURL>nsurance%20Benefits%2fLife%20Insurance%2fBasic%20Life%20and%20ADD&FolderCTID=0x01200039DA632EEACF264685CF39D68A18F7C8)).
  Parent No 
  Any clue?
  Regards,
  Khushi
  Khushi

• How to find out what service account is assigned to sharepoint services?

  In Sharepoint 2007, I would like to find out a particular service account whether it is used or not in any of the sharepoint services. I went through stsadm operations command but not unable find one - the only command is to list sharepoint services but
  the list does not include service account. Any help?

  There isn't specifically a single place to determine whether a service account is used. You can check the following places:
  1. Services console (services.msc) on the server. Sort by Log On As and check if the account is used by any services.
  2. In IIS Manager (inetmgr) expand the server, expand Application Pools. For each application pool right click and select properties. On the Identity tab note the service account.
  3. In Central Administration go to Operations -> Service Accounts. One at a time, go through the Windows service (these should map to the same account you saw in the services console) and Web application pool (these should map to what you saw in IIS Manager)
  4. For search service accounts, in Central Administration go to Operations -> Services on Server. On each server running the search service click on the Office SharePoint Server Search link (MOSS only) to show the Office search service account, and Windows
  SharePoint Services Search (WSS and MOSS) link to show the WSS search service account and default content access account (crawl account). You can also view these accounts using stsadm -o osearch -action list and stsadm -o spsearch -action list
  Jason Warren
  @jaspnwarren
  jasonwarren.ca
  habaneroconsulting.com/Insights

• Service Accounts - Your Ideas

  I have been tasked to install SQL 2012 on a new machine(2012 R2) which we will move all current 2008 R2 databases over too (approx. 26).
  This machine will also hold a new instance of SharePoint (not sure if this makes any difference).
  I have gone through the setup.exe process, up to Service Accounts tab to see what accounts are needed: (They are:)
  1. SQL Server Agent
  2. SQL Server Database Engine
  3. SQL Server Reporting Services
  4. SQL Server Integration Services 11.0
  5. SQL Server Browser
  I have read that you should at least create two basic AD accounts (like domain\sqluser1, domain\sqluser2) with sqluser1 being a Local Admin
  on the box? Setting #2 as sqluser1 (refer to above list) and the rest as being sqluser2
  I have also read I should have at least two as above but - use sqluser1 to log into the machine and do the install, then after the install to disable, but not delete the AD account?
  I have also read that you need one AD account per Service Accounts?
  Here are my thoughts and please Advise is this will not work or if there is a security issue:
  (I understand that every install is different, but any info will help - Thanks)
  I will create two regular BASIC AD accounts domain\SQLAdmin and domain\SQLWorker
  I will set domain\SQLAdmin up as a Local Admin to the machine
  I will set up the following:
  1. SQL Server Agent    domain\SQLAdmin
  2. SQL Server Database Engine   domain\SQLAdmin
  3. SQL Server Reporting Services  NETWORKSERVICE
  4. SQL Server Integration Services 11.0  domain\SQLWorker
  5. SQL Server Browser    domain\SQLWorker
  Thanks for any advice,
  (An Accidental DBA)

  Hi,
  Its not advised and not considered as good security practice to run SQL Server service with account having admin privileges on machine. In your case account  domain\SQLAdmin, you are adding this as local admin which is not a good practice as per security.
  I strongly suggest you to spend some time on below Microsoft Link
  http://msdn.microsoft.com/en-gb/library/ms143504.aspx
  You are correct with creating separate account just rights should be minimum and above link will guide you
  Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it.
  My TechNet Wiki Articles

• Question : Service Accounts for SQL Server 2012

  Hello,
  I am planning to create AD accounts for SQL Server 2012 services that will be installed on Windows 2012 server.
  I was reading the following
  Configure Windows Service Accounts and Permissions
  and
  Windows Privileges and Rights
  Is there a recommendation / document that would list that assocation of SQL Server Services with Actvie Directory service accounts / privileges required for installation and starting the services.
  Isn't it recommended to create separate account for every service and they should not be local accounts ?
  Hope to hear soon as to what industry standards are being followed for production systems ?
  Thank you very much in advance.
  Regards
  Nikunj

  From MSDN:
  Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Windows. Each service can be configured to use its own service account. This facility is exposed
  at installation. SQL Server provides a special tool, SQL Server Configuration Manager, to manage the services configuration.
  When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. You also need to consider account isolation; the service accounts should
  not only be different from one another, they should not be used by any other service on the same server. Do not grant additional permissions to the SQL Server service account or the service groups.
  From Glen Berry's Blog:
  You should request that a dedicated domain user account be created for use by the SQL Server service. This should just be a regular, domain account with no special rights on the domain. You do not need or want this account to be a local admin on the machine
  where SQL Server will be installed. The SQL Server setup program will grant the necessary rights on the machine to that account during installation.
  You will also want a separate, dedicated domain user account for the SQL Server Agent service. If you are going to be installing and using other SQL Server related services such as SQL Server Integration Services (SSIS), SQL Server Reporting Services (SSRS),
  or SQL Server Analysis Services (SSAS), you will want dedicated domain accounts for each service. The reason you want separate accounts for each service is because they require different rights on the local machine, and having separate accounts is both more
  secure and more resilient, since a problem with one account won’t affect all of the SQL Server Services.
  Depending on your organization, getting these domain accounts created could take anywhere from minutes to weeks to complete, so make sure to allow time for this. For each one of these accounts, you will need their logon credentials for the SQL Server setup
  program. You are going to want to make sure that the accounts don’t have a temporary password that must be changed during the next login. If they are set up that way, make sure to change them to use a strong password, and record this information in a secure
  location.
  Please Mark This As Answer if it solved your issue
  Please Mark This As Helpful if it helps to solve your issue
  Thanks,
  Shashikant

• Best way to set up service account (to run weblogic)

  I have to create a user that will own the WebLogic Java process. I would assume I should disallow this user from being able to log in. What is the best way to do that? I saw one reference that suggested setting the user's shell to "/bin/false". Is that a reasonable way to do that? What are other good practices for creating these "service accounts"?

  Ah, sorry.
  The users passwords are stored in a file called /etc/shadow, the syntax of this file is
  user:encrypted password:days since last password change:::::
  the last five colons are for password expire information.
  For a user to have no password, add then to /etc/shadow with NP as a password, i.e:'postgres:NP:::::::
  postgres:NP:::::::
  .7/M.

• Is Azure Media Services Account only made for videos?

  After creating my Media Service account I only see links, tutorials and documentation about how to use it with video. I'm working on a project with music files. Is it possible and recommended to use Media Service for music?

  What is your workflow? 
  1. Where are the music files being sourced from? What format(s) are they in?
  2. How do you want to deliver them to playback devices/apps?
  You can encode sources to audio-only MP4 files, and deliver them via progressive download.
  From the above MP4 output assets, you can also get (single bitrate) MPEG DASH streams for streaming to clients that support this protocol.

• Microsoft Business Contact Manager 2013, addiiton MSSQL NT Service accounts and Sysprep deployment on WIndows 7

  Hi all,
  I'm running into a problem when trying to sysprep and deploy a Windows 7 image with Business Contact Manager pre-install during the audit mode. Before anyone shouts, I have posted the main question in the Windows 7 deployment forum, but I would like some
  additional help as to what the "NT Service" Accounts are for with regards to the BCM insatalltion
  During the installation of BCM, we get an installation of MSSQL, and during this installation MSSQL creates three user accounts used by the "NT Service" account:
  MSSQL$MSSMLBIZ
  MSSQLFLDLauncher$MSSMLBIZ
  ReportServer$MSSMLBIZ
  When you run 'sysprep' with generalise option, and use the CopyProfile in the Specialise pass, sysprep copies the profile information from the last 'changed' profile. Whilst this should be the Administrator profile (as far as I can see), what is happening
  is that the profile from 'ReportServer$MSSMLBIZ' is being used.
  The rule of thumb when using the CopyProfile option is to ensure that only ONE account is present - i.e. the current administrator profile. The easy option is therefore just to delete the MSSQL accounts.
  In the current state of play, even after I deploy the generalized image (with the copied 'ReportServer$MSSMLBIZ' account), I end up with only three users when looking at
  "Manage --> Local User and Groups" (the Administrator, Guest (disabled) and HomeGroupUser$ user), so all the above "NT Service\MSSQL" accounts disappear during the sysprep process in any case.
  I'm not sure what the effect will be on BCM for the end user. Does anyone have any suggestions as to what might be the best course of action.
  Cheers
  Chris
  Chris

  I don't suppose anyone has got any cluse about these users, what they do and how best to then deploy BCM as part of an image?
  Chris

• The SharePoint item being crawled returned an error when attempting to download the item.

  I get this error when I run full crawl.
  The SharePoint item being crawled returned an error when attempting to download the item.
  I did make sure that the crawl account has full read access to the web application. I am able to access the page and site just fine from a browser. I am not sure what is causing the problem.

  On closely looking at ULS logs, this is what I am noticing....
  CSTS3Accessor::Init: SharePointError found in URL
  http://xxxxx/default.aspx header value 0, hr=8004FD0F  [sts3acc.cxx:566]  d:\office\source\search\native\gather\protocols\sts3\sts3acc.cxx 
  CSTS3Accessor::Init fails, Url sts4://xxxx/siteurl=/siteid={c011d5c9-9019-41e8-bf5a-5176739b2b79}/weburl=xxxxx/webid={e42001c0-2ef1-4a8e-8fe5-361d72fa60c2}, hr=8004FD0F  [sts3handler.cxx:312]  d:\office\source\search\native\gather\protocols\sts3\sts3handler.cxx 
  CSTS3Handler::CreateAccessorExD: Return error to caller, hr=8004FD0F            [sts3handler.cxx:330]  d:\office\source\search\native\gather\protocols\sts3\sts3handler.cxx