Service account permission

Hello,
We need to create a service account which should have the below permissions for the tasks:
Get-ExchangeServer
Get-Recipient
Set-ActivesyncMailboxPolicy
New-ActivesyncMailboxPolicy
Remove-ActivesyncMailboxPolicy
Clear-ActivesyncDevice
Remove-ActivesyncDevice
Get-CASMailbox
Set-CASMailbox
Set-ActivesyncMailboxPolicy
Get-ActivesyncDeviceStatistics
What permissions are required to be assigned via RBAC?
Regards, Ajit

We followed the cmdlets mentioned below.
A)
Management Role Name EAS
New-ManagementRole -Name “EAS” -Parent “Organization Client Access”
Add-ManagementRoleEntry “EAS\Get-ActiveSyncDeviceAccessRule”
Add-ManagementRoleEntry “EAS\Get-ActiveSyncDeviceClass”
Add-ManagementRoleEntry “EAS\Get-ActiveSyncOrganizationSettings”
Add-ManagementRoleEntry “EAS\Get-AuthRedirect”
Add-ManagementRoleEntry “EAS\Get-CASMailbox”
Add-ManagementRoleEntry “EAS\Get-ClientAccessArray”
Add-ManagementRoleEntry “EAS\Get-OutlookProvider”
Add-ManagementRoleEntry “EAS\Get-RpcClientAccess”
Add-ManagementRoleEntry “EAS\Remove-ActiveSyncDeviceAccessRule”
Add-ManagementRoleEntry “EAS\Set-ActiveSyncDeviceAccessRule”
Add-ManagementRoleEntry “EAS\Set-CASMailbox”
Add-ManagementRoleEntry “EAS\Write-AdminAuditLog”
Add-ManagementRoleEntry “EAS\Get-ExchangeServer”
Add-ManagementRoleEntry “EAS\Get-Recipient”
Now we need to create a new role group so that we can add the required sa_***** to this role group.
 B)
New-RoleGroup “ActiveSync Enable Wipe” -Roles “EAS”
New-ManagementRole -Name “MailboxManagement” -Parent “Mail Recipients”
The below cmdlet will only keep Set-CASMailbox for the MailboxManagement role.
Get-ManagementRoleEntry “MailboxManagement\*” | where {$_.name -ne “Set-CASMailbox”} | Remove-ManagementRoleEntry
Only the required roles will be added for mailbox management
Add-ManagementRoleEntry “MailboxManagement\Get-User”
Add-ManagementRoleEntry “MailboxManagement\Get-Mailbox”
Add-ManagementRoleEntry “MailboxManagement\Get-CASMailbox”
Add-ManagementRoleEntry “MailboxManagement\Get-Recipient”
Add-ManagementRoleEntry “MailboxManagement\Set-Mailbox”
Add-ManagementRoleEntry “MailboxManagement\Get-ActiveSyncDeviceStatistics”
Add-ManagementRoleEntry “MailboxManagement\Clear-ActiveSyncDevice”
Add-ManagementRoleEntry “MailboxManagement\Remove-ActiveSyncDevice”
Add-ManagementRoleEntry “MailboxManagement\Remove-ActiveSyncDeviceMailboxPolicy”
Add-ManagementRoleEntry “MailboxManagement\New-ActiveSyncDeviceMailboxPolicy”
Add-ManagementRoleEntry “MailboxManagement\Set-ActiveSyncDeviceMailboxPolicy”
Then we will add the new management role MailboxManagement to the “ActiveSync Enable Wipe” role group.
New-ManagementRoleAssignment –Role “MailboxManagement” –SecurityGroup “ActiveSync Enable Wipe”
However, for the last 3 cmdlets above an error message is observed, as the cmdlets will only work with server role permissions.
How should we proceed further?
Should we execute the cmdlet
New-ManagementRole -Name “MailboxManagement” -Parent “Server Role” and then proceed with Step B below?
Regards, Ajit
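
Added example (not part of the original thread and not Microsoft's own script): Exchange RBAC only lets a child role hold entries that exist in its parent, so this script first asks Exchange which built-in roles carry each cmdlet from the first post, then plans one trimmed child role per parent. It assumes an Exchange Management Shell session and that the “ActiveSync Enable Wipe” role group from step B already exists; the `EAS-SvcAcct-*` role names and the `$Apply` switch are hypothetical.

```powershell
# Added example: plan least-privilege custom roles for the service account.
# Run in the Exchange Management Shell. Written to work on PowerShell 2.0.

$Apply     = $false                      # hypothetical switch: $true creates the roles
$RoleGroup = 'ActiveSync Enable Wipe'    # role group name used in the thread

# Cmdlets the service account needs, taken from the first post.
$required = @(
    'Get-ExchangeServer', 'Get-Recipient', 'Get-CASMailbox', 'Set-CASMailbox',
    'Get-ActiveSyncDeviceStatistics', 'Clear-ActiveSyncDevice', 'Remove-ActiveSyncDevice',
    'New-ActiveSyncMailboxPolicy', 'Set-ActiveSyncMailboxPolicy', 'Remove-ActiveSyncMailboxPolicy'
)

# 1. Map each built-in role (a role with no parent) to the required cmdlets it contains.
$byRole = @{}
foreach ($c in $required) {
    Get-ManagementRole -Cmdlet $c | Where-Object { -not $_.Parent } | ForEach-Object {
        if (-not $byRole.ContainsKey($_.Name)) { $byRole[$_.Name] = @() }
        $byRole[$_.Name] += $c
    }
}

# 2. Greedy cover: repeatedly pick the parent that supplies the most cmdlets
#    still uncovered, so the number of custom roles stays small.
$uncovered = New-Object System.Collections.ArrayList
$uncovered.AddRange($required)
$plan = @{}
while ($uncovered.Count -gt 0) {
    $best = $null
    $bestHits = @()
    foreach ($role in $byRole.Keys) {
        $hits = @($byRole[$role] | Where-Object { $uncovered -contains $_ })
        if ($hits.Count -gt $bestHits.Count) { $best = $role; $bestHits = $hits }
    }
    if (-not $best) {
        # A cmdlet that no built-in role carries cannot be granted through a child role.
        throw "No built-in role contains: $($uncovered -join ', ')"
    }
    $plan[$best] = $bestHits
    foreach ($h in $bestHits) { $uncovered.Remove($h) }
}

# 3. Show the plan; with $Apply, create each child role, strip every entry that
#    is not needed, and assign the role to the role group.
$i = 0
foreach ($parent in $plan.Keys) {
    $i++
    $child = "EAS-SvcAcct-$i"            # hypothetical role name
    $keep  = $plan[$parent]
    Write-Host "$child  (parent: $parent)  keeps: $($keep -join ', ')"

    if ($Apply) {
        New-ManagementRole -Name $child -Parent $parent | Out-Null
        Get-ManagementRoleEntry "$child\*" |
            Where-Object { $keep -notcontains $_.Name } |
            Remove-ManagementRoleEntry -Confirm:$false
        New-ManagementRoleAssignment -Role $child -SecurityGroup $RoleGroup | Out-Null

        # Review what the role actually grants before adding the account to the group.
        Get-ManagementRoleEntry "$child\*" | Format-Table Name, Role -AutoSize
    }
}
```

With `$Apply` left at `$false` the script only reads RBAC data and prints the plan, which is enough to see whether a cmdlet is missing from the parent a custom role was derived from.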

Similar Messages

  • Service accounts for the Workspace Database service permission Error while creating Tabular Mode from PowerPivot

    Hi All,
    Please help me out against this issue. I have spent so much (3 working days) time just figuring out what is the issue and its solution.
    I am learning Tabular Mode and trying to create a mode based on PowerPivot model. I am getting following error message:
    'The PowerPivot workbook could not be imported. The service account for the workspace database server does not have permission to read from the PowerPivot workbook.'
    Here is my infrastructure:
    1. SSAS in Tabular Mode is installed on my Windows 8 Laptop
    2. PowerPivot is also in my laptop
    3. There is only my account (as Admin of course) for SSAS
    Here are my questions:
    1. What is this error and how can I cope with that? A step by step explanation would be highly appreciated :-)
    2. Do I need to change something in Windows settings or in SSAS?
    3. I am confused about my workspace database server as well, Do I have to install SSAS twice; one for development and one for workspace?
    Looking forward to the expert advice.
    Tahir
    Thanks, TA

    Hi,
    I suspect you might have more luck if you try the SSAS forum: http://social.msdn.microsoft.com/Forums/sqlserver/en-US/home?forum=sqlanalysisservices
    Regards
    Jamie

  • SCVMM 2008 R2 - "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS)."

    I know this question has been asked before, but never for R2, that I can tell, and the posted fixes aren't working. I have just installed SCVMM 2008 R2 on a Windows Server 2008 R2 server, using a remote SQL 2008 SP1 database. When I attempt to connect to SCVMM, I get the following error:
    "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
    Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see "Some applications and APIs require access to authorization information on account objects" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=121054.
    ID: 2607"
    What I've seen online is that this is usually because the domain account SCVMM is running as does not have the proper permissions on the SQL database. Here's what I've confirmed:
    1) My SCVMM service account is a local admin on the SCVMM server
    2) My SCVMM service account is a dbowner on the SCVMM database in SQL
    3) My SQL service account is a dbowner on the SCVMM database in SQL
    4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
    5) Neither service account is locked out
    Has anyone run in to this? It says in Technet that remote SQL 2008 is supported, as long as the SQL management studio is installed to the SCVMM server, and I installed and patched before I began the SCVMM installation. I just don't know what else to try - I have no errors in event logs, no issues during the installation itself...
    Andrew Topp

    That answer was very unhelpful fr33m4n. The individual mentions that they've received the error that points to the KB article. I currently receive the same error -- there seems to be no resolution. I've run the Microsoft VBS script to add TAUG to the WAAG as suggested by 331951, and that made absolutely no difference.
    1) My SCVMM service account is a local admin on the SCVMM server
    2) My SCVMM service account is a dbowner on the SCVMM database in SQL
    3) My SQL service account is a dbowner on the SCVMM database in SQL
    4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
    The user is also a member of WAAG, the machines have delegated authority to each other. Is there any other solution?

  • What permission does the Service account require on AD for the Workflow manager 1.0 to be configured in SharePoint Farm?

    What permission does the Service account require on AD for the Workflow manager 1.0 to be configured in SharePoint Farm?
    The workflow manager configuration wizard crashes with the below error when a domain account is used (setup account with full privilege on SQL and server). Does it require some specific permissions on AD? I couldn't see any documentation stating what permission it requires.
    Can anyone help?
    Problem signature:
      Problem Event Name:                        CLR20r3
      Problem Signature 01:                       AUTRTV22OQMI5JWSVNDSSNCH0E5DQ2L1
      Problem Signature 02:                       1.0.20922.0
      Problem Signature 03:                       505e1b30
      Problem Signature 04:                       System.DirectoryServices.AccountManagement
      Problem Signature 05:                       4.0.30319.17929
      Problem Signature 06:                       4ffa5bda
      Problem Signature 07:                       3ef
      Problem Signature 08:                       348
      Problem Signature 09:                       KCKGYE1NBUPA2CLDHCXJ0IFBDVSEPD1F
      OS Version:                                          6.2.9200.2.0.0.272.7
      Locale ID:                                             1044
      Additional Information 1:                  8e7b
      Additional Information 2:                  8e7b3fcdf081688bfcdf47496694f0e4
      Additional Information 3:                  c007
      Additional Information 4:                  c007e99b2d5f6f723ff4e7b990b5c691
    Log Name:      Application
    Source:        Application Error
    Date:          27.08.2014 11:47:54
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      OSS01-MAP-226.global.corp
    Description:
    Faulting application name: Microsoft.Workflow.Deployment.ConfigWizard.exe, version: 1.0.20922.0, time stamp: 0x505e1b30
    Faulting module name: KERNELBASE.dll, version: 6.2.9200.16864, time stamp: 0x531d34d8
    Exception code: 0xe0434352
    Fault offset: 0x0000000000047b8c
    Faulting process id: 0x23a0
    Faulting application start time: 0x01cfc1dbe703a8ac
    Faulting application path: C:\Program Files\Workflow Manager\1.0\Microsoft.Workflow.Deployment.ConfigWizard.exe
    Faulting module path: C:\Windows\system32\KERNELBASE.dll
    Report Id: 36f30eb4-2dcf-11e4-9415-005056892fae
    Faulting package full name:
    Faulting package-relative application ID:
    Log Name:      Application
    Source:        .NET Runtime
    Date:          27.08.2014 11:47:54
    Event ID:      1026
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      OSS01-MAP-226.global.corp
    Description:
    Application: Microsoft.Workflow.Deployment.ConfigWizard.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.DirectoryServices.AccountManagement.MultipleMatchesException
    Stack:
       at System.DirectoryServices.AccountManagement.ADStoreCtx.FindPrincipalByIdentRefHelper(System.Type, System.String, System.String, System.DateTime, Boolean)
       at System.DirectoryServices.AccountManagement.ADStoreCtx.FindPrincipalByIdentRef(System.Type, System.String, System.String, System.DateTime)
       at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(System.DirectoryServices.AccountManagement.PrincipalContext, System.Type, System.Nullable`1<System.DirectoryServices.AccountManagement.IdentityType>, System.String,
    System.DateTime)
       at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(System.DirectoryServices.AccountManagement.PrincipalContext, System.String)
       at Microsoft.ServiceBus.Commands.Common.SecurityHelper.IsUserValid(System.DirectoryServices.AccountManagement.PrincipalContext, System.String)
       at Microsoft.ServiceBus.Commands.Common.SecurityHelper.IsDomainUserValid(System.String, System.String)
       at Microsoft.ServiceBus.Commands.Common.ValidateUserAttribute.Validate(System.String)
       at Microsoft.Deployment.ConfigWizard.UICommon.AccountDetailsViewModel.ValidateDomainUser()
       at Microsoft.Deployment.ConfigWizard.UICommon.AccountDetailsControl.UserIdTextBox_LostFocus(System.Object, System.Windows.RoutedEventArgs)
       at System.Windows.EventRoute.InvokeHandlersImpl(System.Object, System.Windows.RoutedEventArgs, Boolean)
       at System.Windows.UIElement.RaiseEventImpl(System.Windows.DependencyObject, System.Windows.RoutedEventArgs)
       at System.Windows.Controls.Primitives.TextBoxBase.OnLostFocus(System.Windows.RoutedEventArgs)
       at System.Windows.UIElement.IsFocused_Changed(System.Windows.DependencyObject, System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.FrameworkElement.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.Controls.TextBox.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.NotifyPropertyChange(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.UpdateEffectiveValue(System.Windows.EntryIndex, System.Windows.DependencyProperty, System.Windows.PropertyMetadata, System.Windows.EffectiveValueEntry, System.Windows.EffectiveValueEntry ByRef, Boolean, Boolean,
    System.Windows.OperationType)
       at System.Windows.DependencyObject.ClearValueCommon(System.Windows.EntryIndex, System.Windows.DependencyProperty, System.Windows.PropertyMetadata)
       at System.Windows.DependencyObject.ClearValue(System.Windows.DependencyPropertyKey)
       at System.Windows.Input.FocusManager.OnFocusedElementChanged(System.Windows.DependencyObject, System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.FrameworkElement.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.NotifyPropertyChange(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.UpdateEffectiveValue(System.Windows.EntryIndex, System.Windows.DependencyProperty, System.Windows.PropertyMetadata, System.Windows.EffectiveValueEntry, System.Windows.EffectiveValueEntry ByRef, Boolean, Boolean,
    System.Windows.OperationType)
       at System.Windows.DependencyObject.SetValueCommon(System.Windows.DependencyProperty, System.Object, System.Windows.PropertyMetadata, Boolean, Boolean, System.Windows.OperationType, Boolean)
       at System.Windows.DependencyObject.SetValue(System.Windows.DependencyProperty, System.Object)
       at System.Windows.FrameworkElement.OnGotKeyboardFocus(System.Object, System.Windows.Input.KeyboardFocusChangedEventArgs)
       at System.Windows.RoutedEventArgs.InvokeHandler(System.Delegate, System.Object)
       at System.Windows.EventRoute.InvokeHandlersImpl(System.Object, System.Windows.RoutedEventArgs, Boolean)
       at System.Windows.UIElement.RaiseEventImpl(System.Windows.DependencyObject, System.Windows.RoutedEventArgs)
       at System.Windows.UIElement.RaiseTrustedEvent(System.Windows.RoutedEventArgs)
       at System.Windows.Input.InputManager.ProcessStagingArea()
       at System.Windows.Input.KeyboardDevice.ChangeFocus(System.Windows.DependencyObject, Int32)
       at System.Windows.Input.KeyboardDevice.Focus(System.Windows.DependencyObject, Boolean, Boolean, Boolean)
       at System.Windows.Input.KeyboardDevice.Focus(System.Windows.IInputElement)
       at System.Windows.UIElement.Focus()
       at System.Windows.Documents.TextEditorMouse.MoveFocusToUiScope(System.Windows.Documents.TextEditor)
       at System.Windows.Documents.TextEditorMouse.OnMouseDown(System.Object, System.Windows.Input.MouseButtonEventArgs)
       at System.Windows.UIElement.OnMouseDownThunk(System.Object, System.Windows.Input.MouseButtonEventArgs)
       at System.Windows.RoutedEventArgs.InvokeHandler(System.Delegate, System.Object)
       at System.Windows.EventRoute.InvokeHandlersImpl(System.Object, System.Windows.RoutedEventArgs, Boolean)
       at System.Windows.UIElement.RaiseEventImpl(System.Windows.DependencyObject, System.Windows.RoutedEventArgs)
       at System.Windows.UIElement.RaiseTrustedEvent(System.Windows.RoutedEventArgs)
       at System.Windows.Input.InputManager.ProcessStagingArea()
       at System.Windows.Input.InputProviderSite.ReportInput(System.Windows.Input.InputReport)
       at System.Windows.Interop.HwndMouseInputProvider.ReportInput(IntPtr, System.Windows.Input.InputMode, Int32, System.Windows.Input.RawMouseActions, Int32, Int32, Int32)
       at System.Windows.Interop.HwndMouseInputProvider.FilterMessage(IntPtr, MS.Internal.Interop.WindowMessage, IntPtr, IntPtr, Boolean ByRef)
       at System.Windows.Interop.HwndSource.InputFilterMessage(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
       at MS.Win32.HwndWrapper.WndProc(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
       at MS.Win32.HwndSubclass.DispatcherCallbackOperation(System.Object)
       at System.Windows.Threading.ExceptionWrapper.InternalRealCall(System.Delegate, System.Object, Int32)
       at MS.Internal.Threading.ExceptionFilterHelper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)
       at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(System.Windows.Threading.DispatcherPriority, System.TimeSpan, System.Delegate, System.Object, Int32)
       at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr, Int32, IntPtr, IntPtr)
       at MS.Win32.UnsafeNativeMethods.DispatchMessage(System.Windows.Interop.MSG ByRef)
       at MS.Win32.UnsafeNativeMethods.DispatchMessage(System.Windows.Interop.MSG ByRef)
       at System.Windows.Threading.Dispatcher.PushFrameImpl(System.Windows.Threading.DispatcherFrame)
       at System.Windows.Application.RunInternal(System.Windows.Window)
       at System.Windows.Application.Run()
       at Microsoft.Workflow.Deployment.ConfigWizard.App.Main()

    Hi Karthik,
    You could refer to the series of videos below to install and configure workflow manager in SharePoint 2013:
    http://technet.microsoft.com/en-us/library/dn201724(v=office.15).aspx
    The Episode 2 describes the necessary account in AD with right permission in the installation process:
    http://technet.microsoft.com/en-us/library/dn201724(v=office.15).aspx#episode2
    Regards,
    Rebecca Tu
    TechNet Community Support

  • What is the effect of the service account permissions

    Hi,
    What is the effect of the service account permissions? For example, suppose the service account for SQL Server database engine is SomeDomain\A, and has no permission to execute stored procedure X, and a user with domain account SomeDomain\B does have the said permission. Which one will prevail, i.e. can the user execute stored procedure X? If so, what permissions must I give the service account SomeDomain\A?
    I am asking this in the context of planning deployment in the production environment of a data warehouse application.
    Cheers,
    Jerome
    Jerome Smith BI Consultant, MCP

    Hi Jerome,
    The service account for SQL Server Database Engine only has limited permissions. To grant the account permission to execute stored procedure X, please refer to the following query:
    -- "database" is a placeholder for the database name
    USE database;
    -- a Windows principal name must be bracketed in T-SQL
    GRANT EXECUTE ON OBJECT::dbo.X
    TO [SomeDomain\A];
    GO
    Since the user is in the context of planning deployment in the production environment of a data warehouse application, we may need to add some additional permissions. For more details, please refer to the following blog:
    http://blogs.msdn.com/b/data_otaku/archive/2011/06/28/securing-the-data-warehouse.aspx
    Thanks,
    Katherine Xiong
    TechNet Community Support

  • Changed SP application pool service account - 500 internal server error

    Hi all, 
    Trying to resolve some farm installation issues in our test environment. Long story short is that on install a previous user used our SP_Farm account to install everything and pretty much use this account to run all web applications/services.
    So I am in the process of trying to resolve one portion of it by allocating a new managed account for the web application pools. I have created a new account called SP_Pool on the DC. This is just a domain user with no specific rights applied (classic authentication).
    I changed the account using CA "configure service accounts" for both our mysite and SharePoint site web apps. 
    SP applied the new SP_Pool to the appropriate workstation groups and DB rights. Tried to hit the site and got the rather generic HTTP 500 Internal Server error. Put SP_Pool into the local admin rights group to test and was able to hit the site so something is definitely pointing to a rights/permission issue. I was under the impression the app pool accounts did not require any local SP server rights? I have seen mention of "Impersonate a client after authentication" but that's only for Claims based auth.
    I've gone through every scenario which are mentioned below:
    Tried to connect from a client machine and server. 500 error
    All App pools are started and SP_Pool is running both web apps
    IIS bindings are same as before
    no changes to the web.config
    No errors in the Application event viewer
    Checked iis logs and has 500 errors throughout it. The 4th number in the sequence usually changes (i.e. 500 0 0 499, 500 0 0 468 etc)
    Turned on Failed Request Tracing and no issue has come up
    Tried to clear the configuration cache - same deal
    Ran process mon - seen nothing out of the ordinary
    So based off the above is there anywhere else I could look to try and resolve this issue? Or is there something so damn obvious I've missed here? Running out of ideas
    Appreciate any feedback
    Thanks

    Hello,
    Have you tried to turn your SharePoint server off and on again? (I know, it sounds like a basic helpdesk answer, but in the case of changing the user account for an application pool, it already fixed the issue for me.)
    Best regards, Christopher.

  • Does changing the SQL Server Service Account impact FILESTREAM data?

    I have a stand-alone SQL Server 2008 instance that I need to change the SQL Server service account from LocalSystem to a domain account.  However, I was wondering if there was any impact on FILESTREAM enabled databases that are hosted on the SQL Server? 
    Specifically, has anyone ever changed the SQL Server service account when using FILESTREAM ...
    Sincerely,
    Sean Fitzgerald

    BOL says: Only the account under which the SQL Server service account runs is granted NTFS permissions to the FILESTREAM container. So, if you start SQL Server under a different account, that account will have access to use FILESTREAM data (read / write).
    At the database level, if a user has permission to the FILESTREAM column in a table, the user can open the associated files.
    Abhay Chaudhary OCP 9i, MCTS/MCITP (SQL Server 2005, 2008, 2005 BI) ms-abhay.blogspot.com/

  • Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts

    Hi Folks,
    I am an experienced .NET apps developer who has been tasked with writing a bunch of technical controls for all the SQL Server instances on a domain.
    So for the last month I have been diving in the deep end learning Powershell, dba and infrastructure tasks. This is still a work in progress, so be kind to me.. ;o)
    So the task I am stuck on is described in the section on 'Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts' http://technet.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
    I have not been able to find cmdlets that give me this information. I have found some exes which come frustratingly close, like NTRights.exe. This lets me specify a computer name, which is great, but only seems to let you set or deny permissions, not just list them!
    Any help with this would be very much appreciated as I am firmly stuck. As per comments above, also bear in mind that up until around 1.5 months ago I had never used PowerShell / knew very much at all about SQL Server admin etc. Feeling much more comfortable with them now, but much less so with Active Directory / Windows permission structures etc., so please can I ask anyone kind enough to reply to try and keep the acronyms down as much as humanly possible.. ;o)
    Cheers 
    Kieron

    Hi Kieron,
    Take a look at this module, it makes permissions much easier to work with than what's currently available:
    https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83
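
    For the listing question in this thread, an added example (not code from either poster or from the linked module): it exports the local User Rights Assignment policy with secedit.exe and resolves each holder to an account name. The function name and the sample account 'NT SERVICE\MSSQLSERVER' are assumptions; it reports rights granted directly to an account, not those inherited through group membership.

    ```powershell
    # Added example (not from the thread). Run from an elevated PowerShell prompt.
    function Get-UserRightsAssignment {
        param(
            # Optional filter, e.g. 'NT SERVICE\MSSQLSERVER' (sample value for a default instance).
            [string]$Account
        )
        $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
        try {
            # Export only the User Rights Assignment area of the local security policy.
            secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
            if ($LASTEXITCODE -ne 0) {
                throw "secedit export failed (exit code $LASTEXITCODE); is the prompt elevated?"
            }
            $inSection = $false
            foreach ($line in Get-Content -Path $cfg) {
                # Track which INF section we are in; only [Privilege Rights] is of interest.
                if ($line -match '^\[(.+)\]\s*$') {
                    $inSection = ($Matches[1] -eq 'Privilege Rights')
                    continue
                }
                if (-not $inSection) { continue }
                if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
                $right = $Matches[1]
                $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
                foreach ($entry in $holders) {
                    $name = $entry
                    if ($entry.StartsWith('*')) {
                        # secedit writes most holders as *SID; resolve to DOMAIN\name where possible.
                        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ($entry.Substring(1))
                        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                        catch { $name = $sid.Value }   # unresolvable SID: keep the raw value
                    }
                    if (-not $Account -or $name -eq $Account) {
                        [pscustomobject]@{ Right = $right; Holder = $name }
                    }
                }
            }
        }
        finally {
            Remove-Item -Path $cfg -ErrorAction SilentlyContinue
        }
    }

    # List every assignment, or only the rights granted directly to one service account.
    Get-UserRightsAssignment | Sort-Object Right, Holder | Format-Table -AutoSize
    Get-UserRightsAssignment -Account 'NT SERVICE\MSSQLSERVER'
    ```

    Comparing the output for each service account against the rights listed in the TechNet article linked in the question shows which privileges were granted beyond what setup assigns.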

  • Sql server 2008 service accounts.

    For SQL Server Agent and the SQL Server Database Engine, dedicated low-privileged
    separate accounts are assigned while installing SQL Server 2008 R2. But when
    I am specifying SQL Server feature installation in the setup role and in feature
    selection I am selecting all, what should be the nature of the accounts that I should
    provide for SQL Server Analysis Services and SQL Server Reporting Services?
    If I install SQL Server 2008 R2 on my local machine running under Windows 7
    and use a local standard user account to run my DB engine, would I be
    able to access the databases in SQL Server 2008 installed on a remote
    server in the same domain?

    I agree with Erland.
    The SQL Service account is used while performing any OS-level operation by the SQL Server process (sqlservr.exe). On the other hand, the account which is connecting to SQL Server will have its own permissions in the server/database, provided via Logins/Users.
    Balmukund Lakhani

  • Why would you use a managed service account rather than a virtual account in SQL Server 2012?

    In SQL Server 2012, service accounts are created as virtual accounts (VAs), as described here, as opposed to managed service accounts (MSAs).
    The important differences I can see for these, based on the descriptions:
    • MSAs are domain accounts, VAs are local accounts
    • MSAs use automagic password management handled by AD, VAs have no passwords
    • in a Kerberos context, MSAs register SPNs automatically, VAs do not
    Are there any other differences? If Kerberos is not in use, why would a DBA ever prefer an MSA?
    UPDATE:
    Another user has noted a possible contradiction in the MS docs concerning VAs:
    "The virtual account is auto-managed, and the virtual account can access the network in a domain environment."
    versus
    "Virtual accounts cannot be authenticated to a remote location. All virtual accounts use the permission of machine account. Provision the machine account in the format <domain_name>\<computer_name>$."
    What is the "machine account"? How/when/why does it get "provisioned"? What is the difference between "accessing the network in a domain environment" and "authenticating to a remote location [in a domain environment]"?

    Hi,
    “Virtual accounts cannot be authenticated to a remote location. All virtual accounts use the permission of machine account. Provision the machine account in the format <domain_name>\<computer_name>$.”
    “The virtual account is auto-managed, and the virtual account can access the network in a domain environment. If the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2 or Windows 7, a virtual account using the instance name as the service name is used, in the format NT SERVICE\<SERVICENAME>”
    Per the above description, they are two concepts and do not conflict with each other.
    As you understand, a virtual account accesses network resources by using the credentials of the computer account. Generally, the computer account will not be granted permission unless you give the computer account permission on the shared folder manually.
    Thanks.
    Tracy Cai
    TechNet Community Support

  • Make WDS Service account approve pending devices in WINDOWS DEPLOYMENT SERVICES

    Hi Technet and all other people reading this.
    I am at the moment trying to get a service account (WDSService) to approve pending devices in Windows Deployment Services on a WDS server.
    I have created a domain called LALALA.dk on a server (DNS is included in the domain), and installed Windows Deployment Services on another server. The deployment service is set up to prestage devices, and therefore devices need to be approved before they can be deployed.
    My problem is that at the moment we are using Domain Admin accounts to do the approving, and I wish to change that to a service account made specially for this job, which of course should have minimum rights, because I have a very hard time understanding why I NEED to grant domain admin rights or local admin rights to a person just so that he can approve pending devices. There has to be a way to use a service account to do the job.
    I have done some research and found out that local admins, domain admins and enterprise admins are the only ones that have the permission to approve pending devices, and that's a problem for me when I want a service account to do it for me (not automatically), but a service account that can name and approve devices manually.
    Here is what I have already tried.
    1. Making WDSService run the Windows Deployment Services (service), but this didn't work because it lacks the permissions needed.
    2. I have given the read+write permissions on the remoteinstall folder, even tried with full control.
    3. Delegate control on the OU in Active Directory, to create computer objects, with full write permissions. I also tried with full control. I added both WDSServer$ and the service account (WDSService) on the OU. Still nothing.
    4. I then downloaded the subinacl tool, and granted the WDSService account permission to start and stop the service, even tried with full control on the Windows Deployment Service (WDSServer as server_name). I get error 1297, something about a privilege missing from the service account to perform the actions. So still nothing. Which is really weird, because when I ran a command I can't remember now, I could see that the service account had full permission granted to the service, and it still wasn't able to start the service.
    5. I then tried to create a script using WDSUTIL, but was not able to grant the service account permissions to perform the action of approving pending devices. And I don't want to use a script every time I need to approve a device.
    6. Since the local system account is running the Windows Deployment Service, my thought was to join the WDSService account to the built-in NT AUTHORITY/local system or NT AUTHORITY/local service. This seems impossible from what I experienced, unless you are a super PowerShell geek, I guess, so this option didn't get me anywhere either.
    6. I then created a GPO granting the WDSService account the "log on as a service" policy on the Windows Deployment Service server; still nothing works as intended. I still get error 1297.
    7. I tried copying the registry keys (WDSSERVER) from the HKEY_LOCAL_MACHINE hive on the WDS server, and imported them into my domain's registry, but couldn't find the service I wanted to grant permissions to in the group policy settings (computer configuration/policies/windows settings/security settings/System Services). I then created a registry entry with group policy (computer configuration/policies/windows settings/security settings/registry) to point to (local machine/system/controlset001/services/WDSServer), granting the WDSService account full control, and deployed the policy to the deployment server. Nothing happened and I still can't approve pending devices with my service account.
    From my understanding, service accounts were created to maintain small, certain tasks or actions with limited permissions, so that if compromised they could only do very little damage, and so that this account can be set up to perform the tasks without any administration of the account. So my question is: is it even possible to achieve what I want, i.e. granting a service account the permission to perform the action of approving pending devices on a Windows Deployment Server, and if so, how?
    I am so confused over this and I am really reaching the limits of my understanding of this.
    Help is very much appreciated.
    Henrik Larsen

    Hi ZeR1X,
    The Require Administrator approval is for unknown computers.
    The similar thread:
    WDS - Request administrator approval not working
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b9088be7-7afe-4e2b-b5fb-4554a92c4a2a/wds-request-administrator-approval-not-working
    More information:
    Windows Deployment Service fails to start with error information of 0x5
    http://support.microsoft.com/kb/2009647
    WDS 3.01 Troubleshooting Guide
    http://technet.microsoft.com/en-us/library/cc754828(v=ws.10).aspx
    I’m glad to be of help to you!

  • Workflow Service Account not connecting to Content Databases

    I have created a Project Site called "SP Migration" and allocated a number of tasks at, say, http://domain/sites/spmigration.  I noticed in My Sites that tasks from the root site collection were there but any from my Project site were not.  Then I noticed in the Event Viewer the below error
    (this account is the workflow management service account)
    I have checked the Web Application that hosts this site collection and the sps_workflow_service has full control permissions.  I know I can probably go about adding permissions directly in SQL, but I don't want to have to do that for all Site Collections, and I'm sure this is not meant to be done this way in any event.  How can I apply these permissions to all SP Content Databases?

    Hi,
    Could you please provide more information about your migration? Since the issue appears to occur only to new or migrated site collections, there might be something there.
    If you are not sure about what permission should apply to service accounts, you could refer to the references below:
    https://technet.microsoft.com/en-us/library/cc263445.aspx
    https://technet.microsoft.com/en-us/library/cc678863.aspx
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Service account rights

    Hi All,
    I just wanted to know the list of rights and permissions that should be given to a new SQL Server service account.
      - Does the SQL service account need to be local admin? Domain admin? 
    Thanks for the help. 
    Tina

    Hello,
    The following article will provide the list of privileges and permissions required by SQL Server service accounts:
    http://msdn.microsoft.com/en-us/library/ms143504.aspx
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • NT Authority and NT Service Accounts

    I have the following logins on my SQL Server with sysadmin privileges.
    NT AUTHORITY\SYSTEM
    NT SERVICE\{instance name}
    NT SERVICE\SQLAgent{instance name}
    NT SERVICE\SQLWriter (for SQL2012)
    NT SERVICE\Winmgmt (for SQL2012)
    If I use a domain service account on my Sql Server and Sql Server Agent services (Log on as:),
    1. do I need Logins mentioned above as sysadmin?
    2. can / should I remove them as security hardening?
    on SQL Server 2008 and SQL Server 2012
    thanks

    Thanks! So, I should just remove SYSADMIN from those logins, correct?
    Edit: Report findings - NT SERVICE\SQLSERVERAGENT does need SYSADMIN. Else, SQL Server Agent service cannot be started.

    Hi Amy2013,
    According to the discussion in the similar blog, it depends on the software and services in use whether there is any downside impact on revoking "sysadmin" privileges on these logins.
    In addition, particularly for the NT SERVICE\winmgmt login, if you revoke "sysadmin" privileges on it, please ensure that it is configured with the following permissions:
    • Membership in the db_ddladmin or db_owner fixed database roles in the msdb database.
    • CREATE DDL EVENT NOTIFICATION permission in the server.
    • CREATE TRACE EVENT NOTIFICATION permission in the Database Engine.
    • VIEW ANY DATABASE server-level permission.
    Reference:
    Configure Windows Service Accounts and Permissions
    Thanks,
    Lydia Zhang
    TechNet Community Support

  • Network Service account and Exchange 2013 services

    I installed Exchange 2013 CU8 on two 2012 R2 machines, but the services that run under Network Service for Exchange won't start. If I put Network Service in the local admin group, the services start. Prior to putting it in the admin group, I gave it full permission on all Exchange folders, but that didn't help...thanks.

    Hi,
    Please run “setup.com /preparedomain” and see if the permissions are set to default and whether the issue persists.
    Please add Read permission for NT AUTHORITY\Network Service to all Exchange servers in ADSIEdit to have a try:
    Expand CN=Configuration,DC=domain,DC=.com > CN=Services > CN=Microsoft Exchange > CN=Domain > CN= Administrative Groups > CN=(Group name) > CN=Servers. Right-click all Exchange service, and add Read permission for the NT AUTHORITY\Network Service account.
    Regards,
    Winnie Liang
    TechNet Community Support
