Home

Service Account permissions

%3CLINGO-SUB%20id%3D%22lingo-sub-359942%22%20slang%3D%22en-US%22%3EService%20Account%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-359942%22%20slang%3D%22en-US%22%3E%3CP%3EA%20business%20unit%20has%20requested%20a%20new%20SAP%20'Business%20Objects'%20service%20account%20to%20achieve%20'Integration%20of%20BI%204.x%20with%20Active%20Directory%20and%20SSO%20in%20Distributed%20Environments'.%26nbsp%3B%20The%20instructions%20for%20how%20to%20do%20this%20are%20contained%20in%20SAP%20KBA%20262970.%26nbsp%3B%20Within%20this%20guidance%20is%20the%20instruction%20to%20assign%20the%20service%20account%20the%20permission%20to%20'act%20as%20part%20of%20the%20operating%20system'.%26nbsp%3B%20According%20to%20the%20guidance%20this%20is%20a%20more%20specific%20setting%20than%20making%20the%20service%20account%20a%20member%20of%20the%20Administrators%20group%20(as%20recommended%20in%20an%20older%20blog).%26nbsp%3B%20Is%20this%20correct%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EReading%20available%20online%20Microsoft%20documentation%20'%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fact-as-part-of-the-operating-system%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fact-as-part-of-the-operating-system%3C%2FA%3E'%20this%20right%20appears%20to%20be%20'extremely%20powerful'%20however%20I%20have%20been%20unable%20to%20determine%20whether%20it%20is%20any%20more%20(or%20less)%20powerful%20than%20assigning%20the%20service%20account%20to%20the%20Administrators%20group.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20advise%20whether%20the%20use%20of%20the%20permission%20'act%20as%20part%20of%20the%20operating%20system'%20is%20preferred%20to%20making%20the%20service%20account%20a%20member%20of%20the%20Administrators%20group%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-359942%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
chrispay
New Contributor

A business unit has requested a new SAP 'Business Objects' service account to achieve 'Integration of BI 4.x with Active Directory and SSO in Distributed Environments'.  The instructions for how to do this are contained in SAP KBA 262970.  Within this guidance is the instruction to assign the service account the permission to 'act as part of the operating system'.  According to the guidance this is a more specific setting than making the service account a member of the Administrators group (as recommended in an older blog).  Is this correct? 

 

Reading available online Microsoft documentation 'https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/act-as-...' this right appears to be 'extremely powerful' however I have been unable to determine whether it is any more (or less) powerful than assigning the service account to the Administrators group.  

 

Can anyone advise whether the use of the permission 'act as part of the operating system' is preferred to making the service account a member of the Administrators group?

 

 

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
36 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies