Service Account permissions


A business unit has requested a new SAP 'Business Objects' service account to achieve 'Integration of BI 4.x with Active Directory and SSO in Distributed Environments'. The instructions for how to do this are contained in SAP KBA 262970. Within this guidance is the instruction to assign the service account the permission to 'act as part of the operating system'. According to the guidance this is a more specific setting than making the service account a member of the Administrators group (as recommended in an older blog). Is this correct?

Reading available online Microsoft documentation 'https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/act-as-...', this right appears to be 'extremely powerful'; however, I have been unable to determine whether it is any more (or less) powerful than assigning the service account to the Administrators group.

Can anyone advise whether the use of the permission 'act as part of the operating system' is preferred to making the service account a member of the Administrators group?

0 Replies