Connector Server Service Account

By default, the connector server runs as the local System account. This is configurable through the Services MMC Snap-in.

If you run the connector server as an account other than Local System, then connector server service account requires the “Act As Operating System” and “Bypass Traverse Checking” user rights. It uses these rights for pass-through authentication and for changing and resetting passwords in certain situations.

Most of the management of AD is done using the administrative account specified in the resource. However, some operations are done as the connector server service account. This means that the connector server service account must have the appropriate permissions to perform these operations. Currently, these operations are:

• Creating home directories

• Running actions (including before and after actions)

When performing before and after action scripts, the connector server may need the Replace a process level token right. This right is required if the connector server attempts to run the script subprocess as another user, such as the resource administrative user. In this case, the connector server process needs the right to replace the default token associated with that subprocess.

If this right is missing, the following error may be returned during subprocess creation:

"Error creating process: A required privilege is not held by the client"

The Replace a process level token right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. To set this right on a system, open the Local Security Policies application within the Administrative Tools folder, then navigate to Local Policies > User Rights Assignment > Replace a process level token.