Grant Domain Privileges With a Service Account

By default, the EDM Server service runs under the SYSTEM account of the computer. This works well in simple environments.

But it does not work in more complex environments such as:

Meridian user accounts synchronized with Active Directory
Meridian integrated with SQL Server or Oracle hosted on other computers
Meridian PowerWeb or stream files located on other computers
Meridian integrated with Publisher or Meridian Explorer

In environments like these, the EDM Server service must have access to those computers, which the SYSTEM account does not. Instead, the EDM Server service must run under a different account that does have access to those computers. We recommend that you configure the EDM Server service to use a domain account with sufficient permissions to access those computers depending on the required resources. For example, to access stream files (document content) stored on a separate file server, the EDM Server service account will need Read and Write permissions to the stream folders on the file server. In addition to the particular resource requirements of the server type being accessed, the EDM Server service account needs the Log on as a service security policy for the domain.

This solution involves creating a dedicated account for the Meridian services to run under and granting that account the domain privileges needed. This solution is preferred by domain administrators when the privileges should be as restricted as possible.

Create Service Account

Important!

For some Meridian application servers this service account user must also be a local administrator. If Meridian Enterprise Server is configured to run as a service on the Publisher Server PC, then:

On the Publisher Server PC (a node), the windows account used by Meridian must be added to the Administrator's group.
On the Enterprise Server PC (a primary node), the Publisher local user account must be added to the Administrator's group.

Learn more about Meridian Enterprise Server Clusters.

You can also configure Meridian Enterprise Server to not run as a service. If you do this, then the Publisher local user should be added to the administrator's group on the Enterprise Server PC.

See the Non-Admin Service Accounts section below to learn how to create non-admin service accounts and what limitations they have.

To create the service account:

In Active Directory, create a new user named BC Meridian Server Service (or similar).

The account should be a domain user. By default, this account is set as the rescue account as described in Create a Rescue Account For Security Administration.
Add the account to the following policies on the Meridian application server:
- Log on as a batch job
- Log on as a service
Give the account full control over the following folders:

If everyone has access to a folder, you do not need to change the access for that folder.
- \BC-Meridian Vaults
- \BC-WorkSpace
- \inetpub\AMM
- \inetpub\PowerWebAPI
- \inetpub\Tags
- \inetpub\WhereUsed
- \inetpub\wwwroot\BCSiteCache
- \inetpub\wwwroot\BCSiteCacheClient
- \inetpub\wwwroot\BCEnterprise
- \inetpub\wwwroot\M360.Meridian
- \BC-Meridian Extensions
- \ProgramData\BlueCieloECM
- \SiteCachePreloadFolder
  
  This is a manually created preload folder on the Site Cache server.
Give the account full control over the following registry branches on the Meridian application server:
- HKEY_CURRENT_USER\SOFTWARE\Cyco
- HKEY_LOCAL_MACHINE\SOFTWARE\Cyco
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cyco
In Active Directory, add the account to the built-in Pre-Windows 2000 Compatible Access group.

This grants the required privileges to the server's SYSTEM account. In an Active Directory environment, changing the account under which the AutoManager EDM Server service runs will also require you to add the account to the Pre-Windows 2000 Compatible Access group of the domain, unless the new account is also a domain administrator account.

If the account is not a domain administrator and the account is not added to the Pre-Windows 2000 Compatible Access group, strange security behavior will occur in the vault because the new account will not be granted access to query domain user accounts and group membership.

Note:
If Meridian users reside in multiple domains in an Active Directory forest, you must do this for every domain in which the users reside.
In Active Directory, verify that the account is a member of the Distributed COM Users group or of a group that is a member.
Choose between two options:
- Enter this account name when prompted during Meridian Enterprise server installation as described in Install the Server Components.
- If the Meridian Enterprise server components are already installed, in Computer Management on the Meridian application server, edit the properties of the AutoManager EDM Server service and set the logon credentials to the name and password created in step 1.
Restart the Meridian application server.

We recommend that you specify this same account for all of the uses in your environment that are listed in Service Account Usage.

Non-Admin Service Accounts

It is possible to use a non-admin service account, but you must reserve specified URLs for the Meridian Service Account on the 8686 server port and the listener on the 40865 server port. This is required for all Meridian Enterprise Server services of any of the PCs in your configuration. Reserving these URLs is necessary because the Meridian Service Account is working with non-admin rights in the system.

In this scenario, the account:

is a standard domain account
is only a member of the Domain Users AD group
does not belong to the Administrator's group of any of the PCs in the configuration

If Meridian Enterprise Server is NOT started as a service on the Publisher Server PC, then the Meridian Service Account MUST be added to the Administrator group on this PC.

To create a non-admin service account:

Access the Enterprise Server and Publisher Server machines.
Follow the Create Service Account procedures above.
Download this zip file.
Extract the Reserve URL MSA.ps1 script.
Disable and stop the Meridian Enterprise Server service.
Navigate to C:\Program Files\BC-Meridian\Enterprise Server\ on your computer.
Open a command window as an administrator from the folder.
Type the following command in the window.
```
BlueCieloECM.EnterpriseService.exe /c
```
Press Enter on your keyboard.

The command processes.
Start PowerShell as an Administrator.
Run the Reserve URL MSA.ps1 script you extracted in step 4.

The parameters in this script are:
- MSA – meridian service account in format: domainname\username.
- Server – enterprise server.
- ESService – all available services.
- UrlOFF – this is a switch argument. If presented, reserved URLs will be deleted from the system.
  
  This argument is used when you want to roll back changes made to the system by the script.
This script may fail for some of the services – this is a known issue.
To check the result of the script:
1. Type the following command in PowerShell:
```
netsh http show urlacl
```
2. Press Enter on your keyboard.
Close PowerShell.
Close the command window.
Re-enable and start the Meridian Enterprise Server service.
Restart all Meridian machines.

Grant Domain Privileges With a Service Account

Create Service Account

Non-Admin Service Accounts

Rate this topic: