Service logon account

You can change the account under which the agent or the management service will run by using the Logon account for the agent service and Logon account for the management server service options, respectively.

You can choose one of the following options:

  • Use Service User Accounts (default for the agent service)

    Service User Accounts are Windows system accounts that are used to run services. The advantage of this option is that the domain security policies do not affect the user rights of these accounts. By default, the agent runs under the Local System account.

  • Create a new account (default for the management server service and the storage node service)

    The account names are Acronis Agent User, AMS User, and ASN User for the agent, management server, and the storage node services, respectively.

  • Use the following account

    If you install the product on a domain controller, the setup program prompts you to specify existing accounts (or the same account) for each service. For security reasons, the setup program does not automatically create new accounts on a domain controller.

    The user account that you specify when the setup program runs on a domain controller must be granted the Log on as a service right. This account must have already been used on the domain controller, in order for its profile folder to be created on that machine.

    For more information about installing the agent on a read-only domain controller, see this knowledge base article.

    Also, selecting Use the following account allows you to use Windows authentication for Microsoft SQL Server if you configure the management server with a SQL database.

If you chose the Create a new account or Use the following account option, ensure that the domain security policies do not affect the rights of the related accounts. If an account is deprived of the user rights that are assigned during the installation, the related component may work incorrectly or may not work.

Required user rights for the service logon account

A protection agent runs as Managed Machine Service (MMS) on a Windows machine. The account under which the agent runs must have the following rights for the agent to work correctly:

  1. The MMS user must be included in the Backup Operators and Administrators groups. On a domain controller, the user must be included in the Domain Admins group.
  2. The MMS user must be granted the Full Control permission on the folder %PROGRAMDATA%\Acronis (in Windows XP and Server 2003, %ALLUSERSPROFILE%\Application Data\Acronis) and on its subfolders.
  3. The MMS user must be granted the Full Control permission on certain registry keys in the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Acronis.
  4. The MMS user must be assigned the following user rights in Windows:

    • Log on as a service
    • Adjust memory quotas for a process
    • Replace a process level token
    • Modify firmware environment values

The ASN user must have local administrator rights on the machine where Acronis Storage Node is installed.

To assign user rights in Windows

This procedure uses the Log on as a service user right as an example. The steps for the other user rights are the same.

  1. Log in to the computer as administrator.
  2. In Control Panel, open Administrative Tools. Alternatively, press Win+R on the keyboard, type control admintools, and then press Enter.
  3. Open Local Security Policy.
  4. Expand Local Policies, and then click User Rights Assignment.
  5. In the right pane, right-click Log on as a service, and then select Properties.
  6. Click Add User or Group… to add a new user.
  7. In the Select Users or Groups window, find the user you want to add, and then click OK.
  8. In the Log on as a service Properties window, click OK to save the changes.

The user that you add to the Log on as a service user right must not be listed in the Deny log on as a service policy in Local Security Policy.
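
To confirm the result of the procedure above without opening each policy, the following read-only check exports the local user rights with secedit and reports whether the account holds the four rights listed on this page and is absent from the deny policy. It is an added example, not part of the vendor's product or documentation; the default account name and the function name Test-RightAssigned are assumptions, so replace the account with the one you actually use.

```powershell
param(
    # Assumption: the account created by setup; replace with your service account.
    [string]$Account = "$env:COMPUTERNAME\Acronis Agent User"
)

# User rights named on this page, mapped to their Windows privilege constants.
$required = [ordered]@{
    'Log on as a service'                = 'SeServiceLogonRight'
    'Adjust memory quotas for a process' = 'SeIncreaseQuotaPrivilege'
    'Replace a process level token'      = 'SeAssignPrimaryTokenPrivilege'
    'Modify firmware environment values' = 'SeSystemEnvironmentPrivilege'
}
$denyRight = 'SeDenyServiceLogonRight'   # Deny log on as a service

# Resolve the account to its SID; the exported policy lists principals as *SID.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local policy (requires elevation).
$cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed; run from an elevated prompt." }

try {
    # Parse "SeXxx = *S-1-5-...,Name" lines into a right -> principals table.
    $rights = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim() }
        }
    }
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

function Test-RightAssigned([string]$Right) {
    # Direct assignments only: rights granted through a group are not expanded.
    $entries = @($rights[$Right])
    ($entries -contains "*$sid") -or ($entries -contains $Account) -or ($entries -contains $Account.Split('\')[-1])
}

foreach ($name in $required.Keys) {
    $held  = Test-RightAssigned $required[$name]
    $state = if ($held) { 'OK' } else { 'MISSING' }
    '{0,-38} {1}' -f $name, $state
}
if (Test-RightAssigned $denyRight) { 'Deny log on as a service: account is LISTED (must not be)' }
```

A MISSING result only means that the account is not named directly in that policy; if the right is granted to a group the account belongs to, confirm it in Local Security Policy.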

We do not recommend changing the logon account manually after the installation completes.