8MAN service account permissions

<< Display table of contents >>

Navigation:  Start > Install & Config > System requirements >

8MAN service account permissions

We recommend using service accounts (dedicated user accounts for 8MAN). This ensures that:


the access rights of the service accounts are used by 8MAN, for example Active Directory read only without change rights

it is easy to identify whether an action was performed by 8MAN or by a domain admin

if the domain admin changes his password, the 8MAN configuration is not affected

Avoid restrictions through activity limits (for example, Exchange Online allows only three parallel requests).


This approach allows for more detailed concepts by using several service accounts. In general, the more service accounts, the better you can fine tune and keep track of access rights. Please note that more detailed concepts generally also require more administrative efforts. The most basic concept only required one service account whom all required access rights are assigned to.

For 8MAN service accounts, please be sure to activate the option "Password never expires".



required access rights

8MAN server

The service account requires local administrator rights on the 8MAN server.

Is the service account is a member of the domain Admin group, then this requirement is automatically fulfilled. If a server computer becomes a member of the domain (domain join) then the group Domain Admins will become a member of the local administrator group.

SQL Server

The 8MAN setup requires the role "dbcreator" on the SQL server. If you create a data base before, then 8MAN requires the role "dbowner". You can work with either Windows or SQL-server authorization.

Active Directory (AD)-Scan

Every user account requires at least read-only rights in order to be able to generate an AD scan.

If you utilize delegation in your organization, then you must add the service account to a group that can read the required OUs.

AD Modify (8MAN Enterprise)

If you work with delegation in your company, you must assign the service account to a group that is allowed to change the relevant OUs.

Without delegation: The service account becomes a member of the Domain admin group.

File Server (FS)-Scan

The user account requires access rights in order to be able to read NTFS permissions as well as traverse folder so that it can access the required folders. The service account can become a member of the domain admin group. If the domain admin account does not have access to all folders (for example user folders) then add the service account to the backup operators on the file server.

AD Logga

The service account must be a member of the group "event log reader". Members of the domain admin group also have the required access rights to be able to read event protocols.

FS Logga

No service account is required for the FS-Logga functionality. The "NT Authority system" must have access to the monitored directories. You can find more information regarding required settings in the FS Logga handbook.

8MATE Exchange

To read exchange access rights please add the service account to the group "View-Only Organization Management".

To be able to change access rights on the Exchange server please add the service account to the group "Organization Management" (read only rights are included).

The service account requires admin rights on the collector server.

Further access settings (impersonation, own mailbox) may be required and are contained in the section  "Exchange Scans".

8MATE SharePoint

The service account must be a member of the group "local adminstrator" of the SharePoint server.

The service account must be a member of the SharePoint farm administrator group.

The service account requires the special access right "SharePoint_Shell_Access" and must be a member of the local group "WSS_Admin_WPG".

The service account requires "full access" to run the web interface.

Further access settings are required (Authorization of the SharePoint data base, which is further described in the SharePoint handbook.

8MATE SharePoint (site collection)

The required permissions are described in chapter Accounts for a SharePoint scan via Remote Connector.

8MATE Exchange Logga

The logon account must be a member of the Organization Management and Records Management roles on the selected Exchange Server.