Minimum rights for local Admin accounts

Questions

What are the minimum rights for a local account to do all of the functions required for the operation of the SecureAuth server? Is there a built-in group within Windows Server (local group) that can do this function? If not, what are the specific rights?

Answers

Any member of the local Administrators group can perform the standard management functions. An account for the organization's management of SecureAuth can be easily configured and made functional as long as it is a member of the local Administrators group. There are three relevant accounts on the SecureAuth Appliance, all of which are members of the local Administrators group:

  • Administrator = The local Administrator account. Allows for RDP access as well as standard Server Management functionality. The password for this account can be changed / managed as needed. This account can be renamed at any time.

  • SecureAuth0 = This is a local service account which is a member of the local Administrators group. This account is configured as the identity of the SecureAuth0 application pool. This application pool is used by the Web Admin console to manage / configure the other SecureAuth realms. The password for this account is randomly generated and can be changed / managed as needed.

  • svc-iisrepl-01 = This account is used if the appliances are configured as a synchronized set. The account is matched on participating appliances to allow the realm configuration files to be replicated between the appliances. If the SecureAuth appliance is a stand-alone appliance, this account is not used and can be disabled / deleted. The password for this account is randomly generated and can be changed / managed as needed.
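
A read-only audit of the three accounts listed above, as an added example that is not SecureAuth's own tooling. The account and application pool names come from the list; the `$StandAlone` parameter is an assumption supplied by the operator, since the page gives no way to detect a synchronized set.

```powershell
# Added example: read-only audit of the appliance's local admin accounts.
# Assumption: the operator states whether the appliance is stand-alone.
param([bool]$StandAlone = $true)

Import-Module Microsoft.PowerShell.LocalAccounts
Import-Module WebAdministration   # provides the IIS:\ drive

# Well-known SID of the local Administrators group (independent of its name).
$members   = Get-LocalGroupMember -SID 'S-1-5-32-544'
$adminSids = $members.SID.Value

# The built-in Administrator may have been renamed; its RID is always 500.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

$report = foreach ($name in @($builtin.Name, 'SecureAuth0', 'svc-iisrepl-01')) {
    $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    $note = ''
    if (-not $u) {
        $note = 'account not found'
    } elseif ($name -eq 'svc-iisrepl-01' -and $StandAlone -and $u.Enabled) {
        $note = 'stand-alone appliance: account is unused, disable or delete'
    }
    [pscustomobject]@{
        Account          = $name
        Sid              = if ($u) { $u.SID.Value } else { $null }
        Enabled          = if ($u) { $u.Enabled } else { $null }
        InAdministrators = if ($u) { $adminSids -contains $u.SID.Value } else { $false }
        PasswordLastSet  = if ($u) { $u.PasswordLastSet } else { $null }
        Note             = $note
    }
}
$report | Format-Table Account, Enabled, InAdministrators, PasswordLastSet, Note -AutoSize | Out-Host

# The SecureAuth0 application pool should run as the SecureAuth0 account.
$poolUser = (Get-Item 'IIS:\AppPools\SecureAuth0').processModel.userName
if (($poolUser -split '\\')[-1] -ne 'SecureAuth0') {
    Write-Warning "SecureAuth0 pool identity is '$poolUser', expected SecureAuth0"
}

# Any other member of Administrators is listed for review.
$members |
    Where-Object { $report.Sid -notcontains $_.SID.Value } |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize | Out-Host
```

Run it from an elevated PowerShell session on the appliance; it changes nothing and only reports.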