Changing the logon account on Windows machines
On the Select components screen, define the account under which the services will run by specifying the Logon account for the agent service. You can select one of the following:
- Use Service User Accounts (default for the agent service)
  Service User Accounts are Windows system accounts that are used to run services. The advantage of this setting is that the domain security policies do not affect these accounts' user rights. By default, the agent runs under the Local System account.
- Create a new account
  The account name will be Agent User for the agent.
- Use the following account
If you install the agent on a domain controller, the system prompts you to specify existing accounts (or the same account) for the agent. For security reasons, the system does not automatically create new accounts on a domain controller.
The user account that you specify when the setup program runs on a domain controller must be granted the Log on as a service right. This account must have already been used on the domain controller, in order for its profile folder to be created on that machine.
For more information about installing the agent on a read-only domain controller, see this knowledge base article.
If you chose the Create a new account or Use the following account option, ensure that the domain security policies do not affect the related accounts' rights. If an account is deprived of the user rights assigned during the installation, the component may work incorrectly or not work at all.
Privileges required for the logon account
A protection agent is run as a Managed Machine Service (MMS) on a Windows machine. The account under which the agent will run must have specific rights for the agent to work correctly. Thus, the MMS user should be assigned the following privileges:
- Included in the Backup Operators and Administrators groups. On a Domain Controller, the user must be included in the group Domain Admins.
- Granted the Full Control permission on the folder %PROGRAMDATA%\Acronis (in Windows XP and Server 2003, %ALLUSERSPROFILE%\Application Data\Acronis) and on its subfolders.
- Granted the Full Control permission on certain registry keys in the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Acronis.
- Assigned the following user rights:
  - Log on as a service
  - Adjust memory quotas for a process
  - Replace a process level token
  - Modify firmware environment values
How to assign the user rights
Follow the instructions below to assign the user rights. This example uses the Log on as a service user right; the steps are the same for the other user rights:
- Log on to the computer by using an account with administrative privileges.
- Open Administrative Tools from Control Panel (or press Win+R, type control admintools, and press Enter) and open Local Security Policy.
- Expand Local Policies and click on User Rights Assignment.
- In the right pane, right-click Log on as a service and select Properties.
- Click on the Add User or Group… button to add a new user.
- In the Select Users, Computers, Service Accounts, or Groups window, find the user you wish to enter and click OK.
- Click OK in the Log on as a service Properties to save the changes.
Ensure that the user that you have added to the Log on as a service user right is not listed in the Deny log on as a service policy in Local Security Policy.
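To confirm the result of these steps, the following PowerShell script exports the user rights assignment with secedit and reports whether the logon account holds the four required rights and is absent from Deny log on as a service. It is an added example, not part of the vendor's documentation; the account name CONTOSO\svc-agent is a placeholder, and the script assumes the account is a member of Administrators and Backup Operators, so rights held by those groups count as granted.

```powershell
# Added example. Run elevated; 'CONTOSO\svc-agent' is a placeholder account.
param(
    [string]$Account = 'CONTOSO\svc-agent',
    # Assumption: the account belongs to Administrators and Backup Operators
    # (well-known SIDs), so rights held by those groups count as granted.
    [string[]]$GroupSid = @('S-1-5-32-544', 'S-1-5-32-551')
)
$required = [ordered]@{
    SeServiceLogonRight           = 'Log on as a service'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeSystemEnvironmentPrivilege  = 'Modify firmware environment values'
}
$denyRight = 'SeDenyServiceLogonRight'   # Deny log on as a service

function ConvertTo-Sid([string]$Principal) {
    # secedit writes entries as *SID or, sometimes, as a bare account name.
    $p = $Principal.Trim().TrimStart('*')
    if ($p -like 'S-1-*') { return $p }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($p)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # name could not be resolved on this machine
}

$accountSid = ConvertTo-Sid $Account
if (-not $accountSid) { throw "Cannot resolve account '$Account'." }

$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
$rights = @{}
try {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit $LASTEXITCODE)." }
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { ConvertTo-Sid $_ })
        }
    }
} finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }

foreach ($name in @($required.Keys) + $denyRight) {
    $holders = @($rights[$name])
    # First SID (the account itself, then its groups) that appears in the policy.
    $match = @($accountSid) + $GroupSid | Where-Object { $holders -contains $_ } | Select-Object -First 1
    # A required right passes when matched; the deny right passes when NOT matched.
    $ok = if ($name -eq $denyRight) { -not $match } else { [bool]$match }
    [pscustomobject]@{ Right = $name; MatchedSid = $match; Status = $(if ($ok) { 'OK' } else { 'FAIL' }) }
}
```

A FAIL on SeDenyServiceLogonRight means the account, or one of the listed groups, is in the deny policy. Re-running the check after a Group Policy refresh shows whether a domain security policy has removed rights assigned during installation.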
Note that we recommend that you do not change logon accounts manually after the installation is completed.