Running BES Services as domain users without local administrator rights

DerrickD 2021-01-12 19:45:34 UTC #1

Our BigFix v10 environment runs on Windows 2019 using Active Directory service accounts and off box SQL. To increase security through least privilege, I was attempting to lower the BigFix application service account from local administrators to local users (open to using other local groups if needed). This works fine for the off box SQL, but for BigFix masters, some services will not start as local user. Of course, running as local admin works perfectly fine.

Services that will start as domain\username in Local users
GatherDB
BESWebUI

Services that fail to start as domain\username in Local users
FillDB
BESRootServer
BESWebReportsServer

Anyone have documentation, root cause ideas, or knowledge of required changes to address and/or potential issues we will have even we solve running as local user?

JasonWalker 2021-01-12 21:44:27 UTC #2

I don’t know that we support such a configuration, and haven’t tried it myself.
At minimum you’d have to grant the account write permissions to the install paths under Program Files (x86), and the Registry paths – by default, standard Users can’t write to any of those.

I’m afraid you’re in for a trial of finding and updating permissions on a lot of paths that are writable by Administrators but not by standard Users.