Question

Minimum rights and permissions for domain account used for Laserfiche service log on

asked on November 4, 2015

I'm trying to verify a complete list of rights/permissions a domain account would need when Laserfiche Server service is configured to use a domain account without being a member of the local administrators group. 

 

Based on the available documentation and some manual review, it appears to be:

  1. Rights on the machine in question to log on as a service (which should automatically be granted when the LOG ON AS value is set to the domain account)
  2. NTFS FULL CONTROL permissions to c:\program files\laserfiche (and below) to read/write to configuration files, license files, named user database, etc.
  3. Apply https://support.laserfiche.com/kb/1012613
    1. netsh http add urlacl url=http://+:80/lf user=osds\laserfichetest
    2. netsh http add urlacl url=http://+:5053/ user=osds\laserfichetest
    3. netsh http add urlacl url=https://+:443/lf user=osds\laserfichetest
    4. This allows the user account to register the URL address space reservation for LF's usage of the httpsys API. 
  4. NTFS FULL CONTROL permissions to the Repository Path location.
  5. NTFS FULL CONTROL permissions to all LF VOLUME path locations.
  6. FULL CONTROL permissions to Registry key: HKLM\SOFTWARE\Laserfiche for repository creation, read/write of configuration/settings stored in the registry, etc. 

 

Does anyone see anything I'm missing?

 

2 0
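
A read-only way to check the items in the list above on a live server, added here as an example; it is not part of the original thread or of Laserfiche's documentation. The account name and URLs are the ones quoted in the question, the repository and volume paths are placeholders, and only entries that name the account directly are matched (access gained through group membership is not evaluated).

```powershell
# Added audit example: reports only, changes nothing. Run from an elevated prompt.
# Repository/volume paths below are placeholders (assumptions); replace with your own.
$Account = 'osds\laserfichetest'
$Paths   = 'C:\Program Files\Laserfiche', 'D:\REPOSITORY_PATH_PLACEHOLDER',
           'E:\VOLUME_PATH_PLACEHOLDER', 'HKLM:\SOFTWARE\Laserfiche'
$Urls    = 'http://+:80/lf', 'http://+:5053/', 'https://+:443/lf'

function Test-FullControl {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -LiteralPath $Path)) { return 'path not found' }
    # Only Allow ACEs naming the account itself are considered.
    $aces = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -ieq $Identity -and
        $_.AccessControlType -eq 'Allow'
    }
    foreach ($ace in $aces) {
        # File/folder ACEs expose FileSystemRights, registry ACEs RegistryRights.
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights } else { $ace.FileSystemRights }
        if ("$rights" -match 'FullControl') { return 'FullControl' }
    }
    return 'no FullControl ACE for account'
}

function Test-UrlAcl {
    param([string]$Url, [string]$Identity)
    # netsh lists reservations with a trailing slash, so query in that form.
    $out = & netsh http show urlacl "url=$($Url.TrimEnd('/'))/"
    [bool]($out | Select-String -SimpleMatch $Identity)
}

function Test-ServiceLogonRight {
    param([string]$Identity)
    # Export the local user-rights policy and look for the account's SID.
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    & secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    [bool]($line -and $line.Line -match [regex]::Escape($sid))
}

$Paths | ForEach-Object { '{0,-40} {1}' -f $_, (Test-FullControl $_ $Account) }
$Urls  | ForEach-Object { '{0,-40} urlacl={1}' -f $_, (Test-UrlAcl $_ $Account) }
'Log on as a service: {0}' -f (Test-ServiceLogonRight $Account)
```

Any line that reports something other than FullControl or True points at the list item to revisit before removing the account from the local administrators group.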

Replies

replied on November 11, 2015

Don't forget access to the repository database! It needs to be able to read and write into the database so I suggest making the service account a DB owner. You can also refer to the help files for more information.

2 0

replied on January 6, 2016

This is great information I have been looking for, but just stumbled upon.  It would be fantastic to have a summary like this for the entire suite of LF applications / services.  Thank you!

2 0

replied on April 23, 2018

The above still works just FYI in 10.3

I got scared when I was attaching the DB because if you click the server drop-down it gives you an error about an account, but it's a red herring. You need to type the SQL server name into that field, not use the drop-down.

 

If you make a mistake in

netsh http add urlacl url=http://+:80/lf user=osds\laserfichetest

you can use

netsh http delete urlacl url=http://+:80/lf

to remove the bad config, before you can add it correctly again.

1 0

replied on January 2, 2021

Has anyone determined the minimum privileges that the Laserfiche service account must have on the SQL server? I tested de-escalating privileges and ran into errors running stored procedures. That was just the first obstacle we encountered. I am curious what else to expect.

I go into a little more detail on my related post. Thanks

0 0