I'm trying to verify a complete list of rights/permissions a domain account would need when the Laserfiche Server service is configured to use a domain account without being a member of the local Administrators group.
Based on the available documentation and some manual review, it appears to be:
- Rights on the machine in question to log on as a service (which should automatically be granted when the LOG ON AS value is set to the domain account)
- NTFS FULL CONTROL permissions to c:\program files\laserfiche (and below) to read/write to configuration files, license files, named user database, etc.
- Apply https://support.laserfiche.com/kb/1012613
  - netsh http add urlacl url=http://+:80/lf user=osds\laserfichetest
  - netsh http add urlacl url=http://+:5053/ user=osds\laserfichetest
  - netsh http add urlacl url=https://+:443/lf user=osds\laserfichetest
  - This allows the user account to register the URL address space reservation for LF's usage of the HTTP.sys API.
- NTFS FULL CONTROL permissions to the Repository Path location.
- NTFS FULL CONTROL permissions to all LF VOLUME path locations.
- FULL CONTROL permissions to Registry key: HKLM\SOFTWARE\Laserfiche for repository creation, read/write of configuration/settings stored in the registry, etc.
Does anyone see anything I'm missing?
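
A read-only audit of the grants listed in the post above, as an added example that is not part of the original post and not Laserfiche code. The repository and volume paths are placeholders, the `netsh` parsing assumes English-locale output, and only ACEs granted directly to the account are checked (group-derived access and the "Log on as a service" right are not).

```powershell
# Added example: verifies the listed grants without changing anything.
$Account     = 'osds\laserfichetest'              # account named in the post
$FsPaths     = @(
    'C:\Program Files\Laserfiche',
    'D:\PLACEHOLDER\RepositoryPath',              # placeholder: repository path
    'E:\PLACEHOLDER\VolumePath'                   # placeholder: one entry per volume path
)
$RegPaths    = @('HKLM:\SOFTWARE\Laserfiche')
$UrlPrefixes = @('http://+:80/lf', 'http://+:5053/', 'https://+:443/lf')

function Test-FullControl {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -LiteralPath $Path)) { return 'PathNotFound' }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }   # case-insensitive
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Registry ACEs expose RegistryRights; file system ACEs expose FileSystemRights
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights } else { $ace.FileSystemRights }
        $full = [enum]::Parse($rights.GetType(), 'FullControl')
        if ($rights.HasFlag($full)) { return 'FullControl' }
    }
    return 'Missing'
}

function Get-UrlAclMap {
    # Builds a table of reserved URL prefix -> users from `netsh http show urlacl`
    $map = @{}; $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match 'Reserved URL\s*:\s*(\S+)') {
            $current = $Matches[1]; $map[$current] = @()
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $map[$current] += $Matches[1]
        }
    }
    return $map
}

$report = @(foreach ($p in $FsPaths + $RegPaths) {
    [pscustomobject]@{ Target = $p; Result = Test-FullControl -Path $p -Identity $Account }
})
$urlMap = Get-UrlAclMap
$report += foreach ($u in $UrlPrefixes) {
    # Compare without the trailing slash so either spelling of the prefix matches
    $key = $urlMap.Keys | Where-Object { $_.TrimEnd('/') -eq $u.TrimEnd('/') } |
        Select-Object -First 1
    $ok = $key -and ($urlMap[$key] -contains $Account)
    [pscustomobject]@{ Target = $u; Result = if ($ok) { 'Reserved' } else { 'Missing' } }
}
$report | Format-Table -AutoSize
```

Run it from an elevated prompt on the Laserfiche Server machine so the ACLs are readable. Any row that is not `FullControl` or `Reserved` is a grant from the list that the account does not hold directly.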