Contents x
    Service Account Permissions
      • Print
      • Dark
        Light
      • PDF
      Contents

      Service Account Permissions

        • Print
        • Dark
          Light
        • PDF
        Article Summary

        Required User Permissions for ControlUp Service Accounts

        Monitor Service Account

        This account must have Allow Log on as a Service, and for full functionality should have the Allow log on locally user right (and not the Deny log on locally user right). This should be set on all machines running the monitor service and is done under Windows Group Policy Management Settings in Local Policies/User Rights Assignment.

        The Allow log on locally option is needed for the following tasks that require impersonation (Local logon) when writing to the disk (local or remote):

        • To use the Export Schedule feature which writes a CSV file to disk.
        • To deploy agents to endpoints if the automatic agent deployment option is selected in the Real-Time Console. This is because the monitor acts as a UI-less console when deploying agents automatically.
        • For On-prem environments to write activity files to the disk.

        If you are sure you are not going to use any of these features and prefer not to Allow log on locally, you can assign Allow Log on as a Service. If you are not sure, set as recommended or contact support@controlup.com.

        Required User Permissions for Connecting to External Sources

        Connecting an external resource such as VMware vCenter or Citrix Hypervisor requires a user account that you already need to have set up on your managed endpoints. To deploy agents, this account needs to have local administrative privileges on all the endpoints being managed.

        CVAD

        The Read Only Administrator right to all farms that will be managed is sufficient for monitoring
        purposes. If you want to be able to use the built-in XenDesktop management features, then this
        account will require the following permissions:

        • Edit Application Group Properties
        • Edit Application Properties (Application Group)
        • Edit Delivery Group Properties
        • Edit Machine Catalog Properties

        Citrix Hypervisor

        If Active Directory authentication is enabled for the XenServer pool, then the Read-Only role is sufficient.

        VMware vCenter

        The Read-Only role is sufficient for all monitoring purposes.

        VMware Horizon

        The Read-Only role is sufficient for all monitoring purposes. If you want to be able to use the build-in
        Horizon actions, then the following permissions are needed:

        • Enable Farm and Desktop Pools
        • Manage Machine
        • Manage Sessions
        • Manage Global Sessions (Cloud Pod architecture only)

        Nutanix AHV

        The “Viewer” role is required to monitor the AHV clusters. If you wish to take maintenance actions,
        then the account will need “Cluster Admin”.

        Citrix ADC

        A service account will be needed to connect to each ADC appliance. This account only needs Read-Only rights to the appliances.

        Was this article helpful?
        What's Next