Service Account Permissions

    Required User Permissions for ControlUp Service Accounts

    Monitor Service Account

    This account must have the Allow Log on as a Service user right, and for full functionality it should also have the Allow log on locally user right (and should not have the Deny log on locally user right). Set these rights on all machines running the monitor service, under Windows Group Policy Management Settings in Local Policies/User Rights Assignment.

    The Allow log on locally option is needed for the following tasks that require impersonation (Local logon) when writing to the disk (local or remote):

    • To use the Export Schedule feature which writes a CSV file to disk.
    • To deploy agents to endpoints if the automatic agent deployment option is selected in the Real-Time Console. This is because the monitor acts as a UI-less console when deploying agents automatically.
    • For On-prem environments to write activity files to the disk.

    If you are sure you are not going to use any of these features and prefer not to grant Allow log on locally, you can assign only Allow Log on as a Service. If you are not sure, set as recommended or contact
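
    One way to check these three user rights on a machine running the monitor service, as an added example that is not ControlUp's own tooling: it parses a `secedit` user-rights export and flags a missing allow right or a Deny log on locally entry. The function name, the account `EXAMPLE\svc-monitor` and the sample export lines are constructed, and the account's group membership is supplied by the caller as an assumption.

```powershell
# Added example; the account name and export lines below are constructed.
function Test-MonitorAccountRights {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,    # lines of a secedit USER_RIGHTS export
        [Parameter(Mandatory)] [string[]] $Principals   # account plus its groups, as names or SIDs
    )
    # User rights named on this page -> constants used in the export.
    $rights = [ordered]@{
        'Log on as a service'  = 'SeServiceLogonRight'
        'Allow log on locally' = 'SeInteractiveLogonRight'
        'Deny log on locally'  = 'SeDenyInteractiveLogonRight'
    }
    # Parse "SeXxxRight = *SID,NAME,..." into constant -> holders ('*' marks a SID).
    $holders = @{}
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.+)$') {
            $holders[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    foreach ($name in $rights.Keys) {
        $const   = $rights[$name]
        $granted = @()
        if ($holders.ContainsKey($const)) {
            $granted = @($holders[$const] | Where-Object { $Principals -contains $_ })
        }
        $held = $granted.Count -gt 0
        # The two allow rights must be held; the deny right must not be.
        $want = $name -notlike 'Deny*'
        [pscustomobject]@{
            Right = $name; Held = $held; Via = ($granted -join ', '); Compliant = ($held -eq $want)
        }
    }
}

# Constructed sample. On a real machine, export from an elevated prompt with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
# and pass (Get-Content "$env:TEMP\rights.inf") as -InfLines.
$sample = @(
    '[Privilege Rights]'
    'SeServiceLogonRight = *S-1-5-80-0,EXAMPLE\svc-monitor'
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545'
    'SeDenyInteractiveLogonRight = *S-1-5-32-546,EXAMPLE\svc-monitor'
)
# The account itself plus BUILTIN\Users (S-1-5-32-545), assumed here to contain it.
Test-MonitorAccountRights -InfLines $sample -Principals 'EXAMPLE\svc-monitor', 'S-1-5-32-545' |
    Format-Table -AutoSize
```

    In the sample, the account holds both allow rights (one through a group) but is also listed under Deny log on locally, so that row is reported as non-compliant; a deny entry takes precedence over the allow right.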

    Required User Permissions for Connecting to External Sources

    Connecting an external resource such as VMware vCenter or Citrix Hypervisor requires a user account that must already be set up on your managed endpoints. To deploy agents, this account needs local administrative privileges on all the endpoints being managed.


    The Read Only Administrator right to all farms that will be managed is sufficient for monitoring purposes. If you want to be able to use the built-in XenDesktop management features, then this account will require the following permissions:

    • Edit Application Group Properties
    • Edit Application Properties (Application Group)
    • Edit Delivery Group Properties
    • Edit Machine Catalog Properties

    Citrix Hypervisor

    If Active Directory authentication is enabled for the XenServer pool, then the Read-Only role is sufficient.

    VMware vCenter

    The Read-Only role is sufficient for all monitoring purposes.

    VMware Horizon

    The Read-Only role is sufficient for all monitoring purposes. If you want to be able to use the built-in Horizon actions, then the following permissions are needed:

    • Enable Farm and Desktop Pools
    • Manage Machine
    • Manage Sessions
    • Manage Global Sessions (Cloud Pod architecture only)

    Nutanix AHV

    The “Viewer” role is required to monitor the AHV clusters. If you wish to take maintenance actions, then the account will need “Cluster Admin”.

    Citrix ADC

    A service account will be needed to connect to each ADC appliance. This account only needs Read-Only rights to the appliances.
