Royal Server V4 has no valid worker account configured and cannot continue startup

Royal Server needs a valid Worker Account with the following properties to work.

The account

  • is able to log on (e.g. it is not forced to change its password at next logon because of a policy),
  • is a member of the local Administrators group, and
  • has the right to log on as a batch job (a new requirement in V4). Members of the local Administrators group hold this right by default. You can check whether the account has it in the Group Policy Editor (gpedit.msc) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, entry “Log on as batch job”. The right is granted to the local Administrators group by default but may be removed or overridden by a domain group policy.

Royal Server joined to a Windows Domain

In a domain environment additional rights are required. The worker account must be a **domain user** (if domain users or domain groups are added to the local Royal Server* groups) in order to be allowed to query group memberships on the domain controller.

By default, any authenticated domain user can query group memberships of other users and read attributes like memberOf, primaryGroupID, etc.

The relevant permissions on Active Directory objects are:

  • Read memberOf (for user objects)

  • Read Members (for group objects)

  • List contents (for containers/OUs)

which are controlled through Access Control Entries (ACEs) on Active Directory objects.

Issues can occur when security hardening tools such as HardenAD are in use: HardenAD removes the default ACL that authorizes every domain user to read the memberOf attribute of every other user.

The solution is to add a delegated permission that allows the Royal Server worker account to read these attributes; once the delegation is in place, group lookups work again. Apply it to the Worker Account (if it is configured to run the Windows Service).
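The following PowerShell script is an added example (not Royal Server's own tooling) that checks the three requirements above on the Royal Server host: local Administrators membership, the “Log on as batch job” right, and whether memberOf is readable in the domain. The parameter names, the temporary file path and the optional -ProbeUser account are assumptions of this example.

```powershell
# Added example (not Royal Server's own code). Run in an elevated PowerShell on
# the Royal Server host. -Account is DOMAIN\user or a local user name; -ProbeUser
# is a domain user known to be in at least one group. Step 3 only reflects the
# worker account's own rights when this script itself runs as that account.
param(
    [Parameter(Mandatory)][string]$Account,
    [string]$ProbeUser
)
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Direct membership in the local Administrators group (looked up by its
#    well-known SID so it works on localized Windows; nesting is not expanded).
$adminSid = 'S-1-5-32-544'
$isAdmin  = [bool](Get-LocalGroupMember -SID $adminSid |
                   Where-Object { $_.SID.Value -eq $sid })

# 2. "Log on as a batch job". secedit exports the effective local policy,
#    including values pushed by domain GPO; [Privilege Rights] lists each right
#    as comma-separated SIDs prefixed with '*'. A deny entry wins over a grant.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # temp path is an assumption
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
function Get-RightHolders([string]$Right) {
    $m = Select-String -Path $cfg -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $m) { return @() }
    ($m.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}
$granted = Get-RightHolders 'SeBatchLogonRight'
$denied  = Get-RightHolders 'SeDenyBatchLogonRight'
Remove-Item $cfg -ErrorAction SilentlyContinue
$principals = @($sid); if ($isAdmin) { $principals += $adminSid }
$hasBatch = [bool]($principals | Where-Object { $granted -contains $_ }) -and
            -not ($principals | Where-Object { $denied -contains $_ })

# 3. Domain only: AD silently omits attributes the caller may not read, so a
#    missing memberOf on a user known to be in a group means the read ACE is
#    gone (the HardenAD case above).
$memberOfReadable = 'n/a'
if ($ProbeUser -and (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    $r = ([ADSISearcher]"(sAMAccountName=$ProbeUser)").FindOne()
    $memberOfReadable = [bool]($r -and $r.Properties.Contains('memberof'))
}

[pscustomobject]@{
    Account            = $Account
    LocalAdministrator = $isAdmin
    LogOnAsBatchJob    = $hasBatch
    MemberOfReadable   = $memberOfReadable
}
```

If LogOnAsBatchJob is false even though LocalAdministrator is true, a domain group policy has overridden the default assignment and the right must be restored there rather than locally.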