It’s good security practice to limit the permissions granted to accounts. Below, you’ll find the minimum permissions needed to install different components of Barracuda RMM, to let you identify the best options for your sites.
How the MWService account is created in Domain environments
In Domain environments, the MWService account is created when you install the Onsite Manager.
The MWService account is automatically added to the following groups:
Local Administrators
Domain Admins
Enterprise Admins
How the MWService account is created in Workgroup environments
In Workgroup environments, the MWService account is created when you run the Windows Site Prep Utility.
The MWService account is automatically added to the following groups:
Local Administrators
Enterprise Admins
Basic permissions
While the table below outlines the basic permissions needed to install each RMM component, more complicated options are available in the Permissions for new sites and Permissions for existing sites sections below.
| To install… | In this environment… | The MWService account needs these rights… |
|---|---|---|
| Service Center | Domain or Workgroup | NOTE: A Windows account with admin rights on the Reporting server is needed for reporting. |
| Device Managers | Domain or Workgroup | NOTE: NT AUTHORITY\Local System is used. |
| Onsite Managers | Domain | |
| | Workgroup | |
Permissions for new sites in Domain environments
When creating new sites in Domain environments, no permissions are needed to install either Service Center or Device Managers. Installing Onsite Manager requires that the MWService account belong to one of the following groups:
Domain Admins, or
Local Administrators. However, if you use the local Administrators group, you must run the Windows Site Prep Utility on each device before installing Onsite Manager.
For information on running the Windows Site Prep Utility, see Deploying Onsite Manager within a Domain.
Permissions for new sites in Workgroup environments
When creating new sites in Workgroup environments, the MWService account doesn’t require any permissions to install either Service Center or Device Managers. Installing Onsite Manager requires that the MWService account belong to the following group:
Local Administrators. You must also run the Windows Site Prep Utility on each device before installing Onsite Manager.
For information on running the Windows Site Prep Utility, see Deploying Onsite Manager within a Domain.
Permissions for existing sites
If you want to limit administrator rights for existing sites, your options depend on the environment of the site.
Onsite Manager in Domain environments
If Onsite Manager is installed in a Domain environment, the MWService account has already been added to the Domain Administrators group. For information on removing MWService from Domain Admins, see Removing MWService from the Domain Administrators group below.
Onsite Manager in Windows Workgroup environments
To install Onsite Manager on a site in a Windows Workgroup environment, the MWService account must be added to the local Administrators group. To do this, run the Windows Site Prep Utility on all managed devices. The utility automatically creates the MWService account and adds it to the local Administrators group.
For more information on running the Windows Site Prep Utility, see Deploying Onsite Manager within a Domain.
Removing MWService from the Domain Administrators group
To remove the MWService account from the Domain Admins group for an existing site while keeping it in the local Administrators group, add MWService to the local Administrators group on each device individually by performing the following steps:
1. Manually remove the MWService account from the Domain Admins group.
2. Run the Windows Site Prep Utility on all existing managed devices. When devices are added, you must run the Windows Site Prep Utility on each new device. The Windows Site Prep Utility adds the MWService account to the local Administrators group.
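A check for the end state of the steps above, as an added example (not Barracuda tooling and not code from this page): it confirms that MWService is no longer in Domain Admins or Enterprise Admins and that it is in the local Administrators group on each device. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the devices, a single-domain forest, and placeholder device names.

```powershell
# Added example: verifies group membership after the removal procedure.
# Assumptions: RSAT ActiveDirectory module, PowerShell remoting enabled,
# a single-domain forest, and placeholder device names.
Import-Module ActiveDirectory

$Account      = 'MWService'                           # account name from the page
$DomainGroups = 'Domain Admins', 'Enterprise Admins'  # groups named on the page
$Devices      = 'DEVICE-01', 'DEVICE-02'              # placeholders: replace with managed devices

# 1. Domain side: the account should no longer appear, directly or through nesting.
$domainResults = foreach ($group in $DomainGroups) {
    try {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        [pscustomobject]@{
            Scope    = $group
            IsMember = [bool]($members | Where-Object SamAccountName -eq $Account)
            Error    = $null
        }
    } catch {
        # Report lookup failures instead of treating them as "not a member".
        [pscustomobject]@{ Scope = $group; IsMember = $null; Error = $_.Exception.Message }
    }
}

# 2. Device side: after the Windows Site Prep Utility has run, the account should
#    be in the built-in Administrators group (well-known SID S-1-5-32-544).
$localResults = foreach ($device in $Devices) {
    try {
        $names = Invoke-Command -ComputerName $device -ErrorAction Stop -ScriptBlock {
            (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
        }
        [pscustomobject]@{
            Scope    = "$device\Administrators"
            IsMember = [bool]($names | Where-Object { $_ -like "*\$Account" })
            Error    = $null
        }
    } catch {
        [pscustomobject]@{ Scope = "$device\Administrators"; IsMember = $null; Error = $_.Exception.Message }
    }
}

# Expected after the procedure: False for both domain groups, True for every device.
@($domainResults) + @($localResults) | Format-Table -AutoSize
```

A row with an empty IsMember value and a populated Error column means the lookup failed, so that group or device still needs to be checked by hand.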
Removing MWService from all Administrators groups (Domain and Local)
You can remove MWService from all Administrators groups (Domain and Local) for an existing site in two different ways:
Option One: Use this option if Onsite Manager is installed on the site:
1. Install Device Manager on all devices in the site.
2. Do one of the following:
   - Manually remove MWService from the Domain Admins group.
   - Delete MWService.
3. Remove the Onsite Manager from the site by following the Uninstalling Onsite Managers procedure in https://campus.barracuda.com/doc/171942299/.
4. When devices are added, download the Device Manager from the site and install it on them.
Option Two: Use this option if Onsite Manager is not installed in the site:
Download the Device Manager from the site and install it on all Managed Devices.