https://documentation.commvault.com/commvault/v11/article?p=111970.htm

How do I identify or assign an account as a service account in this context?

“To prevent ransomware from encrypting the Commvault install folders, lock down those folders to only the Commvault service account and prohibit System Administrators from using that account unless absolutely necessary. You create the Commvault service account in the CommCell environment during the installation of the CommServe software. Only the Windows administrator account that is also the Commvault service account user should have access rights on the Commvault software installation folders.”

Under users I only see the Commvault internal accounts and under the domain
Hey
We’re discussing this one internally. I think we can agree it is not worded very well. What it's trying to say is: create a dedicated Windows local user to run the software under, and strip the Commvault install folder of all other security except for that user. The goal is to try to limit exposure should another account be compromised on the system. It does not have anything to do with an actual Commvault CommCell/Command Center account, although it's implied.
That being said, hold off on this recommendation, for now. We are evaluating it and will likely update the recommendation. Appreciate you pointing this out!
Thanks
Thanks Damian.
Hey
I tried to do this. I noticed on my CS that the drive/folders where CS is installed gave access to my AD/Domain Users group as well as my AD/Privileged Admins group (my sysadmin team). I did not think that all the users in my domain should have access to this data, so I took that off. Then, I was unable to run the CommCell Console or drill into the Base directory. I had to log back in to the CS machine with my domain admin account to add the AD/Domain Users back. I do not know Windows security/permissions well enough to know why the Windows drive/folder needs AD/Domain Users in addition to AD/Privileged Admins. I have an admin user in the Privileged Admins, and my non-admin user would be in Domain Users (however, perhaps ALL my users are in Domain Users).
I also have a Commvault admin account in my AD, which was also in the CS Server’s Administrator group, which is probably also in the Domain Users.
So, whatever you do to ‘fix’ or reword this probably needs to consider the AD/Domain Users role in allowing access to the installation directories.
So if I may have a question: after the software installation, let's say at the OS level, are there no other activities the account will be used for, for example during backup or refreshing the selection from the server?
The documentation says a service account is recommended for the Commvault folder and software installation. It didn't cover where the service account is used within a backup infrastructure and what role it plays.
Please share some thoughts.
To answer your question directly, this account is used to access the protected content, which may be fine for the local service account, or might require another account to access.
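An added example, not from the thread or from Commvault: a read-only PowerShell audit that shows which Windows account the Commvault services log on as and which principals hold rights on the install folder, including broad groups such as Domain Users. The install path and the `Commvault*` display-name filter are assumptions; adjust them for your CommServe.

```powershell
# Added example: read-only audit; it changes no permissions.
param(
    [string]$InstallPath   = 'C:\Program Files\Commvault\ContentStore', # assumed default path
    [string]$ServiceFilter = 'Commvault*'                               # assumed display-name prefix
)

# 1. Which Windows account does each Commvault service log on as?
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $ServiceFilter } |
    Sort-Object StartName, Name |
    Format-Table Name, StartName, State -AutoSize

# 2. Who holds rights on the install folder, and is each entry inherited?
# Well-known broad principals: Everyone, Authenticated Users, BUILTIN\Users,
# and any domain's "Domain Users" group (RID 513).
$broadSid = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-[\d-]+-513)$'

# Write-type rights, plus the raw GENERIC_WRITE / GENERIC_ALL bits that
# inherit-only entries sometimes carry.
$fsRights  = [System.Security.AccessControl.FileSystemRights]
$writeBits = [int]($fsRights::Write -bor $fsRights::Delete -bor
                   $fsRights::DeleteSubdirectoriesAndFiles -bor
                   $fsRights::ChangePermissions -bor
                   $fsRights::TakeOwnership) -bor 0x50000000

$acl   = Get-Acl -LiteralPath $InstallPath
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$report = foreach ($ace in $rules) {
    $sid = $ace.IdentityReference
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }   # orphaned SID: show it raw

    [pscustomobject]@{
        Identity  = $name
        Type      = $ace.AccessControlType
        CanWrite  = (([int]$ace.FileSystemRights -band $writeBits) -ne 0)
        Inherited = $ace.IsInherited
        Broad     = ($sid.Value -match $broadSid)
        Rights    = $ace.FileSystemRights
    }
}
$report | Sort-Object Inherited, Identity | Format-Table -AutoSize

# Entries to review first: broad groups that are allowed to modify the install tree.
$report | Where-Object { $_.Broad -and $_.CanWrite -and $_.Type -eq 'Allow' } |
    Format-Table Identity, Inherited, Rights -AutoSize
```

Entries marked `Inherited` come from a parent folder or the drive root, which is where a Domain Users grant like the one described in the thread would have to be examined rather than on the install folder itself.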