In Support, and in Professional Services, best practice is to manually set most of our services to use the SSAdministrator account so that permissions are directly assigned without passing through a medium. Most of these services should be set to the SSAdministrator user during installation, but permissions issues often prevent some of them from being set.
There are, however, some services that we do not typically assign to the SSAdministrator account explicitly. Services such as GlobalAction/GlobalCapture, as well as MongoDB, are often left to run as Local System. From a Windows perspective, these services will use a restricted local account with some system privileges. They are listed in the services.msc console as “Local System”.
However, when the API is called by such a service, the account used for that call is read from AdminAuthenticationSettings.xml in C:\GetSmart. This account is set by Service Console and is oftentimes the domain SSAdministrator. (This is why it’s often a good idea to run Service Console if GlobalAction/GlobalCapture is behaving strangely. Doing so will solidify the relationship between the service account and the service itself.)
Service Console is a utility that sets all of your GlobalSearch services to use a single service account at once. You can use this console window to stop and start your services, as well as set the service account. Additionally, it will modify all XML forms necessary to pass service account data through services that run as Local System by default (i.e., GlobalCapture and GlobalAction).
Service Console can be found in v4.1 and up and is located in the GetSmart directory.
This is crucial to the proper functioning of services like GlobalAction. If, for example, a user is secured and can create and modify GA initiator services, but the service account referenced in the square9webauth.dll cannot see said search (i.e., is not secured), that service will not function correctly.
Things to be aware of
- GlobalAction and GlobalCapture can both run comfortably as Local System and as a secured user – we typically run this service in whatever way is most stable
- If GlobalCapture is using UNC paths to a 'hot folder', the service cannot run as Local System. The GlobalCapture service needs to run as a user with permission to access those folders.
- You can tell if Service Console has set the credentials correctly by checking the last-modified date of the AdminAuthenticationSettings.xml in your GetSmart directory.
- Services will require a restart for new authentication credentials to take effect.
Please Be Advised
‘SSDP Discovery’ is a Windows service. You should not change this service to run as SSAdministrator.
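
The checks listed above (logon account, last-modified date of AdminAuthenticationSettings.xml, restart after a credential change, and SSDP Discovery left alone) can be run together from an elevated PowerShell prompt. This is an added example, not a Square 9 tool; the display-name patterns are assumptions and should be adjusted to match the service names on your server.

```powershell
# Added example: audit the logon accounts of GlobalSearch-related services.
# ASSUMPTION: the display-name patterns below are placeholders for your install.
$patterns   = 'GlobalCapture*', 'GlobalAction*', 'MongoDB*', 'Square 9*'
$authFile   = 'C:\GetSmart\AdminAuthenticationSettings.xml'   # path from the article
$svcAccount = 'SSAdministrator'

# When did Service Console last write the credentials file?
$authWritten = $null
if (Test-Path -LiteralPath $authFile) {
    $authWritten = (Get-Item -LiteralPath $authFile).LastWriteTime
} else {
    Write-Warning "$authFile not found; Service Console may not have been run."
}

# Matching services, plus SSDP Discovery (service name SSDPSRV).
$services = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $dn = $_.DisplayName
    $_.Name -eq 'SSDPSRV' -or ($patterns | Where-Object { $dn -like $_ })
}

$report = foreach ($svc in $services) {
    # Start time of the hosting process; reading it for system processes needs elevation.
    $started = $null
    if ($svc.ProcessId -gt 0) {
        $started = (Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue).StartTime
    }

    $note = ''
    if ($svc.Name -eq 'SSDPSRV') {
        if ($svc.StartName -like "*$svcAccount*") {
            $note = 'SSDP Discovery should not run as the service account'
        }
    } elseif ($authWritten -and $started -and $started -lt $authWritten) {
        # New credentials only take effect after the service restarts.
        $note = 'Started before the credentials file was updated; restart required'
    }

    [pscustomobject]@{
        Service = $svc.DisplayName
        State   = $svc.State
        RunsAs  = $svc.StartName    # "LocalSystem" for Local System services
        Started = $started
        Note    = $note
    }
}

$report | Sort-Object Service | Format-Table -AutoSize
"Credentials file last modified: $authWritten"
```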