Service accounts

Shopping Central service account

  • Must be a domain account with local admin rights on the Shopping server.

  • Must have NTFS security:

    • Read and execute permissions on the Shopping program files installation folder.

    • Full permissions to the Shopping log folders.

    • The above will be automatic if Shopping is installed using default locations on a default installation of Windows.

    • The above security permissions are particularly relevant if you use non-default installer properties INSTALLDIR or LOGPATH.

  • We recommend restricting the account with Deny logon locally.

  • Must be a member of the Shopping Configuration Manager Database Access (SHOPPINGCONSOLESMSUSERS) group. If the Shopping Central installer account has permissions to add accounts to this group, then it will automatically add the account to the group during installation.
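The requirements above can be verified on the Shopping server with a script like the following. This is an added check written for this page, not part of the 1E Shopping documentation or installer; the account name, folder paths and the `BUILTIN\Users` fallback identity are placeholders or assumptions for your own environment, and only the group name SHOPPINGCONSOLESMSUSERS comes from the text.

```powershell
# Added check script; not part of the 1E Shopping documentation.
# Account, paths and group names below are placeholders for your environment.
param(
    [string]$ServiceAccount = 'CONTOSO\svc-shopping',             # placeholder
    [string]$InstallDir     = 'C:\Program Files\1E\Shopping',     # placeholder (INSTALLDIR)
    [string]$LogPath        = 'C:\ProgramData\1E\Shopping\Logs',  # placeholder (LOGPATH)
    [string]$DbAccessGroup  = 'SHOPPINGCONSOLESMSUSERS'           # group named in the requirements
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Resolve the account to a SID once; the user-rights export below lists SIDs rather than names.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Local admin rights on the Shopping server (direct membership only; nested groups are not expanded).
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
Add-Result 'Local Administrators member' ($admins -icontains $ServiceAccount) ($admins -join ', ')

# 2. NTFS rights: $true when the Allow ACEs for any of the identities together cover $Required.
#    Generic rights (GENERIC_*) on inherit-only ACEs are not mapped and show up as large raw values.
function Test-NtfsRight {
    param([string]$Path, [string[]]$Identities, [System.Security.AccessControl.FileSystemRights]$Required)
    $granted = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $Identities -icontains $ace.IdentityReference.Value) {
            $granted = $granted -bor [int]$ace.FileSystemRights
        }
    }
    return (($granted -band [int]$Required) -eq [int]$Required)
}
# A default install grants these rights through the local Users group, so accept either identity.
$ids = @($ServiceAccount, 'BUILTIN\Users')
Add-Result 'Install folder ReadAndExecute' (Test-NtfsRight $InstallDir $ids ReadAndExecute) $InstallDir
Add-Result 'Log folder FullControl'        (Test-NtfsRight $LogPath    $ids FullControl)    $LogPath

# 3. "Deny log on locally" (SeDenyInteractiveLogonRight) from a secedit export of user-rights assignments.
#    secedit writes UTF-16, and entries are "*<SID>" or account names separated by commas.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$denyLine = (Select-String -Path $inf -Pattern '^SeDenyInteractiveLogonRight' -Encoding Unicode |
             Select-Object -First 1).Line
Remove-Item $inf -ErrorAction SilentlyContinue
$denied = [bool]($denyLine -and (($denyLine -match [regex]::Escape("*$sid")) -or
                                 ($denyLine -match [regex]::Escape($ServiceAccount))))
Add-Result 'Deny log on locally applied' $denied ([string]$denyLine)

# 4. Membership of the Configuration Manager Database Access group (needs the ActiveDirectory RSAT module).
try {
    $sam     = $ServiceAccount.Split('\')[-1]
    $members = Get-ADGroupMember -Identity $DbAccessGroup -Recursive | Select-Object -ExpandProperty SamAccountName
    Add-Result "Member of $DbAccessGroup" ($members -icontains $sam) ($members -join ', ')
} catch {
    Add-Result "Member of $DbAccessGroup" $false "Could not query AD: $($_.Exception.Message)"
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

Run it in an elevated session on the Shopping server after installation, or after changing INSTALLDIR or LOGPATH; a non-zero exit code flags at least one unmet requirement, and the Detail column shows what was actually found so the gap can be corrected rather than guessed at.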

Object Security requirements

Access to the Shopping Central database

The Shopping Central service requires access to the Shopping database. db_owner permissions are configured automatically during installation of Shopping Central.

Access to the SCCM Site’s SMS Provider

The Shopping Central service requires read-write access to the “SMS Provider” on the SCCM CAS.

During installation of Shopping Central, the installer adds the necessary permissions in the SCCM Admin Console.

Access to the SCCM Site’s database

During installation of Shopping Central, the installer adds the necessary permissions in the SCCM Central SQL database in order for the service to function.

During installation of Shopping Central, the MSI installer adds the necessary permissions in the SCCM Admin Console, but the service account must be added to the local “SMS Admins” group separately.

If the SQL Server is using a non-standard port, the SMSDBPORT switch must be specified during installation, or a SQL Alias used.

SMTP service

The Shopping Central service must be able to send mail through the attached SMTP mail gateway or service.

If the SMTP gateway is configured to reject mail from a non-existent sender address, then it is necessary to configure the Shopping service account with an email address.

AD integration groups

The Shopping Central service requires write access to Shopping “AD Integration” groups.

Access rights can be granted to the Shopping Central service account, or to an AD group it is a member of, using either of the following methods or a mixture of both:

  • grant AD permissions to individual AD security groups

  • grant AD permissions on an OU containing AD Security Groups, and enable the Shopping Admin Console setting Allow Implicit Access For AD Integration.
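Both methods can be delegated with a least-privilege rule that grants only write access to the `member` attribute of group objects, rather than Full Control, so that the service account can maintain group membership but cannot create, delete or otherwise alter the groups. The following is an added example for this page, not code from 1E or the Shopping installer; it requires the ActiveDirectory RSAT module (for the `AD:` drive), and the OU, group and account names are placeholders. The two schema GUIDs are the well-known identifiers of the `member` attribute and the `group` object class.

```powershell
# Added example; not part of the 1E Shopping documentation.
# Delegates write access to the 'member' attribute of groups, either on one group
# (method 1) or on an OU so that descendant groups inherit it (method 2).
Import-Module ActiveDirectory

# Well-known schema GUIDs (identical in every AD forest).
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attribute: member
$GroupClassGuid      = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # object class: group

function Grant-GroupMemberWrite {
    param(
        [Parameter(Mandatory)][string]$TargetDn,   # DN of one group, or of an OU containing groups
        [Parameter(Mandatory)][string]$Delegate,   # 'DOMAIN\account' or 'DOMAIN\group'
        [ValidateSet('Group','OU')][string]$Scope = 'Group'
    )
    # Store the rule by SID so it survives account renames.
    $sid = ([System.Security.Principal.NTAccount]$Delegate).Translate(
               [System.Security.Principal.SecurityIdentifier])
    if ($Scope -eq 'OU') {
        # Method 2: rule on the OU, inherited only by descendant objects of class 'group'.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $MemberAttributeGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $GroupClassGuid)
    } else {
        # Method 1: rule on a single group object, no inheritance.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $MemberAttributeGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    }
    $path = "AD:\$TargetDn"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Shows the ACEs held by the delegate on a target, for review after the change.
function Get-DelegateAces([string]$TargetDn, [string]$Delegate) {
    (Get-Acl -Path "AD:\$TargetDn").Access |
        Where-Object { $_.IdentityReference.Value -ieq $Delegate } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

# Usage with placeholder names. Either delegate per group ...
Grant-GroupMemberWrite -TargetDn 'CN=Shopping-App-Office,OU=Shopping Groups,DC=contoso,DC=com' `
                       -Delegate 'CONTOSO\svc-shopping'
# ... or once on the OU, then enable "Allow Implicit Access For AD Integration" in the Shopping Admin Console.
Grant-GroupMemberWrite -TargetDn 'OU=Shopping Groups,DC=contoso,DC=com' -Delegate 'CONTOSO\svc-shopping' -Scope OU
Get-DelegateAces       -TargetDn 'OU=Shopping Groups,DC=contoso,DC=com' -Delegate 'CONTOSO\svc-shopping'
```

Scoping the rule to `WriteProperty` on `member` for class `group` means that even if the service account is misused, it can only change membership of groups under that OU; it gains no rights over users, computers or other objects placed there later, which is the reason to prefer this over delegating Full Control on the OU.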

Local Server NTFS

The Shopping Central service requires NTFS “read” access to the Shopping install folder and “modify” access to the log file folders. This is achieved using the “Users” local group.

Shopping Receiver service account

If you use Shopping's ConfigMgr integration, you will need at least one Shopping Receiver.

  • Each Receiver needs a service account, which can be either a dedicated or shared domain user account or Network Service.

  • We recommend restricting the account with Deny logon locally.

  • The Receiver is installed on each ConfigMgr Site server, and the service account must have local admin rights on the Site server.

    • At the very least, it must have read access to the binaries and full permissions to the Receiver log folders.

    • If you upgrade the Shopping Receiver with a different service account, it must have Read/Write permissions to %SystemDrive%\ProgramData\1E or ~All Users\1E.

  • Must have permissions in the Configuration Manager Console and its SQL database, depending on the version of Configuration Manager, as described above in Microsoft Endpoint Configuration Manager requirements.

  • Installation of Shopping Central requires details of the Receiver service account or an AD Security group containing Receiver service accounts, so that Receivers can access the Central web service:

    • A shared service account can be used if all Receivers use the same account, and an AD group is not required.

    • A domain security group must be used if each Receiver has its own service account or uses Network Service; those accounts must be members of this group.

    • We recommend using a domain security group if other services need access to the Central web service. For example if Shopping API scripts are used by OSD Task Sequences, then the group should include the Configuration Manager Network Access account. This security group should be Universal, but can be global if only one domain is involved.

      A key design decision is whether Shopping Receivers should use a single shared service account, individual service accounts, or Network Service. Either way, to allow new accounts to be added or existing accounts to be changed more easily, we recommend you include the Receiver accounts in an AD Security Group and use this group when granting access to each of the following:

      • Administrators localgroup on the local Configuration Manager site server where the Receiver will be installed.

      • Configuration Manager security role as described above in Microsoft Endpoint Configuration Manager requirements.

      • In the Shopping Central installer's Service Account screen.

Object Security requirements

Access to Shopping Central Web Services

The Shopping Receiver services connect to the Shopping Central Web Site using HTTP and are validated against the (RECEIVERACCOUNT) account/group specified during installation of Shopping Central.

Using a group is recommended in order to simplify configuration and grant access to necessary objects. This is described in section 3.7.9 below.

Access to the associated SCCM Site’s SMS Provider

The Shopping Receiver service requires read-write access to the “SMS Provider” on the associated SCCM Site servers. This is achieved by creating a “1E Shopping Receivers” role for the (RECEIVERACCOUNT) group.

Access to the associated SCCM Site’s SQL Server

During installation of Shopping Receivers, the installer grants db_datareader permissions in the SCCM SQL database in order for the Receiver service to function.

If the SQL Server is using a non-standard port, the SMSDBPORT switch must be specified during installation, or a SQL Alias used instead.
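The database roles the installers grant (db_owner on the Shopping database for Shopping Central, db_datareader on the site database for each Receiver) can be confirmed from SQL Server's own catalog views. The function below is an added check for this page, not part of the 1E Shopping documentation; it uses Windows authentication as the caller, queries `sys.database_role_members` with a parameterised statement, and accepts an explicit port for the non-standard-port case. Server, database and account names are placeholders.

```powershell
# Added check; not part of the 1E Shopping documentation.
# Returns the database roles held directly by a Windows login in one database.
# Note: if the account holds a role through a Windows group, the group (not the
# account) is the database principal, and this query will not show it.
function Get-DatabaseRoles {
    param(
        [Parameter(Mandatory)][string]$Server,    # e.g. 'SQL01' or 'SQL01\INST' (placeholders)
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$Account,   # 'DOMAIN\account' as it appears in sys.database_principals
        [int]$Port = 0                            # non-default port (the SMSDBPORT case); 0 = default or SQL Alias
    )
    $dataSource = if ($Port -gt 0) { "$Server,$Port" } else { $Server }
    $cs = "Server=$dataSource;Database=$Database;Integrated Security=SSPI"

    $query = @"
SELECT r.name AS RoleName
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @Account
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@Account', $Account)   # parameterised; the name is never spliced into SQL

    $roles = @()
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $roles += $reader.GetString(0) }
    } finally {
        $conn.Dispose()
    }
    return $roles
}

# Usage with placeholder names.
$central = Get-DatabaseRoles -Server 'SQL01' -Database 'Shopping' -Account 'CONTOSO\svc-shopping'
'Shopping DB db_owner for Central service account: {0}' -f ($central -contains 'db_owner')

$site = Get-DatabaseRoles -Server 'CMSQL01' -Port 1444 -Database 'CM_P01' -Account 'CONTOSO\svc-shopping-rx'
'ConfigMgr DB db_datareader for Receiver account:  {0}' -f ($site -contains 'db_datareader')
```

Running this against the site database is also a quick way to spot over-provisioning: a Receiver account that shows up as db_owner or sysadmin has more than the installer grants and should be trimmed back to db_datareader.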

Local Server NTFS

The Shopping Receiver service requires NTFS “read” access to the Shopping install folder and “modify” access to the log file folders. This is achieved using the “Users” local group.