How to run the Symantec Mail Security for Microsoft Exchange (SMSMSE) service account as LOCAL SYSTEM instead of a Windows domain account on Exchange 2010 Mailbox role or an 2013/2016 Exchange Server
Last Updated October 09, 2018
During installation of SMSMSE on an Exchange 2010 server with the Mailbox role or an Exchange 2013/2016 server, the installer prompts for a Windows service account. The installer configures the Windows service Symantec Mail Security for Microsoft Exchange to run as this service account. Some organizations do not want to run Windows services as domain accounts for security reasons or because of Windows Domain password reset requirements.
NOTE: Installing SMSMSE on an Exchange server without the Mailbox role does not require a Windows service account. The SMSMSE services run as LOCAL SYSTEM.
Use the following steps to configure the SMSMSE service to run as the LOCAL SYSTEM account:
1. Ensure SMSMSE is installed correctly and entering a Windows domain account when prompted by the SMSMSE installer. 2. Give the LOCAL SYSTEM account Exchange Application Impersonation permission to the Exchange Mailbox.
Open the Exchange Management Shell and use the following command:
The following screenshot shows an example with the computer name WINDOWS2008-0:
3. Confirm DWORD value "IsUsingLocalSystemAccount" is created in the registry.
a. Open the registry editor (Start>Run>regedit.exe) b. Navigate to: SMSMSE 7.9.x or newer: HKLM\SOFTWARE\Symantec\SMSMSE\<version>\Server SMSMSE 7.5.x or earlier: HKLM\SOFTWARE\Wow6432Node\Symantec\SMSMSE\<version>\Server c. In the right-pane locate "IsUsingLocalSystemAccount" and confirm the value is 1 d. If the value does not exist. Create a new DWORD value "IsUsingLocalSystemAccount" and set value to 1 e. Close the registry editor.
4. Set the windows service SMSMSE to run as the LOCAL SYSTEM account.
a. Open the services control panel. b. Right click on the service Symantec Mail Security for Microsoft Exchange and select Properties. c. Click on the Log on tab. d. Select the Local System account radio option. e. Click the OK button.
5. Restart the windows service Symantec Mail Security for Microsoft Exchange. 6. Remove the original Windows service account used from the Exchange Organization Management group.
a. Open the Active Directory Users and Computers MMC (Start|Administrative Tools|Active Directory Users and Computers). b. Click the tree item Active Directory Users and Computers|<domain name>|Microsoft Exchange Security Groups to display the Exchange security groups (<domain name> is the name of the Active Directory domain). c. Double click the group Organization Management to display the Organization Management group properties. d. Click the Members tab to display the users in the group. e. Click the Windows service account used for the SMSMSE installation and click the Remove button. f. Click Yes at the confirmation dialog. g. Click OK to close the Organization Management group properties.