Control Compliance Suite (CCS) has a requirement for the service account to have the logon locally permission.
You want to remove this requirement so that the service account does not require the logon locally permission.
If you select the Use Windows NT Integrated Security option to connect to the CCS Databases, the following components of Control Compliance Suite impersonate the Symantec Application Server Service account to connect to a database:
CCS manager in Data Evaluation role
CCS manager in Reporting role
CCS manager in External Data Connector role
For this user impersonation, the AllowLog on Locally permission is required. As per the industry best practices, the Log on Locally permission on a service account is not recommended. The customer requirement is to remove the dependency on the Log on Locally permission.
Apply this fix to meet the customer requirement. In this fix, the dependency on the Log on Locally permission in user impersonation is removed.
For this fix to work, follow these steps:
Upgrade your Control Compliance Suite deployment from v12.0 to v12.0.1
Apply QF 10104 and then this fix.
Remove the Log on Locally permission assigned to the Symantec Application Server Service account.
Assign the Log on as a batch job permission to the Symantec Application Server Service account in a local policy or a group policy
Following are details regarding Quick fix:
Prerequisite: Before you apply Quick fix, make sure that you have installed CCS 12.0.1 with SCU 2017-3 and QF 10104 (Assembly Verifier fix).
Quick fix Contents: Following binaries are included in this: