The Run As service account needs permissions that allow it to modify files and registry settings. In addition, because the Run As service account is used as the security context for the Tableau Server Application Manager service (tabsvc), the account must also be given rights to log on as a service.
These permissions are set automatically when you update the Run As service account in Tableau Server Configuration as described in the topic, Change the Run As Service Account.
If you have changed the Run As service account, then we recommend revoking the permissions for the previous account. See Revoke Run As Service Account Permissions.
The account you use for the Run As service account should not be a member of the Local Administrators or Domain Administrators groups. Instead, we recommend using a domain user account that is not an administrator for the Run As service account. Using a domain account that is not a member of these administrator groups is a good security practice and helps limit the account's access to certain data sources and folders. For information on best practices when creating a Run As service account, see Creating the Run As service account.
If you have recently changed the Run As service account or are getting permission errors, use this section to confirm that Tableau Server meets the permission requirements that are detailed here. If you're running a distributed installation, all Run As service account permission configurations must be the same across all nodes.
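One way to check these requirements on a node, as an added example (not Tableau's own tooling): the script reads the account that the service runs as, tests direct membership in the local Administrators group, and looks for a direct "Log on as a service" grant. It assumes the Windows service name is `tabsvc` as given above and an elevated prompt; Domain Administrators membership and grants inherited through groups are not checked.

```powershell
# Added example: audit the Run As service account on the local node.
# Run from an elevated prompt (secedit /export requires it).
# Assumption: the Windows service name is 'tabsvc', as named on this page.
param([string]$ServiceName = 'tabsvc')

function Resolve-Sid([string]$Name) {
    # Translate an account name to its SID string.
    ([System.Security.Principal.NTAccount]$Name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on $env:COMPUTERNAME" }
$account = $svc.StartName
# Local accounts are stored as .\name; expand the dot to the computer name.
$sid = Resolve-Sid ($account -replace '^\.\\', "$env:COMPUTERNAME\")

# Direct members of BUILTIN\Administrators (well-known SID S-1-5-32-544).
# Membership through a nested domain group is not expanded here.
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.SID.Value })

# Export user rights assignments and read the "Log on as a service" holders.
$cfg = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg -Force

$hasRight = $false
if ($line) {
    foreach ($holder in ($line.Line -split '=', 2)[1].Split(',')) {
        $h = $holder.Trim().TrimStart('*')    # SIDs are written as *S-1-...
        if ($h -notmatch '^S-1-') {
            try { $h = Resolve-Sid $h } catch { continue }
        }
        if ($h -eq $sid) { $hasRight = $true }
    }
}

[pscustomobject]@{
    Node                  = $env:COMPUTERNAME
    RunAsAccount          = $account
    InLocalAdministrators = $adminSids -contains $sid
    HasLogOnAsService     = $hasRight
}
```

Run it on every node of a distributed installation and compare the rows; the configuration described here corresponds to `InLocalAdministrators` being False and `HasLogOnAsService` being True, with the same `RunAsAccount` on each node.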
Note: Do not hide the files created by the Tableau Server installer.