Verify the Local Security Policy
After you specify a Run As service account in Tableau Services Manager (as described in the topic, Change the Run As Service Account), TSM will update the local security policy on the computer running Tableau Server. TSM will update the local security policy to give "log on as a service" and "log on locally" permissions to the Run As service account. This elevated policy is required because the Run As service account is used as the security context for the Tableau Server Application Manager service (tabsvc).
Note: If the Run As service account that you specify in TSM is a member of the local administrators or a domain administrator, then TSM may not update the local security policy. Updating the Run As service account with an account that is a member of local administrators or domain administrators is not a good security practice. We recommend using a domain User account for the Run As service account.
In some cases, you may need to manually set security policy for your Run As service account. For example, some organizations run Windows Group Policy that remove "Log on as a service" or "Allow log on locally" rights that have been set on user accounts. Or an organization may run a policy that creates a permission conflict by specifying "Deny log on as a service." If your organization does this, then you will need to disable or edit such Group Policies so that your Run As service account is not affected. For details on best practices when creating a Run As service account, see Creating the Run As service account.
The following procedure describes how to configure security policies, Log on as a service and Allow log on locally, manually. You can also use the procedure below to verify that your Run As service account is appropriately configured with local security policy rights. For example, you should verify that the Run As service account is not specified on the Deny log on as a service policy.
If you are running a distributed installation, then configuration must be the same across the initial and all additional nodes.
To verify or update the local security policy:
-
Select Start > Control Panel > Administrative Tools > Local Security Policy.
-
In Local Security Policy, open Local Policies, select User Rights Assignments.
To verify or set Log on as a service policy:
- Right-click Log on as a service policy and then click Properties.
- In Log on as a service Properties , click Add User or Group.
-
Type the
<domain>\<username>
for the Tableau Server Run As service account (for example:MYCO\tableau_server
), and click Check Names. - When the account resolves correctly, it is underlined. Click OK.
To verify or set Allow log on locally policy:
- Right-click Allow log on locally policy and then click Properties.
- Verify that the Run As service account is specified. If it is not, follow the procedure above to add the Run As service account.
To verify Run As service account is not specified in the Deny log on as a service policy:
- Right-click Deny log on as a service policy, and then click Properties.
- In Deny log on as a service Properties , verify that the Run As service account is not listed. If it is, remove it. When you are finished, click OK.
-
Click OK to close the Local Security Settings windows.