Using a domain service account for the internet control module (on Windows platforms)
Last modified on 24 November 2010 03:46 PM

Using a domain service account for the internet control module (on Windows platforms)

If the Internet Control Module is enabled then PaperCut will need to install a system service running with additional privileges. The internet control configuration wizard will request a username and password for an account with the required additional privileges. For the simplest setup we recommend adding a new administrator account with the password set to "never expire".

The service does not require "Administrator" level access. By default we recommend creating an account with administrator level access as this guaranteed to work with every network setup. Strictly speaking you can get away with less if you know what you’re doing. The service account requires at a minimum:

  1. Logon as a service rights
  2. Read-write access to files in the installation directory
  3. Read access to the proxy server logs
  4. Rights to Modify the membership of a group on the nominated internet control group specified during the configuration wizard

These rights can be delegated to the selected account to avoid the need for full domain administrator access.

It’s also worth mentioning that we do our best to minimize the amount of code running under the privileged account. We use the notion of privilege separation and confine the code that does not require escalated access. PaperCut does this by installing two services each running under different rights. Most operations such as the print monitoring, automatic quota allocation and maintenance tasks run under the SYSTEM account, while the net charging/quota code that needs to move users in and out of the nominated group runs under the privileged service account.