Verify the Local Security Policy
After you specify a Run As User account in Tableau Server Configuration (as described in the topic, Create and Update the Run As User Account), a background process (tabconfig) will update the local security policy on the computer running Tableau Server. Tabadmin will update the local security policy to give "log on as a service" permissions to the Run As User account. This elevated policy is required because the Run As User is used as the security context for the Tableau Server Application Manager service (tabsvc).
Note: If the Run As User account that you specify in Tableau Server Configuration is a member of the local administrators or a domain administrator, then tabadmin may not update the local security policy. Updating the Run As User with an account that is a member of local administrators or domain administrators is not a good security practice. We recommend using a domain User account for the Run As User.
In some cases, you may need to manually set security policy for your Run As User. For example, some organizations run Windows Group Policy that remove "Log on as a service" rights that have been set on user accounts. Or an organization may run a policy that creates a permission conflict by specifying "Deny log on as a service." If your organization does this, then you will need to disable or edit such Group Policies so that your Run As User account is not affected.
The following procedure describes how to configure security policy, Log on as a service, manually. You can also use the procedure below to verify that your Run As User is appropriately configured with local security policy rights. For example, you should verify that the Run As User account is not specified on the Deny log on as a service policy.
If you are running a distributed installation, then configuration must be the same across the primary and all worker nodes.
To verify or update the local security policy:
Select Start > Control Panel > Administrative Tools > Local Security Policy.
In Local Security Policy, open Local Policies, select User Rights Assignments.
To verify or set Log on as a service policy:
- Right-click Log
on as a service policy and then click Properties.
- In Log on as a service Properties , click Add User or Group.
<domain>\<username>for the Tableau Server Run As User account (for example:
MYCO\tableau_server), and click Check Names.
- When the account resolves correctly, it is underlined. Click OK.
To verify Run As User account is not specified in the Deny log on as a service policy:
- Right-click Deny log on as a service policy, and then click Properties.
- In Deny log on as a service Properties , verify that the Run As User account is not listed. If it is, remove it. When you are finished, click OK.
- Right-click Log on as a service policy and then click Properties.
Click OK to close the Local Security Settings windows.