Was this page helpful?
Yes No
Tableau Help > Tableau Server on Windows Help > 

Tableau Server on Windows now includes Tableau Services Manager (TSM), which replaces the Configuration Utility and the command line tool. If you need help for an earlier version of Tableau Server, see the Tableau Help page.

Verify the Local Security Policy

After you specify a Run As service account in Tableau Server Configuration (as described in the topic, Create and Update the Run As Service Account), a background process (tabconfig) will update the local security policy on the computer running Tableau Server. Tabadmin will update the local security policy to give "log on as a service" permissions to the Run As service account. This elevated policy is required because the Run As service account is used as the security context for the Tableau Server Application Manager service (tabsvc).

Note: If the Run As service account that you specify in Tableau Server Configuration is a member of the local administrators or a domain administrator, then tsm may not update the local security policy. Updating the Run As service account with an account that is a member of local administrators or domain administrators is not a good security practice. We recommend using a domain User account for the Run As service account.

In some cases, you may need to manually set security policy for your Run As service account. For example, some organizations run Windows Group Policy that remove "Log on as a service" rights that have been set on user accounts. Or an organization may run a policy that creates a permission conflict by specifying "Deny log on as a service." If your organization does this, then you will need to disable or edit such Group Policies so that your Run As service account is not affected.

The following procedure describes how to configure security policy, Log on as a service, manually. You can also use the procedure below to verify that your Run As service account is appropriately configured with local security policy rights. For example, you should verify that the Run As service account is not specified on the Deny log on as a service policy.

If you are running a distributed installation, then configuration must be the same across the initial and all additional nodes.

To verify or update the local security policy:

  1. Select Start > Control Panel > Administrative Tools > Local Security Policy.

  2. In Local Security Policy, open Local Policies, select User Rights Assignments.

    To verify or set Log on as a service policy:

    1. Right-click Log on as a service policy and then click Properties.

    2. In Log on as a service Properties , click Add User or Group.
    3. Type the <domain>\<username> for the Tableau Server Run As service account (for example: MYCO\tableau_server), and click Check Names.
    4. When the account resolves correctly, it is underlined. Click OK.

    To verify Run As service account is not specified in the Deny log on as a service policy:

    1. Right-click Deny log on as a service policy, and then click Properties.
    2. In Deny log on as a service Properties , verify that the Run As service account is not listed. If it is, remove it. When you are finished, click OK.
  3. Click OK to close the Local Security Settings windows.