Service Account Requirements on the WISdom Host
The following requirements apply to the machine hosting the WISdom services to ensure optimal performance and security.
Windows Account
- Service Account Type: The service account must be a Windows account, ideally a domain account or a group managed service account (gMSA). This setup enhances security and manageability across multiple systems.
- Recommendation: Use this service account for all data collections to maintain consistency and simplify management. Refer to the collection requirements below for more details.
Log on as Service Permissions
- Permission Requirement: The account must have the "Log on as a Service" permission. This is essential for the account to run as a Windows service, enabling WISdom to operate as intended.
Local Administrator Privileges
- Administrative Access: The account must have local administrator privileges on the server hosting the WISdom service. These permissions are crucial for ensuring that the WISdom Collection service can:
- Access necessary system resources.
- Perform required operations without restrictions.
- Maintain the integrity and efficiency of data collection processes.
Security Best Practices
- Ensure the service account follows security best practices, such as using strong passwords and regular password updates.
- Limit the service account's permissions to only what is necessary for its role to enhance security.
- Use a Group Managed Service Account (gMSA) where possible.
Account Type Options for the Service Account
For optimal security and management of accounts and passwords, we strongly recommend using a Group Managed Service Account (gMSA) to run the WISdom Collection Service, in line with Microsoft's best practices.
If a gMSA account is not available, you may use a domain account to run the service. While this is recommended, it is not mandatory.
Alternatively, a local Windows account may be used to run the service. However, please note that in this case, all Instances must be configured with a credential set up in the WISdom UI and assigned.
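A prerequisite check for the host requirements above (local administrator membership, "Log on as a Service", and gMSA usability), as an added example that is not part of the WISdom product or its documentation. The account name `CONTOSO\svc-wisdom$` is a placeholder, and the script assumes an elevated PowerShell session on the WISdom host; the gMSA test runs only if the ActiveDirectory module is installed.

```powershell
# Added example: checks the service account prerequisites on the WISdom host.
# The default account name is a constructed placeholder; a gMSA name ends with '$'.
param(
    [string]$Account = 'CONTOSO\svc-wisdom$'
)

$result = [ordered]@{ Account = $Account }

# Resolve the account to a SID so comparisons do not depend on name formatting.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 1. Local administrator privileges: BUILTIN\Administrators has the well-known SID S-1-5-32-544.
#    Only direct members are compared; membership through a nested domain group is not expanded.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
$result['LocalAdministrator'] = [bool]($admins | Where-Object { $_.SID.Value -eq $sid })

# 2. "Log on as a service" is the SeServiceLogonRight user right. Export the effective
#    local security policy and read the holders of that right.
$cfg = Join-Path $env:TEMP 'wisdom-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
Remove-Item $cfg -Force

# Holders are listed as '*<SID>' or as plain account names, separated by commas.
$holders = if ($line) { ($line -split '=', 2)[1].Split(',').Trim().TrimStart('*') } else { @() }
# Direct assignment only: a right granted through a group the account belongs to is not detected.
$result['LogOnAsService'] = ($holders -contains $sid) -or ($holders -contains $Account)

# 3. If the name looks like a gMSA, confirm this host is allowed to retrieve its password.
if ($Account.EndsWith('$') -and (Get-Command Test-ADServiceAccount -ErrorAction SilentlyContinue)) {
    $result['GmsaUsableOnHost'] = [bool](Test-ADServiceAccount -Identity $sid)
}

[pscustomobject]$result
```

A `False` in any column means the corresponding requirement is not met for that account on this host, or is met only indirectly through a group.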
Collection Requirements
Collection Account Options
Monitoring Service Account
- Recommended Method: Ideal for collecting Windows and SQL Server metrics.
Secondary Windows Account(s)
- Secondary accounts may be used to collect data from SQL and Windows.
- The options for secondary accounts are:
- Active Directory Integrated Accounts
- Microsoft Entra ID (formerly Azure Active Directory)
Impersonate Windows Account
- Use this account type only when absolutely necessary, because it may not succeed in all cases.
SQL Authentication Account
- Using a SQL Authenticated account will result in the Windows Monitoring metrics (WMI) not being collected.