ITP/Server Account

It is recommended to create a dedicated (service) account which is used to install and run the ITP/Server application. Using a dedicated account will ensure that all ITP/Document Processors can access their common configuration file and that the ITP/Document Processor Manager can update the configuration file. Because ITP/Server operates in an unattended configuration this account should not expire or have a password expiration set.

It is strongly recommended to add the account to the Local Administrators group on the server(s) where ITP/Server and the ITP/Document Processors are installed. On a default <mswin> install members of the Local Adminstrator group should have all necessary rights and access privileges described below.

If ITP/Server should have access to network resources it is strongly recommended to use a domain account and grant this account access to all resources on remote servers.

Detailed rights requirements

If security policies prohibit the creation of domain accounts or security policies have restricted the default rights assigned to the Local Administrators group the following rights should be assigned to the ITP/Server account:

• No password expiration.
• Read and Execute rights on the content of the (local) install folder.
• The right to access the network.
• The right to run as a NTService.
• Reading rights on the folder ITPWORK of the ITP/Server setup.
• Write rights on the (local) temp and log folders.
• Write rights on the session folder.
• The right to start and stop NTServices.
• All rights associated with the tasks the ITP/Document Processors can perform.

Any account used to run the ITP/Server Administrator must also have the following rights:

• Read and Write rights to the folder ITPWORK of the setup.
• Read and Write rights to the Registries of the servers it will administrate.
• The right to create NTServices.
• The right to start and stop NTServices.

Rights required to start Microsoft Word

The ITP/Server account must be authorized to activate Microsoft Word through DCOM automation. On a default Microsoft Windows and Microsoft Word installation the Local Administrators group is granted this right.

If security policies prohibit the use of a local Administrator account or if the server has been locked down the following rights must be granted explicitly to the ITP/Server account.

For the 'Microsoft Office Word 97 - 2003 Document' DCOM Component (use DCOMCNFG to set this):

• Launch and Activation Permissions : Local Launch permission and Local Activation permission
• Access Permissions : Local Access permission
• Configuration Permissions : Full Control

Additional rights for Microsoft Word 2007 and later

Microsoft Word 2007 and later versions requires the ITP/Server account to have some additional access rights when accessing documents from a remote server.

• Read rights on the Default User's Temporary Internet Files directory.
• Modify rights on the 'Content.Word' directory therein.

In a default Microsoft Windows installation this is directory C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.Word.
Note that some of the directories in this path have the Hidden attribute and are by default not visible in the Microsoft Windows Explorer.

Distributed local account alternative

If security policies prohibit the creation of a domain wide user with a non-expiring password, you can also create a local user on all servers where the programs require access and give all those users the same password which does not expire. Use this user to install ITP/Server and replace the domain with a dot (.) in this dialog.