Service Accounts
By default, JAMS services run under the LocalSystem account, but they can be changed to run under a Windows domain-based account. See Change the Account Running JAMS for more information.
In general, it is recommended that you leave the JAMS Executor and JAMS Agent services running under LocalSystem. These services require access to the database or network and require the privileges associated with the LocalSystem account.
Use the Service Control application to change the account for the JAMS Scheduler and JAMS Server services in order to control network and database access.
When modifying the account, you may need to adjust the security settings on:
- C:\Program Files\MVPSI\JAMS\Scheduler folder
- C:\Program Files\MVPSI\JAMS\Scheduler\JAMSScheduler.log
- MSMQ jamsrequests and jamsrequestssubmitcancel private queues
- JAMS Database
You need to modify the security on the MSMQ private queues to grant the domain account full access to the queue. This may require you to take ownership of the MSMQ queue.
The following local security policies should also be granted for the domain-based account:
- Log on as a batch job
- Log on as a service
- Adjust memory quotas for a process
- Bypass traverse checking
- Replace a process level token
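One way to check these five rights on the JAMS server after assigning them, as an added example that is not part of the JAMS documentation. The account name CONTOSO\svc-jams is a constructed placeholder, and the script only reports rights granted to the account directly, not those inherited through group membership.

```powershell
# Added example: audit the local user rights listed above for a service account.
# Run from an elevated prompt; secedit needs administrative rights to export policy.
param([string]$Account = 'CONTOSO\svc-jams')   # constructed placeholder account

# Policy display name -> privilege constant used in the security policy export
$required = [ordered]@{
    'Log on as a batch job'              = 'SeBatchLogonRight'
    'Log on as a service'                = 'SeServiceLogonRight'
    'Adjust memory quotas for a process' = 'SeIncreaseQuotaPrivilege'
    'Bypass traverse checking'           = 'SeChangeNotifyPrivilege'
    'Replace a process level token'      = 'SeAssignPrimaryTokenPrivilege'
}

# Resolve the account to its SID; the export lists most holders as *S-1-5-...
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights section of the effective local policy
$cfg = Join-Path $env:TEMP "user_rights_$PID.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    $lines = Get-Content $cfg
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

foreach ($name in $required.Keys) {
    $const = $required[$name]
    $line  = $lines | Where-Object { $_ -match "^$const\s*=" }
    # Holders are comma-separated; SIDs carry a leading '*', unresolved names do not
    $holders = if ($line) {
        ($line -split '=', 2)[1].Split(',').Trim().TrimStart('*')
    } else { @() }
    [pscustomobject]@{
        Right           = $name
        Constant        = $const
        GrantedDirectly = ($holders -contains $sid) -or ($holders -contains $Account)
    }
}
```

A right showing False may still be held through a group such as Everyone or Users (Bypass traverse checking usually is), so confirm those cases in the Local Security Policy console before granting the right again.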
If the domain-based user account is not in the Administrators group, create an Active Directory group, add the user to the group, and make the following change in the Common.config file located in the Program Files\MVPSI\JAMS\Scheduler directory:
<add key="AuthorizedGroup" value="domain\YourGroup"/>