This question came up from a customer who was looking to install CWA without having to be a member of the Domain Admins group. The documentation and the GUI say that you need to be a member of the Domain Admins group, but what do we really use it for?
We use the Domain Admins group to give us the necessary rights to create the CWAService account and to configure it for use with CWA. Let’s walk through an install of CWA and see what we need to do to get CWA installed and activated using a regular user account.
First, the user account needs to be a member of the local Administrators group on the CWA server. This will allow us to install the bits for CWA. We run into our first problem trying to activate CWA. Looking at the log you will see the following:
Create Active Directory Object CN=<GUID> – [0x80070005] Access is denied.
We are getting access denied because the user account isn’t a member of RTCUniversalServerAdmins. This group is used to create the necessary entries in the RTC Service container. After making the user account a member of RTCUniversalServerAdmins and running the activation step again, we run into our next issue:
Create Domain Service Account – [0x80070005] Access is denied.
This is because the user account doesn’t have rights to create the CWAService account in the Users container. This would typically be handled by being a member of the Domain Admins group. There are two ways to correct this issue. We can either give the user account the rights to create an account in the Users container, or we can pre-create the CWAService account using an account that has the proper rights. In this example I am going to pre-create the account. In an enterprise environment this is probably the preferred method, as account creation usually involves a different team. After getting the account created, we run into our last issue with using a regular account. Looking in the log, you will see the following error:
Register SPN – [0x80072098] Insufficient access rights to perform the operation.
We are getting this error because the user account doesn’t have the rights necessary to modify the CWAService account. To fix this, give the user account Write rights on the CWAService account object.
Now running through the activation step will complete successfully and you can complete the rest of the installation steps.
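The four steps above, pulled together as an added PowerShell example (this is not code from the original post or from the CWA product; it needs the ActiveDirectory module and is run by an account that can create users and edit AD ACLs). The domain name CONTOSO, the installer account cwainstaller and the server name CWA01 are placeholders. It also goes one step beyond the post: the post only states that Write rights on the CWAService account are needed, and the optional switch that narrows the grant to the servicePrincipalName attribute is an assumption about what the SPN registration step actually touches, not something the post confirms.

```powershell
# Added example, not part of the original post. Grants a non-Domain-Admin
# installer the rights CWA activation needs, then verifies the ACL.
# Placeholder names (assumptions): CONTOSO, cwainstaller, CWA01, CWAService.
Import-Module ActiveDirectory

$Domain         = 'CONTOSO'
$Installer      = 'cwainstaller'   # regular user who runs setup and activation
$CwaServer      = 'CWA01'          # server that will host CWA
$SvcAccount     = 'CWAService'     # service account we pre-create
$ScopeToSpnOnly = $false           # $true = write only servicePrincipalName (assumption, see lead-in)
$UsersDN        = "CN=Users,$((Get-ADDomain).DistinguishedName)"

# Step 1: local Administrators on the CWA server, so the bits can be installed.
Invoke-Command -ComputerName $CwaServer -ArgumentList "$Domain\$Installer" -ScriptBlock {
    param($acct)
    net localgroup Administrators $acct /add | Out-Null
}

# Step 2: RTCUniversalServerAdmins, so activation can write to the RTC Service
# container (otherwise "Create Active Directory Object ... Access is denied").
Add-ADGroupMember -Identity 'RTCUniversalServerAdmins' -Members $Installer

# Step 3: pre-create CWAService with a privileged account, so the installer
# needs no create-child rights in the Users container
# (otherwise "Create Domain Service Account ... Access is denied").
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -Path $UsersDN `
        -AccountPassword (Read-Host -AsSecureString "Password for $SvcAccount") `
        -Enabled $true -PasswordNeverExpires $true
}

# Step 4: Write rights on the CWAService object, so activation can register
# the SPN (otherwise "Register SPN ... Insufficient access rights").
$svcDN = (Get-ADUser $SvcAccount).DistinguishedName
$sid   = (Get-ADUser $Installer).SID
$acl   = Get-Acl -Path "AD:\$svcDN"

if ($ScopeToSpnOnly) {
    # Look up the schemaIDGUID of servicePrincipalName instead of hardcoding it,
    # and allow WriteProperty on that one attribute only.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $spnAttr  = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
                    -Filter "lDAPDisplayName -eq 'servicePrincipalName'"
    $spnGuid  = [guid]$spnAttr.schemaIDGUID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $spnGuid
} else {
    # What the post describes: Write on the whole CWAService object.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
            [System.Security.AccessControl.AccessControlType]::Allow
}
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$svcDN" -AclObject $acl

# Verify: show the ACEs on CWAService that apply to the installer account.
(Get-Acl -Path "AD:\$svcDN").Access |
    Where-Object { $_.IdentityReference -like "*\$Installer" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

The verification query at the end is the check to run before handing the installer account over: it should list exactly one Allow entry for the installer on CWAService and nothing else. If activation still fails with the narrowed grant, flip $ScopeToSpnOnly back to $false, which is the object-wide Write the post describes.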