The Application User has a normal Windows operating system user account from either the local or network domain, to which the following rules apply:
The user account is required to have direct or indirect membership of the local “Users” group, or its equivalent.
The account name must not contain any blanks.
The account must not have a blank password.
The account password must not contain any blanks.
The Application User account must be a domain account, if any of the following conditions are true:
The application would be accessed by any end-user via a domain user account. The processes running as the Application User need to verify the membership of users in various COM+ Roles. This cannot be done for domain users unless the Application User is also the domain user.
The database is on a different machine to the application.
The RATL/MSMQ protocol is used.
The SOAP/MSMQ protocol is used.
A printer that is to be used is on a different machine to the application.
The protocol adapters are running on a different machine to the application, and the RATL, HUB, RATL/MSMQ, SOAP/MSMQ, or SOAP/HTTP protocol is to be used.
The following processes run under the Application User identity:
The process housing the RATL protocol adapter.
The process housing the RATL/MSMQ protocol adapter.
The process housing the SOAP/MSMQ protocol adapter.
The process housing the SOAP/HTTP protocol adapter.
The process housing the HUB protocol adapter.
The processes housing the applications.
The process housing the generated reports.
The process housing the Report Session Manager.
Application User Account Required Rights and Privileges
The account should not be granted any privileges beyond those specified below.
On all machines:
“Log on as a batch job” is required because some batch processes assume the Application User's identity.
Log on as a service
On the machine hosting the protocol adapters:
“Log on as a service” is required to be able to log on to the gateway services on the machine.
On the machine hosting the databases, when the databases are on a different machine to the applications:
“Access this computer from the network” is required in order to connect to the database remotely.
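One way to check the rule that the account holds no rights beyond those listed above, as an added example that is not part of the original documentation. It parses a `secedit` user-rights export and reports missing and excess rights for the account, using the Windows constants SeBatchLogonRight (Log on as a batch job), SeServiceLogonRight (Log on as a service) and SeNetworkLogonRight (Access this computer from the network). Assumptions: the SID, account name and export text are constructed, the function names are hypothetical, and only rights assigned to the account directly are inspected, not rights inherited through group membership.

```powershell
# Added example. On a real host, create the input with
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# and load it with Get-Content. The text below is a constructed sample.
$sampleText = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
'@
$sampleExport = $sampleText -split '\r?\n'

# Rights whose holder list names the account directly (by SID or by name).
function Get-AssignedRight {
    param([string[]]$ExportLines, [string[]]$Identity)
    $inSection = $false
    foreach ($line in $ExportLines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = $Matches[1] -eq 'Privilege Rights'
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            if ($holders | Where-Object { $_ -in $Identity }) { $right }
        }
    }
}

# Compare against the rights the page lists for this kind of machine.
function Test-AppUserRights {
    param([string[]]$ExportLines, [string[]]$Identity, [switch]$RemoteDatabaseHost)
    $allowed = @('SeBatchLogonRight', 'SeServiceLogonRight')       # all machines
    if ($RemoteDatabaseHost) { $allowed += 'SeNetworkLogonRight' } # database host only
    $assigned = @(Get-AssignedRight -ExportLines $ExportLines -Identity $Identity)
    [pscustomobject]@{
        Missing = @($allowed  | Where-Object { $_ -notin $assigned })
        Excess  = @($assigned | Where-Object { $_ -notin $allowed })
    }
}

# Constructed SID and account name for the Application User.
$appUser = 'S-1-5-21-1111111111-2222222222-3333333333-1105', 'CONTOSO\svc-app'
Test-AppUserRights -ExportLines $sampleExport -Identity $appUser
Test-AppUserRights -ExportLines $sampleExport -Identity $appUser -RemoteDatabaseHost
```

Any right reported under Excess is a direct grant to review against the list above; pass -RemoteDatabaseHost only when auditing the database machine.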
On Windows 10, Windows Server 2016, Windows Server 2019, and later Operating Systems
With Windows 10, Windows Server 2016, Windows Server 2019, and later Operating Systems, the user has to be explicitly added to the COM+ Users Role. Everyone logging in must be in the COM+ Users Role. By default, only the Administrators Group is added, but with Windows 10, Windows Server 2016, Windows Server 2019, and later Operating Systems, only the Administrator version of those users, not the Standard User version, is a member of the Administrators Group. Therefore, no Standard User accounts are added by default into the Users Role.
In earlier versions of Windows, the user was automatically in the Users Role via its membership of the Administrators Group. Non-administrative users still had to be added manually to the Users Role. In Windows 10, Windows Server 2016, Windows Server 2019, and later Operating Systems, this rule still applies, but now everyone is a non-administrative user by default.