I have a service account for our ERP system that is working with a ballooning temp profile. I am looking for advice as to how to prevent this in the future.
Posted on 2016-07-15
I have a Windows Server 2008 R2 Enterprise server that is running our ERP system (Microsoft Axapta 2012 R2). I'm a one-man show, and IT is not supposed to be my primary focus, so I haven't been monitoring the event logs like I wish I were.
We have had some 'flaky' things happening with our ERP system. I attempted to install an update last evening, and the installation completed successfully, but things began to break down from there. Subsequent investigation revealed that some of the installed dlls don't seem to have the security that they should have.
Further investigation showed that one of the key services for the ERP system is running with a temporary profile. It's temp profile is up over 1 GB in size (filled with log files of some kind, maybe... i haven't investigated that yet). My hunch is that because the main service for the ERP is not functioning properly, the install my have had issues.
I can resolve the profile issue by halting services later tonight, removing the profile via the control panel (and the registry) and restarting things. In any event, this is how I would 'fix' the issue if it were a standard user profile issue.
My question is... is this how you would go about resolving an issue with a service account? Do service accounts actually use a windows profile like other accounts? These accounts were set up long before I got here, so I'm really even unsure that they are configured properly.
For example, the ERP service account in question has the following properties:
Member Of: AX SSRS Reports, Domain Users, Windows Authorization Access Group
Profile: Logon script: SBS_LOGIN_SCRIPT.bat (I know this shouldn't be here... i'm told we converted from an SBS environment 5 years ago)
Account: Account options: User cannot change password, password never expires
Security: Permissions look fairly standard, except that there are four 'Account unknowns' with permissions. I cannot remove them without disabling inheritance, and I'm a bit nervous about doing that without fully knowing the repercussions.
I'm reluctant to change much for this account, for fear that anything 'non-standard' may have been added over the years to address problems, but never documented. That being said, I've found enough 'cobbled-together' stuff in this environment that I'm certain the person who was adminning the environment before me didn't fully understand what they were doing in many cases.
Does anyone have some advice on how the service account should actually be set up?
Thanks for your time.