SAP user and groups requirements in the active directory
Today for an SAP installation on Windows in an existing AD domain, some user and groups requirements are mandatory from SAP.
This article gives an overview of the necessary user and groups including the rights and permission.
Domain or local installation:
Before you install the SAP system, you have to decide whether you want to perform a domain or local installation, since this affects how the user account information is stored and accessed.
Domain Installation
In a domain installation, the user account information is stored centrally in one database on the domain controller and is accessible to all hosts in the system.
You have to perform a domain installation if one of the following applies:
- You install a distributed system (strongly recommended to avoid authorization problems).
- You install a high-availability system with WSFC
- You want to use Single Sign-On.
- You use a common transport host for several SAP systems running on different computers.
Local Installation
In a local installation, all Windows account information is stored locally on one host and is not visible to any other hosts in the system.
- If the SAP system is to run on a single machine (central system), you can perform a local installation.
- If your SAP system was installed as a local installation and you want to later change to a domain installation, you must perform a homogeneous system copy.
Normally in a domain installation, the SAPINST tries to create all the necessary users and groups in the AD, but therefore the user which runs the installations needs to be a domain admin user. If this is not possible you have to go for the following steps:
Performing a Domain Installation without Being a Domain Administrator
You normally perform a domain installation of the SAP system with a user who is a member of the domain Admins group, but if for any reason, the account used for the installation is not a member of the domain Admins group, you can perform the installation with a domain user who is a member of the local Administrators group. In this case, the domain administrator has to prepare the system appropriately for you. The domain administrator can perform the following steps either using SAPinst or manually:
(<SAPSID> is the SAP system ID, which identifies the whole SAP system)
- Create the new global group SAP_<SAPSID>_GlobalAdmin.
- Create the two new SAP system users <sapsid>adm and SAPService<SAPSID>.
- Add the users <sapsid>adm and SAPService<SAPSID> to the newly created group SAP_<SAPSID>_GlobalAdmin.
For the SAP installation itself (user, which is running the SAPINST program) you need the following rights (User Rights Assignment in Local Security Policy) on the local server:
- SeTcbPrivilege (Act as part of the operating system)
- SeIncreaseQuotaPrivilege (Adjust memory quotas for a process)
- SeAssignPrimaryTokenPrivilege (Replace a process level token)
The user, which is running the administration, must be a member of the local admin group of the server.
Overview of the operating system users including rights and permission necessary for an SAP Installation:
<sapsid>adm
This is the SAP system administrator account that enables interactive administration of the system.
Is local with the following rights:
- SeTcbPrivilege (Act as part of the operating system)
- SeIncreaseQuotaPrivilege (Adjust memory quotas for a process)
- SeAssignPrimaryTokenPrivilege (Replace a process level token)
- SeServiceLogonRight (Log on as a Service)
-
SAPService<SAPSID>
This is the user account that is required to start the SAP system.
Not member of the local admin group with the following rights:
- SeServiceLogonRight (Log on as a Service)
- SeNetworkLogonRight (Access this computer from the network)
- SeDenyInteractiveLogonRight (Deny Logon Locally and Deny log on through Terminal Services)
- SeRestorePrivilege (Restore files and directories)
sapadm
Not member of the local admin group with the following rights:
- SeNetworkLogonRight (Access this computer from the network)
- SeServiceLogonRight (Log on as a Service)
- SeDenyInteractiveLogonRight (Deny Logon Locally and Deny log on through Terminal Services)
Be careful: The user and group names has to be entered excatly as specified in the correct uppercase an lowercase.
Often this naming conventions conflicts with the requirements of the customer, but it is not possible to change the names of the users and groups, because all the upgrade and installation procedures of SAP a belonging on this convention.