
®
Xerox
Print Advisor
Using a Domain Service Account
Quick Reference

© 2010 Xerox Corporation. All rights reserved.
This document is made available for use only pursuant to the terms of license(s) pursuant to which Xerox
Corporation restricts their use, copying, distribution, and decompilation/reverse engineering. In addition, Xerox
Corporation reserves the right to make improvements in the product described in this manual pursuant to such
license(s), which may include making changes at anytime and without notice. This document and the product
described in this manual are copyrighted. All rights reserved. No part of this document may be copied,
reproduced, translated or reduced to any electronic medium or machine readable form or in any form by any
means without prior written authorization of Xerox Corporation.
®
Documentation © 2010 Xerox Corporation. Xerox
or registered trademarks of Xerox Corporation in the United States and/or other countries. All rights reserved.
Microsoft
or trademarks of Microsoft Corporation in the United States and/or other countries. Other names may be
trademarks or registered trademarks of their respective owners.
© Preo Software Inc. 2010
®
, Windows®, Windows XP®, Windows Vista®, .NET® and Active Directory® are registered trademarks
, the Xerox® Logo, and Xerox® Print Advisor are trademarks

1 Using a Domain Service
Account (DSA)
Domain Service Accounts (DSAs) allow System Administrators to create a class of cross-domain
accounts that can be used to manage and maintain certain services on the computer network. DSAs
are generally used to enhance security by isolating the privileges for an application.
®
With Xerox
IT configuration.
Using a Domain Service Account
If a Domain Service Account is used for Print Advisor, the DSA must be able to communicate to the
hosted Print Advisor Application Server over port 443 SSL (Secure Sockets Layer).
Print Advisor, DSAs are recommended when a Proxy Server is part of your organization’s
®
Note: Set up the Domain Service Account PRIOR to starting the Xerox
Altering the account information after installation is difficult and time-consuming if you have
installed Xerox
®
Print Advisor on all of your organization’s workstations.
Print Advisor installation.
Securing the Domain Service Account
The Domain Service Account should be secured with a Group Policy in accordance with your security
policies for Service Accounts, or Microsoft’s Service Account Guidelines available at
http://www.microsoft.com/downloads
If your organization does not currently have security policies in place for locking down service accounts,
we recommend at a minimum that you apply the following settings:
Setting up a User Account
Set Password to Never Expire.
Use complexity for passwords (minimum 8 characters; include special characters).
.
®
Xerox
Print Advisor Quick Reference 3

Using a Domain Service Account (DSA)
Setting up a Group Policy
Deny logon locally (User Rights Assignments).
Disable Shut Down the System (User Rights Assignments).
Enable an Account Lockout Policy (3 invalid attempts lock the account for 10 minutes).
Require Logon as a Service (User Rights Assignments).
Deny log on through Terminal Services (User Rights Assignments).
Disable Allow Logon Locally (User Rights Assignments).
You may want to continue locking down this group policy, as long as User Rights Assignments are
not affected.
Set options to Enforcement (no override); this setting takes precedence over any Group Policy
setting linked to child containers.
Set the Block inheritance flag.
Create an account as an OU controlled subtree.
Enable auditing on controlled subtree.
Use AdminSDHolder function; this setting compares the privilege level every hour and ensures that
the settings have not been altered.
Using Domain Service Accounts for Proxy Servers
The account you select for Xerox® Print Advisor must have the ability to navigate through your proxy
server. If you use a Proxy Server at your organization, it is highly recommended you use a Domain
Service Account. While Xerox
sufficient authorization to navigate an organization’s Proxy Server.
When Xerox
®
Print Advisor is installed using a DSA (Domain Service Account), the account must have at
a minimum the following privileges:
The ability to contact the Internet through the proxy server.
The ability to iterate local printers on the machine on which the DSA is installed.
Advantages of using a DSA with a proxy server:
Using a DSA with a proxy server is advantageous in that the DSA can be set as follows:
Set up to communicate through the proxy server to the hosted Xerox
Server.
Restricted to communicate only to a known IP address range.
Set to have a non-expiring password.
Be locked down with just the permissions needed to run Print Advisor.
Additionally, the Service Account management can be centrally controlled.
®
Print Advisor can run as the Local System account, it rarely has
®
Print Advisor Application
4 Xerox
®
Print Advisor Quick Reference