By default, the Forefront Identity Manager CM Update Service runs under the local system account. It is considered the best practice to change it and use a service account instead.
We have already created the svcFIMCMService
user that we intend to use for this purpose. Before we can configure it for the service, we need to assign a few user rights to it.
The account needs the following User Rights Assignment:
To act as part of the operating system
To generate security audits
To replace a process-level token
To log in as a service
It then needs to be added to the following local groups on the FIM CM server:
Administrators
IIS_IUSRS
After that, we reconfigure the service to use the account and start automatically.