Using a domain administrator service account

If the "Enable Internet charging" option is selected in the setup wizard, PaperCut needs to install a system service that runs with additional privileges. The setup wizard will request a username and password for an account with the required additional privileges. For the simplest setup, we recommend adding a new administrator account with the password set to "never expire".

The service does not require "Administrators" level access. By default we recommend creating an account with administrator-level access because this is guaranteed to work with every network setup (i.e. idiot proof). Strictly speaking, you can get away with less if you know what you’re doing. At a minimum, the service account requires:

  1. The "Log on as a service" right
  2. Read-write access on the PaperCut databases
  3. Read-only access on the proxy server logs
  4. Rights to “Modify the membership of a group” on the nominated Group assigned in PaperCut

You can delegate rights to the selected account to accomplish item 4 and hence avoid the need for full domain administrator access.
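One way to carry out the delegation for item 4 is shown below. This is an added example, not PaperCut's own script. It assumes the ActiveDirectory PowerShell module is available, and the account and group names are placeholders.

```powershell
# Added example: delegate "write member" on ONE group to the service account,
# instead of making the account a domain administrator.
# Assumes the ActiveDirectory module (RSAT). Both names below are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-papercut-net'   # hypothetical service account name
$NominatedGroup = 'Internet Access'    # hypothetical nominated group name

$account = Get-ADUser  -Identity $ServiceAccount
$group   = Get-ADGroup -Identity $NominatedGroup
$path    = "AD:\$($group.DistinguishedName)"

# schemaIDGUID of the 'member' attribute. Scoping the ACE to this attribute
# lets the account change this group's membership and nothing else on it.
$memberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $account.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr
)

$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: list every ACE on the group that is scoped to the 'member' attribute.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $memberAttr } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited

# Confirm the account is not also sitting in a broad admin group
# (checks direct memberships only, not nested ones).
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators'
Get-ADPrincipalGroupMembership -Identity $account |
    Where-Object { $privileged -contains $_.Name } |
    ForEach-Object { Write-Warning "$ServiceAccount is still a member of $($_.Name)" }
```

Run it as an account that is allowed to modify permissions on the group object. The final check prints nothing when the service account has no direct membership in the listed admin groups.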

It’s also worth mentioning that we do our best to minimize the amount of code running under the privileged account. We use the notion of privilege separation and confine the code that does not require escalated access. PaperCut does this by installing two services, each running under different rights. Most operations, such as print monitoring, automatic quota allocation and maintenance tasks, run under a standard service account, while the net charging/quota code that needs to move users in and out of the nominated group runs under the privileged service.

Page last modified on October 05, 2006, at 10:10 PM