About the CES Service Logon Account
When your CES server runs on a domain, the CES service logon account must be a domain user that is granted the Active Directory Read Member Of permission because it is used to expand Active Directory groups.
Note: If you plan to index file shares with the File connector, the CES service logon account is used by default to crawl the files, in which case the account must also have access to all the files that you want to index. You can however use another account in the connector (see Setting up a File System Crawling Account).
You originally specify the CES service logon account when you install CES using the following installer screen (see Installing CES on the Master Server).
When CES is already installed, you can change the CES service logon account and password at any time (see Modifying the CES Log On Account).
The best practice is to create a user account dedicated to the CES service with a password that does not change, or does not change frequently. If needed, contact your network administrator to create the account.
The specific user logon account must be a domain account that typically is a local administrator but more specifically needs the following permissions for the CES service to work properly:
Part of the Users group of the server where CES is installed.
Part of the Domain Users group of the domain of the server where CES is installed (not required if the server is in a workgroup instead of a domain).
Read/Write/Execute permissions on the %ProgramFiles% and %ProgramFiles (x86)% folder.
Full Control on the folder where the index will be stored (default location C:\CES7\).
Read/Write permissions on the Windows temporary (%TEMP%) folder.
Will be automatically granted Logon as a Service by the installation program.
CES 7.0.6339– (January 2014) It is NOT RECOMMENDED to select the Local System account option, because selecting this option can lead to various authentication issues.
When the password of the CES service logon account changes in Active Directory, you must also manually change the password in the Coveo Enterprise Search 7 Properties to allow the CES service to continue to operate (see Modifying the CES Log On Account).
When your Coveo Platform implementation uses a topology that includes Coveo Mirror servers, the same logon account must be used on all of those servers.
Note: The CES Service logon account does not need to have read access to local, network, or SharePoint files. The best practice is to manage access permissions to content to be indexed at the source level by defining appropriate User Identities when you configure sources for each repository (see Adding a User Identity).