This article explains how GFI FaxMaker uses Active Directory in fax transmission and lists the requirements for the GFI FaxMaker service account.
Each time a user sends a fax or receives a fax to email, an LDAP query is made to confirm that:
- The AD user account exists.
- The AD account is active (not locked or disabled).
- The AD account's SID matches the email address being used.
- The SID matches the SID that GFI FaxMaker has stored in its internal list of "Licensed Users".
To ensure the successful transmission of faxes:
- The services "GFI FaxMaker Server" and "GFI FaxMaker Message Transfer Agent" must be started with a user account as their 'service logon account'.
- The 'service logon account' must have the 'logon as a service' right.
- The 'service logon account' must have permission to query the Active Directory Global Catalog.
- The 'service logon account' must have administrative privileges (Full access) to the NTFS folder structures where GFI FaxMaker is installed (and certain shares).
- The 'service logon account' must have administrative privileges (Full access) to the Registry keys used by GFI FaxMaker.
- If GFI FaxMaker is archiving to a database, the 'service logon account' must have access to the database (or you can configure FaxMaker to use the 'sa' account if using SQL).
- The 'service logon account' must have a local user profile (since GFI FaxMaker uses a few aspects of that profile -- such as setting the default printer and having access to applications involved in "converting" outbound faxes).
An Active Directory domain admin account satisfies all these requirements and is recommended in most cases.
It is possible to create a domain account with something less than "domain admin" rights; however, since this requires some advanced understanding by the sysadmin, GFI cannot troubleshoot permissions-related problems if they arise because a non-domain-admin account is used for starting our services.
Hence, our only statement in this regard is to use a domain admin account if GFI FaxMaker is installed on a machine that is joined to an Active Directory domain.
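The following is an added example, not GFI code. It checks the logon account of the two services named above against the requirements that can be read locally: a user account rather than a built-in one, the 'logon as a service' right, a local user profile, and Full access on the install folder. The install path is a placeholder, and the script sees only rights and ACL entries granted directly to the account, not through a group.

```powershell
# Added example, not GFI code. Run from an elevated prompt on the FaxMaker server.
# $InstallPath is a placeholder: set it to the real GFI FaxMaker install folder.
$InstallPath  = 'C:\PLACEHOLDER\FaxMaker'
$DisplayNames = 'GFI FaxMaker Server', 'GFI FaxMaker Message Transfer Agent'
$BuiltIn      = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$SidType      = [System.Security.Principal.SecurityIdentifier]

# Export the local user-rights assignment and read who holds 'Log on as a service'.
$inf = Join-Path $env:TEMP 'faxmaker_user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($name in $DisplayNames) {
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$name'"
    if (-not $svc) { Write-Warning "Service '$name' not found"; continue }

    $account = $svc.StartName
    $result = [ordered]@{
        Service = $name; LogonAccount = $account
        IsUserAccount = ($BuiltIn -notcontains $account)
        LogonAsService = $false; LocalProfile = $false; FullControlOnInstall = $false
    }
    if ($result.IsUserAccount) {
        # '.\user' is a local account; NTAccount needs the computer name, not '.'.
        $ntName = $account -replace '^\.\\', "$env:COMPUTERNAME\"
        $sid = ([System.Security.Principal.NTAccount]$ntName).Translate($SidType).Value

        # Direct grants only: a right or ACL entry held through a group shows as False.
        $result.LogonAsService = ($holders -contains $sid) -or ($holders -contains $account)
        $result.LocalProfile = [bool](Get-CimInstance Win32_UserProfile -Filter "SID='$sid'")
        if (Test-Path -LiteralPath $InstallPath) {
            $rules = (Get-Acl -LiteralPath $InstallPath).GetAccessRules($true, $true, $SidType)
            $result.FullControlOnInstall = [bool]($rules | Where-Object {
                $_.IdentityReference.Value -eq $sid -and
                $_.AccessControlType -eq 'Allow' -and
                $_.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::FullControl)
            })
        }
    }
    [pscustomobject]$result
}
```

Registry, share, database and Global Catalog access are not covered because the page does not name the keys, shares or database involved.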