Chat now with support
Chat with Support

Security Explorer 9.9 - User Guide

Getting Started with Security Explorer Managing permissions Searching Managing security Managing objects
Managing folders and files Managing shares Managing registry keys Managing services Managing tasks Managing groups and users Managing Favorites Managing Enterprise Scopes Updating licenses Managing network drives
Working with Microsoft SQL Server Working with Microsoft Exchange
Checking minimum requirements Viewing Exchange permissions Granting Exchange permissions Revoking Exchange permissions Cloning Exchange permissions Searching for Exchange server objects and permissions Backing up and restoring Exchange server security Modifying Exchange permissions Managing Exchange group memberships Exporting Exchange security permissions Creating Exchange databases Creating public folder mailboxes Managing Exchange administrators Managing Exchange distribution groups Managing mail contacts Managing mail users Managing mailboxes Managing mailbox folders Managing public folders Using role based access control Setting options for Exchange security
Working with Microsoft SharePoint Working with Access Explorer Working with Microsoft Active Directory Customizing Security Explorer Using the command line Using PowerShell cmdlets Troubleshooting

Access Explorer agent

When a managed computer is added, an agent is assigned to that computer. The agent may reside on the computer or it may be a remote agent that resides elsewhere. The primary focus of the agent is to index all the explicit permissions throughout its assigned scopes. The agent installs a service that allows it to perform all of the necessary functions and to report data to Security Explorer.

The indexing of only explicit permissions is done for the following reasons:

A managed computer may be scanned by either a local agent or one or more remote agents. Only one local agent can be installed on a managed computer and a managed computer with a local agent cannot be scanned by remote agents.

A local agent does an immediate scan as soon as it is added. Remote agents only scan according to a schedule, but if you want the agent to scan as soon as it is added you can enable the Immediately scan on agent restart or scope change option. This option is cleared by default.

For more information, see:


Scopes define the file system targets of the scan on the managed computer. The scopes available for scanning differ for local and remote agents.

Scopes tab of the Agent Properties.

More than one remote agent may be configured to scan a managed computer provided each agent scans different scopes. A given scope can be scanned by only one agent.

Figure 1 depicts the possible deployment scenarios for Access Explorer agents and managed computers in remote and local installations.

For more information, see:


The Security Explorer server stores all data gathered in a SQL Server® database, including indexed data received from the agents. See Setting up the Access Explorer database.

Service accounts

A service account is a set of credentials provided by the user and is used to perform certain deployment and query operations.

When you place a domain under management, you must provide a service account for the domain. The service account ensures computers from that domain can be added as managed computers. Each managed domain can only have one associated service account at any time, but the same service account can be used for multiple managed domains.

When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Quest Security Explorer Server.

When you deploy a remote agent to a managed computer, the agent requires a set of credentials to read information from the remote target computer. The credentials provided are referred to as the managed computer service account and are used only to read information from the remotely targeted computer.

Various operations within Access Explorer use different credentials. The following table details when various accounts are being used.

Agent deployment and removal1




Restart agent




Take domain under management




Register a forest and enumerate




Read information from targets




1 The managed domain service account is used to install, upgrade, or remove the agent on the target computer. In the case where the agent is deployed locally, the agent will run as Local System. In the case where an agent is deployed remotely, the managed computer service account is used to read information from the remote computer.

Service account credentials are maintained in the database in a secure encrypted form. In the event that someone gains access to the database, they would not be able to decrypt any of the credentials provided.

Access Explorer uses the FIPS 140-2 compliant encryption to protect the service account credentials.

For more information see:

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating