Request - Allow users to input custom Credentials for the Service Authentication when updating/installing.
Idea shared by Nathan McKAy - 3/11/2026 at 10:10 AM
Proposed
We keep our mailstore on a separate server from the server that runs the SmarterMail software. Every time I upgrade/install SmarterMail, I have to go to Services, stop the service, define the network account that SmarterMail has to use, and then start it again. It would be... pleasant if SmarterMail could allow us to put the custom credentials into the installer. I would think this would be useful for anyone who uses the old style of Failover, among other things.
This post caused me to think about "minimal necessary privileges" as part of the product security lockdown. I doubt that the SmarterMail service needs to run as LocalSystem, and it may need nothing more than "Log on as a service". A bit of research indicates that Active Directory credentials can be tested without special permissions, using the LogonUser call with the LOGON32_LOGON_NETWORK qualifier. If management of File Storage is performed with user impersonation, it also needs the user right for "Impersonate a client after authentication", which is granted by default to the "NETWORK SERVICE" account, and can be manually granted to other accounts. All of this needs to be rigorously tested, of course. We should have the option of configuring SmarterMail with those minimum necessary privileges, which will also address the original request.
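Added example, not part of the thread and not SmarterMail code: a PowerShell script that runs the credential check the reply describes (LogonUser with LOGON32_LOGON_NETWORK) and, only if it passes, re-applies the account to a Windows service after an upgrade. The `-ServiceName` value is a placeholder to be looked up with `Get-Service`, and setting the account through `Win32_Service.Change` is an assumption about how an administrator would script the manual step from the original post.

```powershell
# Added example. Run elevated: changing a service's logon account requires admin rights.
param(
    [Parameter(Mandatory)] [string] $ServiceName,      # placeholder; find it with Get-Service
    [Parameter(Mandatory)] [pscredential] $Credential  # DOMAIN\user, .\user or user@domain
)

Add-Type -Namespace Native -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Test-NetworkLogon {
    param([Parameter(Mandatory)] [pscredential] $Credential)
    $nc = $Credential.GetNetworkCredential()
    # UPN names need a NULL domain; PowerShell would turn a plain $null into "".
    $domain = if ($nc.Domain) { $nc.Domain } else { [NullString]::Value }
    $token  = [IntPtr]::Zero
    # 3 = LOGON32_LOGON_NETWORK, 0 = LOGON32_PROVIDER_DEFAULT
    $ok  = [Native.Logon]::LogonUser($nc.UserName, $domain, $nc.Password, 3, 0, [ref] $token)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) { [void][Native.Logon]::CloseHandle($token) }   # never leak the token
    [pscustomobject]@{ Valid = $ok; Win32Error = if ($ok) { 0 } else { $err } }
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
Write-Host "Service currently runs as: $($svc.StartName)"

# A failed check counts as a bad logon attempt (lockout policy applies).
# 1326 = ERROR_LOGON_FAILURE (wrong user name or password).
$check = Test-NetworkLogon -Credential $Credential
if (-not $check.Valid) {
    throw "Credential rejected (Win32 error $($check.Win32Error)); service left unchanged"
}

# A network logon passing does not prove the account holds "Log on as a service".
# Scripted changes do not grant that right the way the Services console does.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $Credential.UserName
    StartPassword = $Credential.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($result.ReturnValue)" }

Restart-Service -Name $ServiceName
Write-Host "Service now runs as: $($Credential.UserName)"
```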
