Do the protect accounts need to be in the local admin group?

When the DLP product is installed a service account named 'protect' is created by the installation and placed in the local 'users' group.

At the same time another service account named 'protect_update' is created by the installation and placed in the local 'Administrators' group.

The 'protect_update' account needs to be in the local admin group because when it comes time to push out updates and hotfixes, if this account is not in the local admin group the installation will fail.

It is also important that the 'protect' user account NOT be a member of the local admin group.  If the 'protect' user account is a local admin, an upgrade will fail because we use the 'protect' user to kill java processes.  A local admin can kill the updater.