Installation of the Symantec Endpoint Protection Manager fails with error "Failed to set Symantec Endpoint Protection Manager service account ACLs"
search cancel

Installation of the Symantec Endpoint Protection Manager fails with error "Failed to set Symantec Endpoint Protection Manager service account ACLs"

book

Article ID: 160980

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Installation of the Symantec Endpoint Protection Manager (SEPM) fails with the error "Failed to set Symantec Endpoint Protection Manager service account ACLs."

The following error is shown in a popup window while attempting to install the SEPM:

Failed to set Symantec Endpoint Protection Manager service account ACLs.

The following error is logged in the following file. Default location:

  • 32-bit OS: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\install_log.err
  • 64-bit OS: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\install_log.err

STDERR: com.sygate.scm.server.util.acl.ACLException: Failed to set ACL on object : HKLM\System\CurrentControlSet\services\semsrv

 

The following error is logged in the following file. Default location:

  1. 32-bit OS: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\ConfigurationWizard-0.log
  2. 64-bit OS: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\ConfigurationWizard-0.log

2014-07-22 12:23:29.093 THREAD 31 WARNING: SEPMACLManager>>applyAllACLs: 

Begin...serverHome=D:\Program Files (x86)\Symantec\Symantec Endpoint Protection 

Manager\tomcat,dataRoot=D:\Program Files (x86)\Symantec\Symantec Endpoint 

Protection Manager\data,luClientPath=C:\Program Files (x86)\Symantec\LiveUpdate

2014-07-22 12:23:29.343 THREAD 31 WARNING: ACLUtil> executeSetACLExe>> Process 

output:

INFORMATION: Processing ACL of: 

<machine\System\CurrentControlSet\services\semsrv>

ERROR: Enabling the privilege SeSecurityPrivilege failed with: Not all 

privileges or groups referenced are assigned to the caller.

ERROR: Reading the SD from <machine\System\CurrentControlSet\services\semsrv> 

failed with: Not all privileges or groups referenced are assigned to the caller.

 

SetACL finished with error(s): 

SetACL error message: A privilege could not be enabled

Cause

This error is caused because the user account which is attempting to install the SEPM is lacking the privilege SeSecurityPrivilege, or another application such as the splunk forwarder is accessing files in SEPM. 

Resolution

To resolve this issue, ensure that the installation is being performed by an Administrator level Windows Account. If the installation still fails, verify whether or not the SeSecurityPrivilege is present. This privilege is needed for the installation to complete successfully.

How to check whether the logged in account has the SeSecurityPrivilege:

  1. Click Start > Run
  2. Type in: cmd
  3. Click OK
  4. Type in: whoami /priv
  5. Press the ENTER key on your keyboard
  6. Confirm that the privilege SeSecurityPrivilege is listed in the Privilege Name column. If it is missing, please ensure the Administrators group is part of the "Manage auditing and security log" policy. Please see: http://technet.microsoft.com/en-us/library/cc957161.aspx for additional information.

If the privilege exist, Stop the splunkforwarder service.