During the installation or configuration of Symantec Endpoint Protection Manager (SEPM) 12.1.6 or later, including version 14 or later, you see a warning that indicates that the appropriate user rights are not assigned to Endpoint Protection Manager services.
You see one of the following warning messages:
Note: While the services for Endpoint Protection Manager might run at startup, it is only a temporary state until the domain policies are enforced.
|Symantec Endpoint Protection Manager services require user rights in Windows security policies. The management console cannot run until you assign user rights to the services in the specified policies:||Symantec Endpoint Protection Manager cannot read the user rights that are specified in the Windows Security Policies on this computer. The management console cannot run if user rights are not assigned to Symantec Endpoint Protection Manager services.|
|This message either contains the user rights that the required services do not have, and the policies that do not have the rights, or you can click Show Details for this information.
You have options to correct policies and try again, cancel the installation, or continue with the warnings present.
For new installations, another message appears advising you that based on the type of database you subsequently choose additional user rights may be required.
|You have options to continue or cancel the installation.|
|Example of message seen during installation (click to enlarge):|
(The highlighted text appears only during a new installation.)
|Example of message seen after configuration (click to enlarge):|
|Example of message seen after upgrade (click to enlarge):|
The Endpoint Protection Manager installer automatically adds the required rights to local security policies. However, if the computer that hosts Endpoint Protection Manager is a part of a domain, then domain policies override local policies. See Related Articles for more information on group policy precedence.
The alert during installation indicates that domain policies are enforcing the privileges from the domain controller and do not contain the required user rights for Endpoint Protection Manager. The Endpoint Protection Manager installer cannot assign user rights to domain security policies. Therefore, you must take manual action.
The following table summarizes Endpoint Protection Manager's security policy requirements for Windows Server 2008 / Windows 7 or later:
|SEPM Configuration||User Right||Services to be added|
|Logon as Service
|SEPM with Microsoft SQL
Server database; SQL authentication
|Logon as Service
|SEPM with Microsoft SQL
Server database; Windows authentication
|Logon as Service
|Replace a Process Level Token
* indicates the service was added for version 14.
Endpoint Protection Manager services on operating systems earlier than Windows Server 2008 R2 / Windows 7 use the Network Service, for which default domain policies include privileges. You should ensure that any security policies used on the Endpoint Protection Manager computer do not have the Network Service removed.
Note: These accounts need to be present only if you have defined any of the user rights in the policies. If any of the user rights are in a "Not Defined" state, you do not have to explicitly enable them or add Endpoint Protection Manager accounts. If you have not defined any user right, Endpoint Protection Manager will not include that user right in the alert.
This warning message indicates that domain group policy objects (GPOs) are restricting which rights are assigned to virtual service accounts.
To learn more see If user rights are missing.
This warning message indicates that the installer may not be able to determine whether the correct rights are assigned to virtual service accounts in domain GPOs.
To learn more see If user rights cannot be determined.
Note: You must be a domain administrator, or coordinate with your domain administrator, to make changes to the affected domain GPOs.
If you are upgrading Endpoint Protection Manager from a previous version, the warning might prompt you to add Endpoint Protection Manager services to policies. Click Try Again to review the policies again during the installation.
You must log in as a domain administrator to use this option. If you do not log in as a domain administrator, you can either cancel the installation and log back in with domain administrator credentials, or you can continue with the installation and update the policies after the upgrade is completed.
To perform some of the steps below, you must install Group Policy Management Console (GPMC) on the machine where you install Endpoint Protection Manager. For more information see, Install the GPMC on Microsoft.com.
Perform the following tasks to successfully complete the Endpoint Protection Manager installation:
There will be additional log entries in one of the following log locations depending on when the warning message appears:
SEPM_Installation_Folder represents the installation folder for Endpoint Protection Manager. By default, this folder is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager (64-bit operating system) or C:\Program Files\Symantec\Symantec Endpoint Protection Manager (32-bit operating system).
From the alert message, make note of the missing service accounts. With the alert window active, press Control-C to copy the text of the message, which you can then paste it into a document. If you encounter this message in the configuration wizard or the upgrade wizard, click Show Details to get more information.
For example, the alert message may read:
Group policy setting SeServiceLogonRight in 'New Group Policy Object-testB' does not contain [NT SERVICE\semsrv, NT SERVICE\semwebsrv, NT SERVICE\SQLANYs_sem5, NT SERVICE\semapisrv]
Note: In this example, the user rights appear in green, the domain GPOs in blue, and the virtual service accounts in red.
The required user rights are as follows:
You must ensure that for the GPOs listed, all of the accounts listed are present in all of the user rights assignments mentioned. For new installations, you can refer to the table above for more information about required rights needed for either database type to avoid additional warnings after configuration.
Note: When you install Endpoint Protection Manager for the first time, its services are not yet present on the computer. Therefore, virtual accounts that correspond to Endpoint Protection Manager services are not active yet. For a new installation, you can click Continue in the alert that appears during installation. Another warning appears at the end of the configuration wizard, so you can update domain policies using the steps below after configuration finishes.
Make the appropriate changes to the necessary domain GPOs with the Group Policy Management Console on your Active Directory server, or work with your domain administrator to make these changes. See Create and Edit a Group Policy Object on Microsoft.com to learn how to edit group policies.
Note: These steps are for the Windows Server 2012 Server Manager. Other versions of Windows may vary slightly.
When Endpoint Protection Manager cannot read the domain policies, it does not provide the missing user rights in the alert message. In this instance, you (or your domain administrator) should manually inspect the domain policies based on the user rights assignments guidelines provided above, and ensure all required rights apply to Endpoint Protection Manager services.
If you are satisfied that the domain policies meet the appropriate criteria, click OK to continue with the installation, and then ignore the subsequent warning messages during the configuration or upgrade wizard.
You can manually check for the presence of required accounts and privileges before you begin a new installation or upgrade.
If you find the privileges, then the domain GPOs do not enforce them. You do not need to make a change to domain GPOs.
If you do not find the privileges, but do not contain any of the Endpoint Protection Manager accounts, then you must add them into the corresponding policy.
Note: If the domain policies check out, it may be that other software processes, such as backup software or the Syslog agent, are using or locking some files related to Symantec Endpoint Protection Manager at the time of the upgrade. To launch the upgrade process once the other software process is no longer running, you can enter the following command in a command window:
"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\upgrade.bat"
This command uses the default installation path, so adjust the command to match the installation path in your environment.
For more information, see the following Microsoft technical articles:
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
This will clear the history and restart the chat.