NTFS/Windows Rights on the SEPM:
SeNetworkLogonRight
"Access this computer from the network"
Required for:
SeInteractiveLogonRight
"Allow log on locally"
Required for:
Note that "whoami /priv" lists only the privileges held in the current token; logon rights such as SeNetworkLogonRight and SeInteractiveLogonRight are not privileges and never appear in that output. View them in Local Security Policy (secpol.msc > Local Policies > User Rights Assignment) or export them with "secedit /export /cfg <file> /areas USER_RIGHTS" and read the [Privilege Rights] section. The rights are usually assigned to groups, so compare the holders against the account's group list ("whoami /groups" in a command window running under that account). To confirm the interactive logon right in practice, run "runas /user:username cmd", then "whoami" in the new window to verify the current user; runas performs an interactive logon, so the error "the user has not been granted the requested logon type at this computer" means "Allow log on locally" is missing for that account.
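The check above, as an added example (not code from the original article or from Symantec): a PowerShell script that exports the local User Rights Assignment with secedit and reports whether the SEPM database account holds SeNetworkLogonRight and SeInteractiveLogonRight, directly or through one of its groups. Group membership is taken from a password-less S4U logon token built with System.Security.Principal.WindowsIdentity, which works for domain accounts on a domain-joined host; the account name in $Upn is an assumed value.

```powershell
# Added example, not part of the original article. Run from an elevated PowerShell on
# the SEPM host (secedit needs administrative rights). $Upn is an assumed account name;
# replace it with the UPN of the SEPM database service account.
param([string]$Upn = 'svc-sepm-db@contoso.example')

$inf = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated prompt.' }

# [Privilege Rights] lines look like:
#   SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
# Holders are SIDs prefixed with '*'; an unresolvable entry may appear as a plain name.
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item $inf -Force

# The account's own SID plus every group SID in its logon token (S4U, no password needed).
$identity = New-Object System.Security.Principal.WindowsIdentity($Upn)
$mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Resolve-SidName([string]$Sid) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
              [System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # deleted account or foreign domain: keep the raw SID
}

foreach ($right in 'SeNetworkLogonRight', 'SeInteractiveLogonRight') {
    $holders  = @($rights[$right] | Where-Object { $_ })
    $granting = @($holders | Where-Object { $mySids -contains $_ })
    if ($granting.Count -gt 0) {
        '{0}: GRANTED via {1}' -f $right, (($granting | ForEach-Object { Resolve-SidName $_ }) -join ', ')
    } else {
        '{0}: MISSING - current holders: {1}' -f $right, (($holders | ForEach-Object { Resolve-SidName $_ }) -join ', ')
    }
}

# A matching "deny" right overrides the allow right, so report those as well; a GPO-applied
# SeDenyNetworkLogonRight or SeDenyInteractiveLogonRight is a common reason the login still fails.
foreach ($deny in 'SeDenyNetworkLogonRight', 'SeDenyInteractiveLogonRight') {
    $hit = @($rights[$deny] | Where-Object { $mySids -contains $_ })
    if ($hit.Count -gt 0) {
        'WARNING: {0} applies to this account via {1}' -f $deny, (($hit | ForEach-Object { Resolve-SidName $_ }) -join ', ')
    }
}
```

The exported policy reflects the effective local settings, including anything pushed by Group Policy, so a GRANTED result here is what Windows will actually enforce at logon time.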
With Windows Authentication, the database user also requires file permissions on some SEPM directories, so that the processes running in that user's context can access the
necessary files. Paths are relative to the SEPM installation directory:
List, Read, Execute permissions:
.\bin For the verification and configuration tools used by the Management Server Configuration Wizard (MSCW) and during uninstallation
.\php For the Reporting subsystem
Read, Write permissions:
.\data For the BCP tool data import/export
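One way to apply and verify those directory permissions, as an added example (not code from the original article or from Symantec): a PowerShell script that grants each subdirectory's permission with icacls and then reads the ACL back with Get-Acl. The account name and installation directory in $Account and $SepmRoot are assumed values.

```powershell
# Added example, not part of the original article. $Account and $SepmRoot are assumptions;
# substitute the real SEPM database service account and installation directory.
param(
    [string]$Account  = 'CONTOSO\svc-sepm-db',
    [string]$SepmRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
)

# Subdirectory -> icacls permission. (OI)(CI) inherits the ACE to files and subfolders.
#   RX    = read and execute (includes list folder contents)
#   (R,W) = read plus write, deliberately narrower than M (Modify), which would add delete
$grants = [ordered]@{
    'bin'  = 'RX'
    'php'  = 'RX'
    'data' = '(R,W)'
}

foreach ($dir in $grants.Keys) {
    $path = Join-Path $SepmRoot $dir
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Skipping missing directory $path"; continue }
    $ace = '{0}:(OI)(CI){1}' -f $Account, $grants[$dir]
    & icacls.exe $path /grant $ace | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path (exit code $LASTEXITCODE)" }
}

# Verification: show the explicit (non-inherited) ACEs for the account on each directory.
foreach ($dir in $grants.Keys) {
    $path = Join-Path $SepmRoot $dir
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $aces = (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference.Value -ieq $Account -and -not $_.IsInherited }
    if ($aces) {
        foreach ($a in $aces) { '{0,-6} {1,-5} {2}' -f $dir, $a.AccessControlType, $a.FileSystemRights }
    } else {
        Write-Warning "$dir has no explicit ACE for $Account"
    }
}
```

Granting only the listed rights keeps the database account out of the rest of the installation directory; if the BCP import/export later fails while cleaning up its own files, extend the .\data grant rather than widening the others.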
Additionally, the Secondary Logon service (seclogon) must be running, or at least set to Manual so it can be started on demand, to use SEPM with Windows Authentication for the SQL database. There are two scenarios under which the Secondary Logon service is needed:
Most other SEPM components are not affected by this service because they launch their user-context processes (required for Windows Authentication) through lower-level APIs (LogonUser and CreateProcessAsUser) rather than through CreateProcessWithLogonW, which is what runas uses and which depends on the Secondary Logon service.
If your environment requires that this service be disabled, you may disable it after the SEPM is fully installed and configured, provided the SEPM is not using a proxy with NTLM authentication. The SEPM will function normally with Secondary Logon disabled. You will have to enable it again whenever you run the SEPM Configuration Wizard, upgrade the SEPM, or use NTLM proxy authentication.
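The enable-then-disable cycle described above, as an added example (not code from the original article or from Symantec): a PowerShell script that records the current start mode of the Secondary Logon service, makes the service available before running the Configuration Wizard or an upgrade, and restores the recorded mode afterwards with -Restore. The state file location and the -Restore switch are assumptions of this script.

```powershell
# Added example, not part of the original article. Run elevated on the SEPM host.
#   .\seclogon-toggle.ps1            make seclogon available (saves the original start mode)
#   .\seclogon-toggle.ps1 -Restore   put the original start mode back once the task is done
param([switch]$Restore)

$state = Join-Path $env:ProgramData 'seclogon-startmode.txt'   # assumed location
$svc   = Get-CimInstance Win32_Service -Filter "Name='seclogon'"
if (-not $svc) { throw 'Secondary Logon service (seclogon) not found on this host.' }

# Win32_Service reports 'Auto'; Set-Service expects 'Automatic'.
$modeMap = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

if ($Restore) {
    if (-not (Test-Path $state)) { Write-Warning 'No saved state found; nothing to restore.'; return }
    $orig = (Get-Content $state).Trim()
    Stop-Service -Name seclogon -ErrorAction SilentlyContinue
    Set-Service  -Name seclogon -StartupType $orig
    Remove-Item $state
    "seclogon restored to StartupType=$orig"
    return
}

# Remember what the hardening baseline had set so -Restore is exact, not a guess.
$saved = $modeMap[$svc.StartMode]
if (-not $saved) { $saved = 'Disabled' }
Set-Content -Path $state -Value $saved

if ($svc.StartMode -eq 'Disabled') { Set-Service -Name seclogon -StartupType Manual }
if ((Get-Service -Name seclogon).Status -ne 'Running') { Start-Service -Name seclogon }

"seclogon is {0} (was {1}); run the Configuration Wizard or upgrade now, then re-run with -Restore." -f `
    (Get-Service -Name seclogon).Status, $saved
```

A quick functional check after the first run is "runas /user:username cmd" from the same host: with the service disabled that command fails with "The service cannot be started" (error 1058) before a password is even requested.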
SQL Server Permissions:
In order to perform tasks on the SQL database without interruption, the following rights are required:
sysadmin
"Database Server Administrator"
Required For:
Note: sysadmin rights are not required for existing databases. Once database creation and setup are completed, the role can be revoked; it will only be required again if a new database needs to be created and configured. Because sysadmin grants full control of the whole SQL Server instance, revoke it as soon as the database is in place. This role can also be omitted entirely if you manually create the Endpoint Protection Manager SQL database.
db_owner
"Database Owner"
Required For:
public
"Public Access"
Required for:
Along with these roles, the account needs the ALTER ANY LOGIN server permission ("Alter any Login" under the SQL Server's Securables).
Required for:
Note: ALTER ANY LOGIN is granted to the public server role by a fresh installation of SEPM 14.x and newer, so there is no need to add the same permission to the account in newly installed SEPM environments running 14.x and newer. Be aware that a permission granted to public applies to every login on that instance, and ALTER ANY LOGIN allows creating, altering and dropping logins; this is one reason to keep the SEPM database on a dedicated instance rather than a shared one.
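The role and permission setup above, including the post-install revocation of sysadmin and a check of where ALTER ANY LOGIN comes from, as an added example (not code from the original article or from Symantec): a PowerShell script that runs the T-SQL over a Windows-authenticated SqlClient connection. $Instance, $Login and $Database are assumptions; sem5 is only the usual SEPM database name, so use whatever the Configuration Wizard actually created. Run it as a SQL Server sysadmin.

```powershell
# Added example, not part of the original article. Instance, login and database names
# are assumptions. Phases:
#   -Phase PreInstall   create the Windows login, add it to sysadmin, grant ALTER ANY LOGIN
#   -Phase PostInstall  map the login into the SEPM database as db_owner, then drop sysadmin
#   -Phase Report       only show the current state (default)
param(
    [string]$Instance = 'SQL01\SEPM',
    [string]$Login    = 'CONTOSO\svc-sepm-db',
    [string]$Database = 'sem5',
    [ValidateSet('PreInstall', 'PostInstall', 'Report')][string]$Phase = 'Report'
)

function Invoke-Tsql([string]$Sql, [string]$Db = 'master') {
    # Integrated Security uses the caller's Windows credentials: no password in the script.
    $cs   = "Server=$Instance;Database=$Db;Integrated Security=SSPI;Encrypt=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            $row = [ordered]@{}
            for ($i = 0; $i -lt $rdr.FieldCount; $i++) { $row[$rdr.GetName($i)] = $rdr.GetValue($i) }
            [pscustomobject]$row
        }
        $rdr.Close()
    } finally { $conn.Close() }
}

# Quote the login as an identifier and as a string literal so it cannot break the T-SQL.
$q = '[' + $Login.Replace(']', ']]') + ']'
$l = "N'" + $Login.Replace("'", "''") + "'"

switch ($Phase) {
    'PreInstall' {
        # sysadmin is only needed while the wizard creates and configures the database.
        # ALTER SERVER ROLE needs SQL Server 2012 or later; use sp_addsrvrolemember on 2008.
        Invoke-Tsql @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $l)
    CREATE LOGIN $q FROM WINDOWS;
ALTER SERVER ROLE sysadmin ADD MEMBER $q;
GRANT ALTER ANY LOGIN TO $q;
"@
    }
    'PostInstall' {
        Invoke-Tsql -Db $Database @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $l)
    CREATE USER $q FOR LOGIN $q;
ALTER ROLE db_owner ADD MEMBER $q;
"@
        # Least privilege once the database exists: take sysadmin away again.
        Invoke-Tsql "ALTER SERVER ROLE sysadmin DROP MEMBER $q;"
    }
}

# Report: server role membership, and whether ALTER ANY LOGIN is held directly or via public.
Invoke-Tsql @"
SELECT IS_SRVROLEMEMBER('sysadmin', $l) AS sysadmin_member,
       (SELECT COUNT(*) FROM sys.server_permissions sp
          JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
         WHERE sp.permission_name = 'ALTER ANY LOGIN' AND sp.state = 'G' AND p.name = $l)      AS alter_any_login_direct,
       (SELECT COUNT(*) FROM sys.server_permissions sp
          JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
         WHERE sp.permission_name = 'ALTER ANY LOGIN' AND sp.state = 'G' AND p.name = 'public') AS alter_any_login_via_public;
"@ | Format-List
Invoke-Tsql -Db $Database "SELECT IS_ROLEMEMBER('db_owner', $l) AS db_owner_member;" | Format-List
```

The Report phase is the one worth keeping around: after the wizard finishes, sysadmin_member should read 0, db_owner_member 1, and on a 14.x fresh install alter_any_login_via_public 1, which tells you whether the account needs the direct grant or already inherits it from public.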
Please refer to TECH256922
For more information on SQL Server Database Engine permissions, please visit Microsoft's SQL Docs.