For various security reasons it may be desirable to use Group Managed Service Accounts (gMSA) for Symantec Endpoint Protection (SEP) Manager services instead of the virtual service accounts created during install (e.g. NT SERVICE\semsrv, NT SERVICE\semwebsrv, etc.).
Symantec Endpoint Protection Manager installed on Windows Server 2012, or newer
Windows 2012 Domain Controller
In order to leverage Group Managed Service Accounts for SEP Manager service use, the following requirements must be met:
At least one Windows Server 2012, or newer, Domain Controller
A Windows Server 2012 or Windows 8 machine with the Active Directory Module for Windows PowerShell, used to create the gMSAs.
SEP Manager pre-installed on a Windows Server 2012, or newer, domain member, which will run its services under the gMSAs.
Replace <ServiceAccountName> with the values of semsrv, semwebsrv, semapisrv, SQLANYs_sem5, SepBridgeSrv and SepBridgeUpldr as appropriate and for each gMSA you wish to create.
Replace <fqdn> with the fully qualified domain name for the SEP Manager server.
Replace <group> with the name of the new security group created in step 1.
Repeat the above command for each SEP Manager service (e.g. semsrv, semwebsrv, etc.).
Launch the Active Directory Administrative Center (ADAC) and expand your domain > Managed Service Accounts to see the newly created gMSAs.
Edit the properties for each gMSA and add the security group created in step 1, ensure the security group has Read permissions, then click OK.
Reboot each SEP Manager server.
Assign gMSAs to SEPM services:
1. On the SEP Manager server open services.msc.
2. Edit properties for the Symantec Endpoint Protection Manager service.
3. Click the Log On tab.
4. Click the Browse button.
5. Click the Location button and select Entire Directory, click OK.
6. Click Object Types and uncheck User.
7. Click Advanced then Find Now and double-click the appropriate gMSA, click OK.
8. Clear out the Password and Confirm Password fields so that they are blank.
9. You should receive a prompt that the account was given the Log On As a Service right.
10. Stop and restart the service.
11. Repeat steps 2 through 10 for each additional SEP Manager service that is being changed to a gMSA.
12. Launch the SEP Manager and verify that you can successfully log in.
NOTE: If the SEP Manager is reinstalled or upgraded the virtual service accounts will be restored. You will need to repeat the steps to assign the gMSAs to each SEP Manager service post upgrade/install.
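The gMSA creation steps above, plus a post-upgrade check for the NOTE, gathered into one PowerShell script as an added example (this is not the KB article's own command). The group name SEPM-gMSA-Hosts, the computer name sepm01 and the FQDN sepm01.corp.example are assumed placeholders; the first half runs on a host with the Active Directory module, the second on the SEP Manager server, which also needs the AD module for Install-/Test-ADServiceAccount.

```powershell
# Added example, not from the KB article. Assumed names: group 'SEPM-gMSA-Hosts',
# SEPM computer 'sepm01', FQDN 'sepm01.corp.example'. Adjust to your environment.
Import-Module ActiveDirectory

$Group    = 'SEPM-gMSA-Hosts'          # the security group from step 1 (assumed name)
$SepmHost = 'sepm01'                   # SEP Manager computer account (assumed)
$Fqdn     = 'sepm01.corp.example'      # <fqdn> of the SEP Manager server (assumed)
$Services = 'semsrv','semwebsrv','semapisrv','SQLANYs_sem5','SepBridgeSrv','SepBridgeUpldr'

# ---- Run on a host with the AD PowerShell module (Windows Server 2012 / Windows 8 or newer) ----

# A gMSA cannot be created until the domain has a KDS root key; create one only if
# none exists. Even with -EffectiveImmediately, allow up to 10 hours for replication.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# Step 1: the security group whose members (the SEPM servers) may retrieve the passwords.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $Group -Members (Get-ADComputer -Identity $SepmHost)

# One gMSA per SEP Manager service. Limiting password retrieval to $Group is what
# prevents any other domain host from running services under these accounts.
foreach ($svc in $Services) {
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$svc'")) {
        New-ADServiceAccount -Name $svc -DNSHostName $Fqdn `
            -PrincipalsAllowedToRetrieveManagedPassword $Group
    }
}

# ---- Run on the SEP Manager server after the reboot ----
# (the reboot refreshes the computer's group membership in its Kerberos ticket)
foreach ($svc in $Services) {
    Install-ADServiceAccount -Identity $svc
    # $false means this host cannot retrieve the managed password, the usual reason
    # a service configured for a gMSA fails to start.
    if (-not (Test-ADServiceAccount -Identity $svc)) {
        Write-Warning "$svc`$ is not usable on this host; check group membership and reboot."
    }
}

# Post-upgrade check: a reinstall or upgrade restores the NT SERVICE\ virtual accounts,
# so list any SEPM service whose logon account is not a gMSA (gMSA names end in '$').
Get-CimInstance Win32_Service `
    -Filter "Name LIKE 'sem%' OR Name LIKE 'SepBridge%' OR Name LIKE 'SQLANYs%'" |
    Select-Object Name, StartName, State |
    Where-Object { $_.StartName -notlike '*$' }
```

An empty result from the final query means every SEPM service is still running under a gMSA; any row listed needs steps 2 through 10 repeated for that service.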