Endpoint Protection


Newbie Question - Domain Admin?


  • 1.  Newbie Question - Domain Admin?

    Posted Feb 22, 2010 11:49 AM
    Just getting started on SEP 11 deployment.  Reading the Installation Guide.  On page 51, table 3-3 states for Vista/Server 2008/Win7 that "The account used to deploy client software must be a domain administrator, ..."

    I can't believe that this is true, that to install this software I need to have full domain admin rights.  I know that (at least with Vista), being a member of the local admin account is not the same as being the local admin.

    Any thoughts on this?



  • 2.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 11:53 AM
    You have to be administrator.
    Domain or Local, whatever. But to install any program you need to be logged in as an Administrator.
    However, for remote deployment a Domain Admin account is preferred so that it's easier for you to put in credentials once for all your clients in your domain.

    For local install, Local Admin is preferred; however, domain admin will also be good.


  • 3.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 12:23 PM
    Yes, that's true. When we are pushing the package over the network, if we are using a user account it may not have the necessary permission needed for installation; that's the reason we ask to use the domain administrator.


  • 4.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 12:26 PM
    After all, I'm not sure I'd trust my SEP admins to be Domain Admins and be able to mess with everybody's servers.

    Isn't best security practice "least privilege"?  Should we be using a domain user, that is a member of a domain group, that is a member of workstation local administrators?



  • 5.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 12:37 PM
    Yes, that should work.


  • 6.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 12:37 PM
    If it is an Administrator and has admin rights to install any other software then it will work with SEP.
    It's not Symantec's recommendation, it's Microsoft's recommendation as well.
    Be it Local or Domain, it has to be an administrator and should have full admin rights on the machine on which you are installing SEP.


  • 7.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 12:42 PM
    The manual states DOMAIN admin.  Symantec is asserting I need domain rights.  You should state the LEAST rights required.  I see customers regularly posting in the forums that they are doing x/y/z as Domain Admin when they shouldn't be.  Please don't encourage this behavior.

    I asked because in VISTA and WIN7 - a member of the local admin group does NOT have the same rights as the actual Administrator account.


  • 8.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 12:52 PM
    This actually differs from admin to admin..
    One Admin with many hats will use domain admin credential.
    However, if there is a specific team for AV (Deployment), then the company might come up with stringent account privileges and will give the least.

    However, for deployment ease Symantec suggests having Domain admin credentials. A Local Admin account is the best for deployment but difficult for a few to manage in larger environments.


  • 9.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 02:08 PM
    Snekul - I agree.  Our company has 80,000 users and only 20 domain admins.  And none of them have desktop AV responsibilities.  Domain admin is also audited (PCI etc) and reported to the head of Identity management.

    It's not hard to build out a local admin structure.  In my company, we add various domain-based groups to the local admin group, e.g. in the domain/AD we have LCLAdmin_FEInstall, LCLAdmin_Helpdesk, etc.  We then add non-privileged domain user accounts to the appropriate domain-based group.  We have background processes that manage the groups (e.g. when your cost center <> helpdesk cost center you are automatically removed from the LCLAdmin_Helpdesk group).

    The workstation build process adds the appropriate domain LCLADMIN_* groups to the local Administrators groups.  (e.g. LCLAdmin_FEInstall is never a local admin on a server build).

    Piece of cake to manage.
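
The structure described in post 9, as an added example that is not part of the original post and is not the poster's tooling: a drift check of local Administrators membership against a per-build allow-list, plus the cost-center rule for group cleanup. The group names LCLAdmin_FEInstall and LCLAdmin_Helpdesk come from the post; the CORP domain, LCLAdmin_ServerOps, the cost-center values, the function names and every account below are assumptions and constructed sample data.

```powershell
# Assumed policy: domain groups each build type may hold in local Administrators.
# Per the post, LCLAdmin_FEInstall is never a local admin on a server build.
$AllowedByBuild = @{
    Workstation = @('CORP\LCLAdmin_FEInstall', 'CORP\LCLAdmin_Helpdesk')
    Server      = @('CORP\LCLAdmin_ServerOps')   # hypothetical server-side group
}

# Report every local Administrators member that the build policy does not allow.
function Test-LocalAdminDrift {
    param(
        [Parameter(Mandatory)][ValidateSet('Workstation', 'Server')][string]$BuildType,
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$Members
    )
    $builtin = "$ComputerName\Administrator"     # built-in local account, always present
    foreach ($m in $Members) {
        if ($m -eq $builtin) { continue }
        if ($AllowedByBuild[$BuildType] -notcontains $m) {
            [pscustomobject]@{ Computer = $ComputerName; Build = $BuildType; Unexpected = $m }
        }
    }
}

# The post's background rule: a user whose cost center no longer matches the
# group's cost center is due for removal from that group.
function Get-StaleGroupMember {
    param(
        [Parameter(Mandatory)][string]$RequiredCostCenter,
        [Parameter(Mandatory)][object[]]$GroupMembers
    )
    $GroupMembers | Where-Object { $_.CostCenter -ne $RequiredCostCenter }
}

# Constructed sample input. On a live machine the member list could come from:
#   Get-LocalGroupMember -Group Administrators | Select-Object -ExpandProperty Name
$srvMembers = @('SRV01\Administrator', 'CORP\LCLAdmin_ServerOps', 'CORP\LCLAdmin_FEInstall')
$wksMembers = @('WKS42\Administrator', 'CORP\LCLAdmin_Helpdesk', 'CORP\jdoe')

Test-LocalAdminDrift -BuildType Server      -ComputerName SRV01 -Members $srvMembers
Test-LocalAdminDrift -BuildType Workstation -ComputerName WKS42 -Members $wksMembers

# Constructed LCLAdmin_Helpdesk membership; '4410' is an assumed helpdesk cost center.
$helpdesk = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; CostCenter = '4410' }
    [pscustomobject]@{ SamAccountName = 'bjones'; CostCenter = '7120' }   # moved teams
)
Get-StaleGroupMember -RequiredCostCenter '4410' -GroupMembers $helpdesk
```

With the sample data, the drift check reports LCLAdmin_FEInstall on the server build and the directly added user account on the workstation, and the cleanup rule returns only the account whose cost center changed.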


  • 10.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 02:24 PM
    I noticed this as well when we set ours up.  They are basically taking the easy way out saying "Use a Domain Admin" account since they don't want to have to detail all the exact permissions that are needed.  This is very common in lots of applications' instructions, since the Domain Admin account is about the only account that is going to be configured about the same in every domain.  Regardless, I don't like it.  We usually test ourselves to see what privileges are actually required, and I don't think we needed to do anything special for SEP.

    Odds are, your accounts that are set up to be Local Admins on the workstations and have networking/remote access privileges (if applicable in your environment) will do just fine.  Just watch out for UAC causing problems.


  • 11.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 02:26 PM
    Yeah, from my experiences, you'll do just fine with your setup.  That said, with the number of desktops you have, I'd suggest deploying to most workstations via group policy, SCCM, Altiris, etc.  Granted, there will be those "weird" workstations where you'll just want to take care of it through SEPM, but SEPM's deployment methods seem more like a "quick fix" for small shops and the bigger organizations should still use tried-and-true deployment methods.


  • 12.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 02:34 PM
    We will be using MS/SMS and HP Radia (eventually just Radia).  I'd never get permission to add another software distribution tool to the mix.  Radia does regular install verification and will reinstall/repair as needed.


  • 13.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 02:42 PM
    On servers, our policy is to install 3rd party software to a location other than C:\Program Files - e.g. D:\apps\appname. 
    Is this possible for
    -- SEP 11 Client installs to servers?
    -- SEP 11 Endpoint Protection Manager?


  • 14.  RE: Newbie Question - Domain Admin?

    Posted Feb 22, 2010 03:39 PM
    That should be fine.  I think any software distribution method is probably better than using the one in SEPM for large deployments :-).


  • 15.  RE: Newbie Question - Domain Admin?
    Best Answer

    Posted Feb 23, 2010 04:02 AM
    How to create a Symantec Endpoint Protection install package that will install to a different drive 

    In the case of SEPM, the installer gives you the option at installation time to select the path where you want to install SEPM.


  • 16.  RE: Newbie Question - Domain Admin?

    Posted Feb 23, 2010 10:21 AM
    Keep in mind, even when you do so, a lot of stuff still gets put in the Common Files folder of the Program Files folder.