SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?


  • 1.  SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 12, 2014 09:31 AM

    We have just upgraded recently from SEP 11 to 12.1.5.  I've noticed that the Symantec Embedded Database Service uses the account NT SERVICE\SQLANYs_sem5. 

    The issue we are having is that our Wintel team has a very strict AD policy in place which doesn't allow this account to automatically start the Embedded Database service, so every time the server is rebooted we have to manually go in and start the service.

    I've requested to have a separate Symantec domain account be created in order to run this service, however I have been asked the level of permissions it requires. Could someone clarify this please?

    Thanks,

    John



  • 2.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 12, 2014 09:34 AM

     

    Troubleshooting log on as a service permissions for Symantec Endpoint Protection Manager

    http://www.symantec.com/business/support/index?page=content&id=TECH216042

     

     

    Symantec Endpoint Protection Manager 12.1 RU5 and higher installs its services with reduced privileges and permissions

    http://www.symantec.com/business/support/index?page=content&id=TECH224312



  • 3.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 12, 2014 09:36 AM

    It's a feature of RU5.

    Symantec Endpoint Protection Manager 12.1 RU5 and higher installs its services with reduced privileges and permissions

    http://www.symantec.com/business/support/index?page=content&id=TECH224312



  • 4.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 12, 2014 09:38 AM

    You just need to add the account to the Log on as a Service properties.

    Should be normal rights needed.



  • 5.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 12, 2014 09:42 AM

    There isn't any special level of permissions... Just normal permissions to start it.



  • 6.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Broadcom Employee
    Posted Dec 12, 2014 09:45 AM

    Hi,

    Thank you for posting your query in Symantec community.

    I would be glad to answer your query.

    SEPM services will now run under reduced privilege service accounts. The account used will depend on the platform the SEPM is installed on.

    •    The “Network Service” account will be used for Windows Server 2003/2008, Windows XP 
    •    Service Virtual Accounts will be used for Windows Server 2008 R2 or higher, Windows 7 / 8 etc. (e.g. NT Service\semsrv) 

    This change is by design in order to reduce the privileges and permissions of the accounts which run the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.

    TECH224312 can be provided as a reference article to the concerned team.

     



  • 7.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 12, 2014 10:14 AM

    Thanks for the suggestions guys, I did try the above steps with the account our team has created called fj_symantec.  However, after rebooting the SEPM the Embedded Database service just sits in a 'starting' state when using this account.

    It is a Windows 2008 R2 server, are there any specific groups this account would need to be part of?  I've added the account as a local admin on the server but still no effect.



  • 8.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 12, 2014 10:19 AM

    Under normal circumstances

    To edit the local policy settings

    1. Open the Group Policy Editor. To open this program on most Windows operating systems, click Start > Run, and then enter gpedit.msc.
    2. Under Computer Configuration, click Windows Settings > Security Settings > Local Policies > User Rights Assignment.
    3. In the right pane, double-click Log on as a service.
    4. In the Log on as a service Properties window, on the Local Security Setting tab, click Add User or Group.
    5. Click Locations, click on the name of the computer, and then click OK.
    6. Under Enter the object names to select, enter the following:
      • NT SERVICE\SQLAnys_sem5
      • NT SERVICE\semwebsrv
      • NT SERVICE\semsrv
    7. Click OK, and then click OK again.

    Is your new account added to the above?



  • 9.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 12, 2014 10:41 AM

    Sooooo, the basic idea behind Virtual Accounts is to improve accountability and visibility of actions performed by services that historically ran under the Local System account.

    More info on Virtual Accounts can be found on the MS link below:

    http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

    As the others have already provided, adding these virtual accounts into the local security settings for the SEPM itself is pretty simple.  Domain accounts really shouldn't be required (as being able to authenticate to any machine in the domain is less secure to my mind).

    If you want to avoid any policy amendments to accommodate Virtual Accounts, you are able to swap the SEPM services round back to using the Local System account if you want.



  • 10.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 12, 2014 12:13 PM

    Thanks for the advice, I have changed the service to the Local System Account and rebooted the server but the Embedded DB service just sits in a 'Starting' state.  This is why I had initially thought about creating an independent account for the service.

    Any ideas why the Embedded DB Service would start when using the Local System Account?

    Thanks,

    John



  • 11.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 12, 2014 12:20 PM

    Try these steps John

    https://www-secure.symantec.com/connect/forums/sepm-1215-embedded-database-services-status-starting-only



  • 12.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 15, 2014 03:33 AM

    Just to confirm the situation then:

    • The Embedded DB service gets stuck on "Starting" when attempting to run as either your domain account with "log on as a service" rights, or the "Local System" account
    • It starts fine when running as the Virtual Account (please confirm you've gone back and successfully started as this account)

    At first glance, it would suggest differences in permissions if the above is correct.  And yet, I'd personally be inclined to check out the err.log and out.log files of the Embedded DB.



  • 13.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Broadcom Employee
    Posted Dec 15, 2014 07:29 AM

    Verify the properties of the Embedded DB service, make sure startup type is set to 'Auto'. 



  • 14.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Dec 31, 2014 12:39 PM

    Issue

     The Symantec Embedded Database service (SQLANYs_sem5) fails to start after installing or migrating to Symantec Endpoint Protection 12.1.5 (SEP RU5).

    Error
    In the Windows event log:
    SQLANYs_sem5
    Can't open Message window log file: D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\db\out.log

    In the Upgrade-0.log:
    The service SQLANYs_sem5 failed to be started.

    In the Management Server Upgrade Wizard:
    Setting ACL...(100%)...Done
    Error occurred

    Cause
    In SEP 12.1.5 (RU5), Symantec changed the SemSrv and SemWebSrv services to use service virtual accounts. These services are set to an UNRESTRICTED SID type, but the SQLANYs_sem5 service remains under the RESTRICTED category.

    Solution
    FIRST STOP ALL Symantec Endpoint Services!

    Then use the following workaround to change the SID type to UNRESTRICTED, since we are using a service virtual account for the Symantec Embedded Database service as well.

    Note: A permanent solution is targeted for SEP 12.1.5 RU5 MP1.

    Check the SID type of the service
    1. On the computer where SEPM is installed, click Start > Run.
    2. Type CMD and click OK.
    3. Type sc qsidtype SQLANYs_sem5
    4. Verify that the following is returned:
    [SC] QueryServiceConfig2 SUCCESS
    SERVICE_NAME: SQLANYs_sem5
    SERVICE_SID_TYPE: RESTRICTED

    Change the SID type of the SQLANYs_sem5 service to UNRESTRICTED
    1. On the computer where SEPM is installed, click Start > Run.
    2. Type CMD and click OK.
    3. Type cd "<Drive>:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin"

    Note: Replace <Drive> with the drive that SEPM is installed on.

    4. Type ServiceUtil.exe -changeservicesidtype 1 -servicename "SQLANYs_sem5"

    Note: Running the command returns: "Change the semsrv service SID successfully." The string "semsrv" is hardcoded, but we are changing the SID type for the SQLANYs_sem5 service. Please disregard that message.

    Verify that the SID type has changed to UNRESTRICTED
    1. On the computer where SEPM is installed, click Start > Run.
    2. Type CMD and click OK.
    3. Type sc qsidtype SQLANYs_sem5

    Start services
    After following the preceding steps, start the following services:
    (I ACTUALLY HAD To REBOOT the Server to get it to work)

    • Symantec Embedded Database
    • Symantec Endpoint Protection Launcher
    • Symantec Endpoint Protection Manager
    • Symantec Endpoint Protection Manager Webserver
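
The checks from posts 13 and 14, collected into one read-only report. This is an added example, not part of the original post and not Symantec code; it assumes Windows PowerShell on the SEPM server and that the three service names used in this thread are installed there.

```powershell
# Added example (not from the thread): read-only audit of the SEPM services.
# Uses only cmdlets available in Windows PowerShell 2.0 (Server 2008 R2).
$services = 'SQLANYs_sem5', 'semsrv', 'semwebsrv'

function Get-ServiceSidType {
    param([string]$Name)
    # sc.exe prints a line such as "SERVICE_SID_TYPE:  RESTRICTED"
    $text = (& sc.exe qsidtype $Name | Out-String)
    $m = [regex]::Match($text, 'SERVICE_SID_TYPE\s*:\s*(\S+)')
    if ($m.Success) { $m.Groups[1].Value } else { 'UNKNOWN' }
}

$report = foreach ($name in $services) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name is not installed on this computer"; continue }
    New-Object PSObject -Property @{
        Service   = $svc.Name
        State     = $svc.State       # e.g. Running, Stopped, Start Pending
        StartMode = $svc.StartMode   # Auto, Manual or Disabled
        LogOnAs   = $svc.StartName   # e.g. NT SERVICE\SQLANYs_sem5 or LocalSystem
        SidType   = Get-ServiceSidType $svc.Name
    }
}

$report | Where-Object { $_ } |
    Select-Object Service, State, StartMode, LogOnAs, SidType |
    Format-Table -AutoSize

# Flag the two conditions discussed in the thread.
$report | Where-Object { $_ } | ForEach-Object {
    if ($_.SidType -eq 'RESTRICTED') {
        Write-Warning "$($_.Service): SID type is RESTRICTED (see the workaround in post 14)"
    }
    if ($_.StartMode -ne 'Auto') {
        Write-Warning "$($_.Service): startup type is $($_.StartMode), not Auto (post 13)"
    }
}
```

The script changes nothing; the SID type itself is still changed with the ServiceUtil.exe command given in the post.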



  • 15.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Broadcom Employee
    Posted Jan 16, 2015 06:16 AM

    Hi John_O,

    Is there any update?



  • 16.  RE: SEP12.1 RU5 NT SERVICE\SQLANYs_sem5 account permissions?

    Posted Feb 19, 2015 01:20 AM

    If you use Domain Policy, you can't add them to local policy - it'll be greyed out.  Instead, add the following accounts to your domain policy.

    If you do this from a machine other than the SEPM server, it won't be able to validate the account, so install the Group Policy Management Console on the SEPM server and then find the account that way to add to the Domain Policy. 

     

    Add these accounts:

    NT SERVICE\SQLAnys_sem5

    NT SERVICE\semwebsrv

    NT SERVICE\semsrv
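
A read-only way to confirm on the SEPM server that the three virtual accounts actually hold "Log on as a service", whether the right comes from local or domain policy. This is an added example, not part of the original post; it assumes an elevated Windows PowerShell prompt, and the temporary file name and the check for the built-in NT SERVICE\ALL SERVICES group (well-known SID S-1-5-80-0) are choices made for this example.

```powershell
# Added example (not from the thread): which accounts hold SeServiceLogonRight?
# Run elevated on the SEPM server; virtual accounts only resolve where the service exists.
$accounts = 'NT SERVICE\SQLAnys_sem5', 'NT SERVICE\semwebsrv', 'NT SERVICE\semsrv'
$allServicesSid = 'S-1-5-80-0'   # NT SERVICE\ALL SERVICES

function Resolve-Sid {
    param([string]$Account)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }            # account cannot be validated on this machine
}

# Export the user rights held in this server's security database.
$cfg = Join-Path $env:TEMP 'sepm_user_rights.inf'   # temporary file, name is arbitrary
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg

# Entries look like "*S-1-5-20,*S-1-5-80-0,DOMAIN\user"; normalise everything to SIDs.
$granted = @()
if ($line) {
    $granted = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')
        if ($entry -like 'S-1-*') { $entry } else { Resolve-Sid $entry }
    }
}

foreach ($account in $accounts) {
    $sid = Resolve-Sid $account
    if (-not $sid) {
        Write-Warning "$account could not be resolved; is the service installed here?"
    } elseif ($granted -contains $sid) {
        Write-Output "$account ($sid): granted directly"
    } elseif ($granted -contains $allServicesSid) {
        Write-Output "$account ($sid): granted through NT SERVICE\ALL SERVICES"
    } else {
        Write-Warning "$account ($sid): NOT granted Log on as a service"
    }
}
```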