
Symantec Endpoint Encryption DC&RS Service accounts/Server Credentials

Created: 19 Feb 2013 | 4 comments

OK, I know mostly from testing and a little from documentation that the Device Control and Removable Storage server credentials SHOULD be a domain admin account, but suppose I didn't want that account to have privileges that high and only have local admin on the server machine running the Symantec software.  Also suppose that I want all of my AD service account passwords changed every 90 days for security reasons and I need to change the password of the service account running the RS and DC servers.  How could I effectively change the password so that the DC server and manager console will still work?  I have been trying to find a workaround for this but have not come up with a solid solution yet.  I have tried to change the server credentials temporarily to my AD credentials in the DC and RS config wizard, then change the password for the original service account, then change it back to this service account in DC, but it never works.  Where are the service account credentials stored that were used to install the server?  Are they in the database and cannot be changed?  If there is no way to accomplish this then I guess I will have to deal with it, but I do need to have the password changed on this account every 90 days as set by our security policy.  Also, I know how to change it everywhere in the RS config wizard, but is there anything else that I have to do after that?  Would I have to re-deploy a new copy of the framework package to all client machines?  I know I can't be the only one out there with these kinds of questions, so would someone please help.

On another note, I do suggest that Symantec change their documentation to include that not all functions will work if the server credentials are not domain admin, and also list all of those functions.  I know that the documentation says that having domain admin privileges is recommended and that it is vital to the operation of the server, but that information was not enough for me, and it would take but one small paragraph to explain it.

4 Comments

Alex_CST:

The whole point of service accounts is to bypass that security hurdle.  You never need to change the password on service accounts; you simply put them in an OU that denies them the ability to log onto anything except what they need for the service they are being used for.

Please mark posts as solutions if they solve your problem!

David.H:

Yes, I understand the point of service accounts, but our organization has set that security policy and I can't do anything about it.  We have had our security audits every year, and just this last year we got dinged on the fact that our service account passwords had never been changed in X number of months/days, so they set it up so that we have to change them.  So that is why I am trying to find out any information that I can so that I can do this.  If there is no solution, or the solution is way too cumbersome to go through with, then I will just have to explain it to management so that we don't have to worry about it anymore.

SMLatCST:

Regarding RS:

Of the three service accounts potentially in use (DB/AD/IIS), none of them need domain admin rights.  The DB and AD creds are relatively simple to change the passwords for, in that they would need to be updated in the SEEMS Configuration Wizard to take effect.  If the creds for the IIS check-in account are changed, they must be updated in the SEEMS Configuration Wizard, and a new Framework Client package must be exported (which contains the new credentials) and all SEE clients must be upgraded with the new package.

Regarding DC:

The account credentials are fairly easy to change here, so I'm unclear as to how changing the creds for SEE-RS are affecting SEE-DC.  It is important to note that they are separate products, so should be using different service accounts.  From what I recall, domain admin rights are required for SEE-DC to be able to push policies via GPO and/or make WMI calls to the client.

David.H:

I think I may have been somewhat unclear on what I am trying to accomplish, and thanks for those two links.
Regarding RS: 

I have successfully changed the credentials in the config wizard and everything is running ok.  Both RS and DC are using the same service account. 

Regarding DC:  Right now the service account has local admin on the server so that I could install the software on the server without having the domain admin permissions.  

I can change the server credentials, that part is pretty easy, but the hard part is when the first service account password is changed.  Here is what I did: opened the DC Manager Console and signed on with my Windows credentials (located in the admin group I created for managing the DC console).  Changed the Server Credentials to my Windows account (which is domain admin, so the server will still function).  After this the server still operates normally, but if I or anyone else changes the password of the service account that was first used and also used to install the server, then you can't get back into the console and the services will not run.  The only way to fix it is to change the original service account password back to the previous one.

I want a way to be able to change the password on the service account without having the services fail or the manager console fail when logging on.  I am not really worried about the account having domain admin at this time, as I have found a way around it.  We are using the native policies and the client logs are still sent to the server like they should be; I just can't issue the command to retrieve logs from any client.
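The thread above comes down to a generic Windows problem: a service account whose password is about to be rotated is still the log-on identity of things on the server, and anything not updated breaks the moment the old password stops working. As an added example (this is not Symantec code and not part of the original thread), the following PowerShell inventory lists every Windows service, scheduled task and IIS application pool on the host that logs on as the account, and reports the account's password age and whether it sits in Domain Admins, so the list of places to update is known before the password changes. The account name `CORP\svc-see` and the 90-day threshold are placeholder assumptions; the script needs an elevated session on the server, and the AD and IIS checks only run if the ActiveDirectory and WebAdministration modules are installed there.

```powershell
# Added example for this thread (not Symantec code). Inventory every Windows-level
# dependency on a service account before rotating its password.
# Assumption: the account name below is a placeholder; pass your own with -Account.
param(
    [string]$Account = 'CORP\svc-see'
)

function Test-SameAccount {
    # Windows stores log-on identities as DOMAIN\user, user@domain.tld, .\user or
    # bare user. Compare on the user part only and let the Identity column in the
    # report show the exact spelling found, so a same-named local account is visible.
    param([string]$Stored, [string]$Wanted)
    if ([string]::IsNullOrWhiteSpace($Stored)) { return $false }
    $wantedUser = $Wanted.Split('\')[-1]
    $storedUser = if ($Stored -like '*\*') { $Stored.Split('\')[-1] } else { ($Stored -split '@')[0] }
    return $storedUser -ieq $wantedUser
}

function Get-ServiceAccountUsage {
    param([string]$Account)
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Windows services: Win32_Service.StartName is the log-on identity.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-SameAccount -Stored $_.StartName -Wanted $Account } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Kind = 'Service'; Name = $_.Name; Identity = $_.StartName; State = $_.State })
        }

    # 2. Scheduled tasks: the principal's UserId is the run-as account.
    Get-ScheduledTask |
        Where-Object { Test-SameAccount -Stored $_.Principal.UserId -Wanted $Account } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Kind = 'ScheduledTask'; Name = $_.TaskName; Identity = $_.Principal.UserId; State = $_.State })
        }

    # 3. IIS application pools with a custom identity (relevant if the thread's IIS
    #    check-in account is used as a pool identity). Skipped when IIS tooling is absent.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools |
            Where-Object { Test-SameAccount -Stored $_.processModel.userName -Wanted $Account } |
            ForEach-Object {
                $hits.Add([pscustomobject]@{
                    Kind = 'IISAppPool'; Name = $_.Name; Identity = $_.processModel.userName; State = $_.state })
            }
    }
    return $hits
}

function Get-AccountPasswordStatus {
    # Password age and direct Domain Admins membership from AD (RSAT module required).
    # Nested group membership is not resolved here. $MaxAgeDays = 90 mirrors the
    # policy in the thread; it is an assumption, not a Symantec requirement.
    param([string]$Account, [int]$MaxAgeDays = 90)
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return $null }
    Import-Module ActiveDirectory
    $sam = $Account.Split('\')[-1]
    $u = Get-ADUser -Identity $sam -Properties PasswordLastSet, MemberOf
    $age = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        Account         = $Account
        PasswordLastSet = $u.PasswordLastSet
        PasswordAgeDays = $age
        OverMaxAge      = ($null -ne $age -and $age -gt $MaxAgeDays)
        IsDomainAdmin   = [bool]($u.MemberOf | Where-Object { $_ -like 'CN=Domain Admins,*' })
    }
}

$usage = Get-ServiceAccountUsage -Account $Account
if ($usage.Count -eq 0) {
    Write-Output "No service, scheduled task or IIS app pool on $env:COMPUTERNAME logs on as $Account."
} else {
    Write-Output "Update these when rotating the password for ${Account}:"
    $usage | Format-Table -AutoSize
}
Get-AccountPasswordStatus -Account $Account | Format-List
```

The report covers only what Windows itself records about the account on that host; credentials the SEE configuration wizards hold for their own use (the DB, AD and IIS check-in entries the thread mentions) are not visible to it and still have to be updated in the wizards, with the Framework Client package re-exported if the IIS check-in credentials were the ones rotated.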