Endpoint Protection

  • 1.  What does the Active Directory integrations do?

    Posted Jun 27, 2011 10:56 AM

    I have added the Active Directory servers to the Symantec Manager and created a user, which currently doesn't work, but we know why, so this part I'm not so worried about, as we've got it working on other accounts we manage. The Symantec documentation states that a Domain Admin account is required, and with the current work I am doing the client is not happy to hand out a Domain Admin account, as you can imagine. They have therefore asked the following:

    What does the Active Directory connection do and how does it work? I can't find it documented or maybe I am looking in the wrong place?

    Does the user in the setup have to be a Domain Admin or will a lower privilege user work? I'm assuming this would depend on what is being done by Symantec to find the user in the above part?

    Many thanks

    Tim



  • 2.  RE: What does the Active Directory integrations do?

    Posted Jun 27, 2011 11:28 AM

    This should explain everything you need

     

    Organizational Units from Active Directory in Symantec Endpoint Protection 11.0

     

    http://www.symantec.com/business/support/index?page=content&id=TECH102546

     

    It's a sort of blueprint; once you import the AD, you will get all your OUs so that it will be easy for you to decide what policies can be applied to each OU.
    Even after importing it, you need to create packages and install it.

    When adding, you need to have the domain admin ID and password so that SEPM can contact AD and import it inside SEPM.
    You need the domain admin account. If you can't get a new one, you can just give the AD team access; let them enter the ID and password; that's all that's needed.


  • 3.  RE: What does the Active Directory integrations do?

    Posted Jun 27, 2011 11:41 AM

    Don't do it!  It will cause you nothing but trouble.

    It is very difficult to disable Active Directory integration once you start.  



  • 4.  RE: What does the Active Directory integrations do?

    Posted Jun 27, 2011 11:58 AM

    Rafeeq,

    Thanks for your update but I don't want to import the AD structure into my SEPM as that would be madness in the current project I'm working on!! I just want to create Admin users for Support purposes that relate to users in AD to log onto the SEPM. I needed to know how the connection works and what "lookup" is carried out?

    Cheers

    Tim



  • 5.  RE: What does the Active Directory integrations do?

    Posted Jun 27, 2011 12:26 PM

    Check this document; let me know if you need anything else.

     

    How to Login to Symantec Endpoint Protection Manager using your Active Directory User name and password

    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/05224c9dda7f295eca25742e0018cf01?OpenDocument



  • 6.  RE: What does the Active Directory integrations do?

    Posted Jun 27, 2011 12:42 PM

    I use SEP with AD integration and I love it.



  • 7.  RE: What does the Active Directory integrations do?

    Posted Jun 27, 2011 12:55 PM

    Rafeeq,

    I've read all of these and they don't tell me what I need to know. The customer I am doing this for will not provide me with a Domain Admin user to do this unless I tell them exactly what interaction there is between the SEPM and AD for users logging onto the SEPM Console and if it really needs to be a Domain Admin or if a lower privilege user can do the same thing?

    Cheers

    Tim



  • 8.  RE: What does the Active Directory integrations do?

    Posted Jun 27, 2011 01:17 PM

    For logging in to SEPM, you use your AD authentication.

    This can be any user who has an ID in the AD.

    We have a user in AD called SEPAdmin. When logging in we use this ID.

    Inside SEPM you can make this ID a limited admin to SEPM or full admin; where he can just view reports.

    It need not be a Domain admin.



  • 9.  RE: What does the Active Directory integrations do?

    Posted Jun 27, 2011 01:27 PM

    Rafeeq,

    As I stated earlier, I don't think you are understanding what I mean.

    According to Symantec documentation the user required for adding the AD Servers into SEP needs to be a Domain Admin to allow the integration to function. I need to know if this is true as the customer is reluctant to give me Domain Admin access and wants to know if it can be done with a more limited access user.

    Is this Domain Admin User required to just configure access to AD or to clarify the user exists in AD, and once you have created a user in the SEPM and then log in using this user ID, is it just a lookup that is carried out to AD to verify the user?

    Cheers



  • 10.  RE: What does the Active Directory integrations do?
    Best Answer

    Posted Jun 27, 2011 01:55 PM

    To add the AD info, yes, a Domain Admin account is needed.

    This is needed to configure the access to AD.

    It does not check for user existence. This should exist in AD.

    In the background it will pass the user credential info to AD. If it exists and the password is correct, you will be able to log in.

     

     and once you have created a user in the SEPM and then log in using this user id it just a lookup that is carried out to AD to verify the user?

    You can use either the Active Directory User name in this field, or any other User name desired. For clarity, it is recommended to use the Active Directory name for the AD account you intend to tie to this log in.

    This will not check when you create the User; it will pass the logon info to AD.