Endpoint Protection


SEP 12.1.5 and services accounts

  • 1.  SEP 12.1.5 and services accounts

    Posted Sep 30, 2014 03:22 PM

    Hi

    I've recently updated my SEPM to version 12.1.5. When it finished it worked perfectly, but when I restarted the server (after updating the SEP client) the services Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver didn't start.
    I found the document "Troubleshooting log on as a service permissions for Symantec Endpoint Protection Manager", which indicates that the accounts NT SERVICE\semwebsrv and NT SERVICE\semsrv need to be included in the "Log On As a Service" policy. The problem is that we have Domain Policies that override the local policies, and I can't add those accounts to the Domain Policy.

    Besides removing the Domain Policies, is there another way to run the services, with or without those accounts?

    Thanks



  • 2.  RE: SEP 12.1.5 and services accounts

    Posted Oct 01, 2014 11:36 AM

    May want to get some direction from support on this



  • 3.  RE: SEP 12.1.5 and services accounts

    Posted Oct 01, 2014 11:53 AM

    AFAIK these services run under virtual accounts that do not exist outside of the machine on which they were created. These should have been given the appropriate rights on creation (by the SEPM installer).

    Maybe try a repair of the SEPM?

    Otherwise, you could try amending via the Local Security Policy, or amending the services to run as Local System (which is what both originally ran under pre-12.1 RU5).



  • 4.  RE: SEP 12.1.5 and services accounts

    Posted Oct 01, 2014 11:54 AM

    Oh yeah, the above was provided as information. I agree with Brin that a support case is probably the preferred way forward (Thumbs up!)



  • 5.  RE: SEP 12.1.5 and services accounts

    Broadcom Employee
    Posted Oct 15, 2014 07:31 AM

    Hi,

    Please use the following to fix the issue:

    1. Go to your AD controller and open Group Policy Management
    2. Go to WMI Filters and create a new one, e.g. "SEPM 12.1 RU5 virtual accounts"
    3. Click "Add"
    4. Keep the existing Namespace (root\CIMv2)
    5. Insert the following in Query:
      SELECT * FROM Win32_ComputerSystem WHERE Name='SEPMSERVERNAME'
    6. Click "OK" and "Save"
    7. Create a new GPO, e.g. "0_SERVERPOLICY_SEPM_virtual_accounts", linked to the OU which contains the SEPM server
    8. Edit the GPO, deactivate "User Policy Settings" and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
    9. Go to "Log on as a service" and edit the policy
    10. Click "Add User or Group" and change the location to the local computer
    11. Enter the name of the user account with the following syntax, "SEPMSERVERNAME\semsrv", and then press "Check Names"
    12. The user from the local system should now be in the GPO

    If this doesn't help please open a Support Case.



  • 6.  RE: SEP 12.1.5 and services accounts

    Posted Oct 15, 2014 10:43 AM

    I have the same trouble and followed tknorr's steps above.  That did not work.

    SEPM server is Windows 2012 R2.

    Any other options other than moving the server into its own OU and a unique GPO setup so we can modify the "Log on as a service" permission locally on the server?

    Thanks...CN



  • 7.  RE: SEP 12.1.5 and services accounts

    Posted Oct 15, 2014 11:11 AM

    Well, I opened a case with Symantec and the solution was: change the services to the Local System account. I did it and they are working fine.

    NOTE: Once you change this, you CAN'T configure the accounts again unless you know the password for the semwebsrv and semsrv accounts.

    Regards



  • 8.  RE: SEP 12.1.5 and services accounts

    Posted Oct 15, 2014 11:18 AM

    Did some more testing and found out you can use the group "NT SERVICE\ALL SERVICES" in the Group Policy Object to correct this issue.



  • 9.  RE: SEP 12.1.5 and services accounts

    Posted Oct 15, 2014 11:20 AM

    Not sure of the security ramifications of this group, so BEWARE. The group corresponds to SID S-1-5-80-0 and more info can be found here: http://support.microsoft.com/kb/243330.



  • 10.  RE: SEP 12.1.5 and services accounts

    Posted Oct 15, 2014 11:23 AM

    Not sure of the security ramifications of this group, so beware. The group corresponds to SID S-1-5-80-0 and more info can be found in MS KB243330.



  • 11.  RE: SEP 12.1.5 and services accounts

    Posted Oct 15, 2014 11:30 AM

    Must admit, I did kind of expect that to be the answer (as per my first post).

    Oddly enough, the MS steps for creating Virtual Accounts (not Managed Service Account) are ridiculously simple:

    http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx



  • 12.  RE: SEP 12.1.5 and services accounts

    Broadcom Employee
    Posted Oct 16, 2014 09:16 AM

    If you want to verify the accounts on the Domain Controller, you will only find the SIDs of the hidden service accounts.

    You can go to the SEPM, open a CMD with administrative rights and enter the following:

    sc showsid semsrv

    This will give you the SID of the NT SERVICE\semsrv account.

    Do the same for NT SERVICE\semwebsrv.

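As an added example (not from the post above, nor Symantec's own tooling), the following PowerShell derives a virtual account SID the way Windows does, as S-1-5-80 followed by the SHA-1 of the upper-cased, UTF-16LE service name read as five little-endian DWORDs, and cross-checks the result against `sc.exe showsid`. This lets a domain admin know, before a GPO is pushed, exactly which SID the entry for NT SERVICE\semsrv or NT SERVICE\semwebsrv has to resolve to on the SEPM host. The service names semsrv and semwebsrv are taken from the thread; TrustedInstaller is used only as a documented known-answer test of the derivation.

```powershell
# Added example: derive and verify Windows service (virtual account) SIDs.
# Not part of the original thread. Needs sc.exe, present on any supported Windows.

function Get-ServiceSid {
    # Returns the NT SERVICE\<name> SID, computed locally:
    #   S-1-5-80-<5 little-endian DWORDs of SHA1(UPPER(name) encoded as UTF-16LE)>
    param([Parameter(Mandatory)][string]$ServiceName)

    $nameBytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { $digest = $sha1.ComputeHash($nameBytes) }
    finally { $sha1.Dispose() }

    $subAuthorities = for ($i = 0; $i -lt $digest.Length; $i += 4) {
        [BitConverter]::ToUInt32($digest, $i)   # little-endian on x86/x64, as Windows stores sub-authorities
    }
    return 'S-1-5-80-' + ($subAuthorities -join '-')
}

function Get-ServiceSidFromSc {
    # Asks the Service Control Manager for the same SID. sc.exe computes it for
    # any name, installed or not, and also reports whether the service SID is
    # Active (registered by the installer) on this host.
    param([Parameter(Mandatory)][string]$ServiceName)

    $out = & sc.exe showsid $ServiceName 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe showsid $ServiceName failed: $out" }

    $sid    = ($out | Select-String 'SERVICE SID:\s*(\S+)').Matches[0].Groups[1].Value
    $status = ($out | Select-String 'STATUS:\s*(\S+)').Matches[0].Groups[1].Value
    [pscustomobject]@{ Service = $ServiceName; Sid = $sid; SidStatus = $status }
}

# Known-answer test: the documented SID of NT SERVICE\TrustedInstaller.
$expected = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
if ((Get-ServiceSid 'TrustedInstaller') -ne $expected) {
    throw 'Service SID derivation does not match the documented TrustedInstaller SID'
}

# The two SEPM 12.1 RU5 virtual accounts named in the thread.
foreach ($svc in 'semsrv', 'semwebsrv') {
    $computed = Get-ServiceSid $svc
    $fromSc   = Get-ServiceSidFromSc $svc
    [pscustomobject]@{
        Account   = "NT SERVICE\$svc"
        Sid       = $computed
        MatchesSc = ($computed -eq $fromSc.Sid)
        SidStatus = $fromSc.SidStatus      # 'Active' once the SEPM installer has registered the service
    }
}
```

Because the SID is a pure function of the service name, it is identical on every machine where the service is installed; what differs per host is only whether the SID has been granted SeServiceLogonRight there, which is exactly what a domain-wide "Log on as a service" GPO overwrites.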


  • 13.  RE: SEP 12.1.5 and services accounts

    Posted Oct 27, 2014 02:58 PM

    Hi tknorr

    Once I've changed the services to the Local System account, is there any way to return them to the NT SERVICE\semwebsrv accounts?

    Thanks!!



  • 14.  RE: SEP 12.1.5 and services accounts

    Posted Oct 28, 2014 04:29 AM

    Did you read the MS link I posted?

    It is as simple as locating the service and changing the credentials in the "Log On" tab to "NT SERVICE\<ServiceName>" (so in the case of the Tomcat part of SEPM, the logon credentials would be "NT SERVICE\semsrv") with no password. Restart the service and you're done.

    Obviously this is a fairly recent addition (Win2k8 R2), so these steps are not going to work on older OSs. For reference, here's that MS link again. Just jump down to the "Virtual Accounts" section:

    http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

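The command-line equivalent of the Services MMC steps in the post above, written here as an added example rather than taken from the post or from Symantec: `sc.exe config` is given only `obj=` (virtual accounts have no password), the service is restarted, and a start failure is reported as the "Log on as a service" symptom this thread is about. The service names semsrv and semwebsrv are from the thread; run it elevated on the SEPM host.

```powershell
# Added example: point a service back at its NT SERVICE\<name> virtual account
# and restart it. Not part of the original thread. Run from an elevated prompt.

function Set-ServiceVirtualAccount {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [switch]$Restart
    )

    $svc = Get-Service -Name $ServiceName -ErrorAction Stop

    # Virtual accounts carry no password, so only obj= is set.
    # sc.exe requires the space after "obj=".
    & sc.exe config $ServiceName obj= "NT SERVICE\$ServiceName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config $ServiceName failed with exit code $LASTEXITCODE"
    }

    if ($Restart) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $ServiceName -Force }
        try {
            Start-Service -Name $ServiceName -ErrorAction Stop
        }
        catch {
            # Typically Win32 error 1069 (ERROR_SERVICE_LOGON_FAILED): the virtual
            # account exists but has no SeServiceLogonRight on this host, e.g.
            # because a domain GPO replaced the local "Log on as a service" list.
            throw "Start failed for $ServiceName (check 'Log on as a service'): $($_.Exception.Message)"
        }
    }

    # Report what the SCM now has on record for the service.
    Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
        Select-Object Name, StartName, State
}

# The two SEPM 12.1 RU5 services named in the thread.
foreach ($name in 'semsrv', 'semwebsrv') {
    Set-ServiceVirtualAccount -ServiceName $name -Restart
}
```

If the start fails, nothing about the account is wrong; the right has to be granted first (locally, or through a GPO scoped to the SEPM host as described elsewhere in this thread), after which the same command succeeds without further changes.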


  • 15.  RE: SEP 12.1.5 and services accounts
    Best Answer

    Broadcom Employee
    Posted Nov 06, 2014 10:17 AM

    Hi all,

    The solution works fine for me. One thing I forgot to explain is that you have to install the Group Policy Management Console on the SEPM.

    Then follow the steps:

    1. Go to your SEPM and open Group Policy Management
    2. Go to WMI Filters and create a new one, e.g. "SEPM 12.1 RU5 virtual accounts"
    3. Click "Add"
    4. Keep the existing Namespace (root\CIMv2)
    5. Insert the following in Query: SELECT * FROM Win32_ComputerSystem WHERE Name = 'SEPM SERVERNAME'
    6. Click "OK" and "Save"
    7. Create a new GPO, e.g. "0_SERVERPOLICY_SEPM_virtual_accounts", linked to the OU which contains the SEPM server
    8. Edit the GPO, deactivate "User Policy Settings" and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
    9. Go to "Log on as a service" and edit the policy
    10. Click "Add User or Group" and change the location to the local computer
    11. Enter the name of the user account with the following syntax:
      NT SERVICE\semwebsrv and NT SERVICE\semsrv
    12. The user from the local system should now be in the GPO
    13. Assign the WMI filter to this GPO.

    If this doesn't help please open a Support Case.


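Once the GPO from the steps above (or the earlier variant of the same procedure) has been applied with gpupdate, the thing worth checking on the SEPM host is whether the effective "Log on as a service" right actually contains the two service SIDs. The following is an added example, not part of the original thread or of Symantec's tooling: it exports the effective local security database with secedit, reads SeServiceLogonRight, and compares it with the SIDs `sc.exe showsid` reports for semsrv and semwebsrv. It also flags S-1-5-80-0 (NT SERVICE\ALL SERVICES, the broad workaround mentioned later in this thread), which satisfies the right for every service SID on the host rather than just these two. Run elevated on the SEPM host.

```powershell
# Added example: verify the effective SeServiceLogonRight on the SEPM host
# covers the SEPM virtual accounts. Not part of the original thread. Run elevated.

function Get-ServiceLogonRightSids {
    # secedit exports the effective local security database (including rights
    # pushed by Group Policy) as a UTF-16 INI file; accounts appear as *<SID>.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if (-not (Test-Path $cfg)) { throw 'secedit export failed (run from an elevated prompt)' }

        $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        if (-not $line) { return @() }   # right not configured at all

        ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
    }
    finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

function Test-SepmServiceLogonRight {
    param([string[]]$Services = @('semsrv', 'semwebsrv'))

    $granted = Get-ServiceLogonRightSids
    # S-1-5-80-0 is NT SERVICE\ALL SERVICES: every service SID is a member, so it
    # grants the right to all services on the host, not only the SEPM ones.
    $allServices = $granted -contains 'S-1-5-80-0'

    foreach ($svc in $Services) {
        $sidLine = & sc.exe showsid $svc | Select-String 'SERVICE SID:\s*(\S+)'
        $sid     = $sidLine.Matches[0].Groups[1].Value
        $cim     = Get-CimInstance Win32_Service -Filter "Name='$svc'"

        [pscustomobject]@{
            Service        = $svc
            Sid            = $sid
            RunsAs         = if ($cim) { $cim.StartName } else { '<not installed>' }
            State          = if ($cim) { $cim.State }     else { '<not installed>' }
            DirectGrant    = $granted -contains $sid        # the GPO entry from this thread
            ViaAllServices = $allServices                   # the ALL SERVICES workaround
            CanLogOn       = ($granted -contains $sid) -or $allServices
        }
    }
}

Test-SepmServiceLogonRight | Format-Table -AutoSize
```

A row with CanLogOn False while RunsAs shows NT SERVICE\semsrv is precisely the state that produces the failed start after the RU5 upgrade; a row with RunsAs of LocalSystem means the service has been switched to the Local System workaround and the right is no longer what gates its start.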

  • 16.  RE: SEP 12.1.5 and services accounts

    Posted Nov 21, 2014 11:03 PM

    Hi, I tried to change the services to the local system account but the embedded database service gets stuck in "Starting" status.

    Ray



  • 17.  RE: SEP 12.1.5 and services accounts

    Posted Nov 26, 2014 09:32 AM

    I had the same problem, and I use Group Policy to manage "log on as a service" as well.

    Simply deleting the service logon passwords for the 3 Symantec services that would not start fixed it for me.

    Later I might try to create a domain service account and scope it to that server, but for now this seems OK.



  • 18.  RE: SEP 12.1.5 and services accounts

    Posted Dec 15, 2014 08:32 PM

    Has anyone been able to confirm TKNORR's solution works? Also, you can change the "Log on as" service account to the Local System account and you will be able to start the service and access SEPM.

    My only problem is that once I get into SEPM, all of my clients are offline and will not communicate with the server through port 8014... You can test this by going to http://192.168.1.2:8014/secars/secars.dll?hello,secars; if it works you will get an OK.

    For me it will resolve but I never get the OK. I am thinking this is due to me changing the Log On As account to the Local System account?!

    Also, you can change it back to the default virtual service accounts for Log on as by running upgrade.bat.



  • 19.  RE: SEP 12.1.5 and services accounts

    Posted Dec 16, 2014 12:24 PM

    As suggested above:

    You can just run a SEPM repair from Add/Remove Programs and it will re-add the 2 SEPM virtual service accounts to the "Log on as a service" location in the GPO. We are experiencing this same difficulty because there is a GPO that prevents me from adding the accounts back to the GPO manually. I've even elevated gpedit.msc on the local server under NT Authority\System and I still cannot add those accounts manually. I am working with my domain admins now to allow these virtual service accounts.



  • 20.  RE: SEP 12.1.5 and services accounts

    Posted Dec 17, 2014 03:58 AM

    Again, I'd highly recommend reviewing the MS link I posted earlier, as it sounds like you're after the Managed Service Account option rather than the Virtual Accounts the SEPM natively tries to implement.



  • 21.  RE: SEP 12.1.5 and services accounts

    Posted Mar 12, 2015 03:26 PM

    Tknorr thank you very much for posting, this resolved my issue.

    I contacted Symantec support, opened a support case and got someone overseas. I was on the line with him for about 3 hours and he was not able to help me at all. I then spoke to a supervisor who directed me to Microsoft to resolve the issue. What a joke.

    I know you're marked as a Symantec employee and I just wanted to take the time to thank you for your detailed instructions that helped me resolve this issue in 25 minutes instead of the 3 hours that got me nowhere.



  • 22.  RE: SEP 12.1.5 and services accounts

    Posted Mar 13, 2015 07:06 AM

    Hi IT's

    I ran into the same problem after upgrading SEPM 12.1.4 to 12.1.5.

    I am using a GPO to control "log on as a service" like everyone else here.

    What I did after reading your comments is just this:

    Create two new AD users, semsrv and semwebsrv, as normal users with "password never changes" and a strong password;

    Do not use admin accounts; there is a reason/issue why Symantec has changed to run the services as non-privileged accounts.

    Add the new users to my GP which controls the "logon as service" policy;

    Apply the GP to the SEPM server, in my case Win2012R2 (gpupdate /force);

    Change the service accounts of the SEPM services to the new accounts;

    Start the services;

    That is all;

    We are using SQL Server, not the embedded DB. Sorry.

    Regards,