Minimum Privileges required for the Symantec Endpoint Encryption Active Directory Application Mode (ADAM) installation

Article ID: 151418

Products

Endpoint Encryption

Issue/Introduction

After installing ADAM for Symantec Endpoint Encryption on a domain member server, the server does not allow the ADAM service to run under the NT service account. Other services run under this account, but the ADAM service will not. The NT service account is the service account that ADAM is supposed to run as, according to page 26 of the Symantec Endpoint Encryption Data Protection Platform installation documentation. A user account that has Domain Admin rights can run ADAM. Why would this be?

Resolution

An administrator with sufficient domain privileges must create the two service accounts and groups and join the Windows 2003 server to the domain. The service accounts need no special domain privileges, but their passwords must be known to the ADAM installer. Typically a domain admin has all the rights needed to provision the accounts and join the server to the domain. The administrator performing the ADAM installation needs local Administrator privileges on the member server: these are required to run the installation program, create a service that runs as the system's Network Service account, create local groups, and add domain groups to local groups. The ADAM service is installed to run as that computer's Network Service account. The installation attempts to create a Service Connection Point (SCP) on the server's computer object in the domain. Unless this privilege has been taken away from the Network Service accounts of computers in the domain (on the domain, Network Service authenticates as the computer account), it should be able to create the SCP.

If this permission has been taken away:
  • Option 1: Restore that computer's Network Service account permission to create an SCP, then uninstall ADAM, restart, and run the installation again.
  • Option 2: Allow the installation to continue, let the SCP creation fail, and have a domain administrator manually create the SCP using the procedure below.

    Note: After the installation of the SCP is complete, the ADAM service runs as that computer's Network Service account, and not with the privileges of the account that installed ADAM.
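To find out in advance whether the server's computer account (the identity its Network Service account presents to the domain) still holds the right to create an SCP under its own computer object, the following PowerShell check is added here as an example; it is not part of the Symantec article. It assumes the RSAT ActiveDirectory module is installed, `$ComputerName` is an assumed parameter name, and `SEE-SERVER` is a constructed sample name.

```powershell
# Added example, not from the KB article. Reports whether a member server's computer
# account may create a serviceConnectionPoint child under its own AD computer object.
# Assumes the RSAT ActiveDirectory module; SEE-SERVER is a constructed sample name.
param([string]$ComputerName = 'SEE-SERVER')

Import-Module ActiveDirectory

# Look up the schema GUID of the serviceConnectionPoint class instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$scpClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=serviceConnectionPoint)' -Properties schemaIDGUID
$scpGuid  = [guid]$scpClass.schemaIDGUID

$computer = Get-ADComputer -Identity $ComputerName
$account  = $computer.SamAccountName            # e.g. SEE-SERVER$
$acl      = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

# On the domain, Network Service acts as the computer account, so the DACL entries that
# matter are those granted to SELF (S-1-5-10) and to the computer account itself.
$selfSid     = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'
$computerSid = $computer.SID
$createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$relevant = $acl.Access | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    ($sid -eq $selfSid -or $sid -eq $computerSid) -and
    (([int]$_.ActiveDirectoryRights -band $createChild) -ne 0) -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $scpGuid)   # any child class, or SCP specifically
}

# Deny entries win over Allow entries, so report them first.
$denies = @($relevant | Where-Object { $_.AccessControlType -eq 'Deny' })
$allows = @($relevant | Where-Object { $_.AccessControlType -eq 'Allow' })

if ($denies.Count -gt 0) {
    Write-Output "DENIED: a Deny ACE blocks SCP creation for $account; the installer will fall back to writing an LDIF file."
    $denies | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
} elseif ($allows.Count -gt 0) {
    Write-Output "OK: $account may create an SCP under its own computer object."
    $allows | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
} else {
    Write-Output "MISSING: no ACE grants SELF or $account the right to create an SCP; restore it (Option 1) or import the LDIF with LDIFDE (Option 2)."
}
```

Run it as an account that can read the computer object's security descriptor; inherited ACEs from the parent OU are included in the result, so a permission removed at OU level shows up here too.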

Manual SCP creation process:
  • If the SCP creation fails while running as the computer's Network Service account, the installer creates an LDAP Data Interchange Format (LDIF) file in the C:\WINDOWS\DEBUG directory. The event log also refers to the LDIF file and explains how to use the LDIFDE tool to merge the file into the production domain, using domain admin privileges.