Set the permissions manually for the SMSMSE Admins and SMSMSE Viewers groups.
SMSMSE Folder permissions:
The SMSMSE Admins group should have Full rights on following folders, and SMSMSE Viewers would have read permissions.
<SMSMSE Install path>\SMSMSE\<version>\Server
<Microsoft.NET Framework path>\v2.0.50727\Temporary ASP.NET Files
C:\Program Files (x86)\Symantec\SMSMSE\7.5\Server
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files
SMSMSE Registry permissions:
The SMSMSE Admins group should have Full Control permission to following registry keys, and SMSMSE Viewers should have read permissions on the same registry keys.
Same applies for the Exchange VSAPI registry key:
SMSMSE DCOM permissions:
- Open “Component Services”
- Click on Start -> Administrative Tools -> Component Services.
- Expand component services -> Computers -> My Computer -> DCOM Config.
- Locate the components SMSMSEGUI class and SAVFMSEStatsManager.
- Go to the properties of these components and check “Launch and Activation Permissions” and “Access Permissions” as shown in the picture below.
SMSMSE Admins and SMSMSE Viewers should have following permissions on SAVFMSESpamStatManager and SMSMSEGUI Class DCOM components.
Launch and activation permission:
SMSMSE Permission on SMSMSE Web service:
As per the above picture make sure that SMSMSE Admins have full rights and SMSMSE Viewers have read rights on “Symantec Mail Security for Microsoft Exchange” web service. Also make sure that Windows Authentication is enabled on this web service.
Exchange 2010, 2013 and 2016 service account permission requirements:
On Exchange 2010, 2013 and 2016 the SMSMSE service runs under a domain user service account; the following are the permissions granted during the installation process and some are pre-requisite:
- Service account should be member of Exchange Organization Management security group – pre-requisite
- The “Application Impersonation” RBAC role should be assigned to the service account – Installer creates this role for service account
- The service account should have a mailbox for Public folder enumeration and scanning to work – pre-requisite
- The service account should be member of SMSMSE Admins group – This is post installation task to be performed by user.
The SMSMSE console can be installed on any machine which is a member of the same domain as the server install. Give full permissions to both SMSMSE Admins and SMSMSE viewers group on “<Install path>\Symantec\CMaF\<version>” folder.