Do the protect accounts need to be in the local admin group?

book

Article ID: 160175

calendar_today

Updated On:

Products

Symantec Products

Issue/Introduction

Do the protect accounts need to be in the local admin group?

Resolution

When the DLP product is installed a service account named 'protect' is created by the installation and placed in the local 'users' group.

At the same time another service account named 'protect_update' is created by the installation and placed in the local 'Administrators' group.

The 'protect_update' account needs to be in the local admin group because when it comes time to push out updates and hotfixes, if this account is not in the local admin group the installation will fail.

 

It is also important that the 'protect' user account NOT be a member of the local admin group.  If the 'protect' user account is a local admin, an upgrade will fail because we use the 'protect' user to kill java processes.  A local admin can kill the updater.