Endpoint Encryption requires the following accounts. Use a separate user name for each account. It is particularly important that the IIS client authentication account is unique, because its credentials are distributed to every client computer and should not be reused for any other purpose.
Symantec Endpoint Encryption 11.3 and above.
Database creation account
You must have an account that can access Microsoft SQL Server so that you can install and configure the Endpoint Encryption Management Server. You can either use a Microsoft Windows domain account or a Microsoft SQL account.
If you use a Microsoft Windows domain account, it must have local administrator rights on the Endpoint Encryption Management Server computer.
If you use Microsoft SQL authentication, Symantec Endpoint Encryption uses this account to create and configure the Endpoint Encryption Management Server database during installation. Endpoint Encryption does not store the credentials for this Microsoft SQL account.
The account login requires the following roles for a new install and for upgrading to releases prior to 11.3.1:
When upgrading to release 11.3.1 and above, the account login requires the following roles:
Database Access account
The database access account is used by the Endpoint Encryption Services web site (web service) to interact with the Endpoint Encryption database. The Configuration Manager also uses this account. You can either use Microsoft Windows authentication or Microsoft SQL authentication. Symantec recommends that you use Microsoft Windows authentication for your database access account.
If you use Microsoft Windows authentication, you must provide an existing Microsoft Windows domain account. It should not be an administrator, but it does require privileges on the database, the registry, and the file system. If you use Microsoft Windows authentication for the database access account, the same account is also used as the logon account for the AD Synchronization service.
If the login that you specify for the database access account does not exist, the installer creates and configures the login and the corresponding database user. If the login already exists, you have the option to use it; the installer then creates and configures the corresponding database user for you. The database access account requires the following database roles:
The installer grants the database access account the Execute permission on the SEEMSDb database. If you create a database access account after installation, you must grant the Execute permission on the SEEMSDb database to that account manually.
Note: Please see article 178363 for how to set up the rights for the database access account.
Tip: In addition to the above permissions, the account that runs the SQL Server service must itself have sufficient permissions for Symantec Endpoint Encryption to work. Running the SQL Server service as Local Service does not grant enough permissions for Symantec Endpoint Encryption.
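The following PowerShell is an added example, not part of the Symantec documentation or product, showing how to provision a Windows-authenticated database access account after installation: create the server login and database user if they are missing, grant the Execute permission on SEEMSDb that the installer would otherwise grant, add the database roles listed in the article, and read the result back to confirm it. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, that the caller holds sysadmin rights on the instance, and that the server name, account name and role list are placeholders you replace with your own values.

```powershell
# Added example (not Symantec's code): provision the Endpoint Encryption
# database access account on SQL Server and verify its permissions.
# Assumes the SqlServer module (Invoke-Sqlcmd) and sysadmin rights.
# Server, account and role names are placeholders; the roles themselves
# are the ones the article lists for the database access account.

function Grant-SeeDatabaseAccess {
    param(
        [Parameter(Mandatory)] [string]   $SqlServerInstance,   # e.g. 'SEEMS01\SEE'
        [Parameter(Mandatory)] [string]   $WindowsAccount,      # e.g. 'CORP\svc-see-db'
        [string]   $Database      = 'SEEMSDb',
        [string[]] $DatabaseRoles = @()   # roles required by the article; supplied by the caller
    )

    # Quote the account once for bracketed identifiers and once for string literals.
    $id  = '[' + $WindowsAccount.Replace(']', ']]') + ']'
    $lit = "N'" + $WindowsAccount.Replace("'", "''") + "'"
    $db  = '[' + $Database.Replace(']', ']]') + ']'

    $roleStatements = foreach ($r in $DatabaseRoles) {
        $rid = '[' + $r.Replace(']', ']]') + ']'
        "ALTER ROLE $rid ADD MEMBER $id;"
    }

    $provision = @"
-- Server-level login for the domain account (no-op if it already exists)
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $lit)
    CREATE LOGIN $id FROM WINDOWS;
USE $db;
-- Database user mapped to that login (no-op if it already exists)
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $lit)
    CREATE USER $id FOR LOGIN $id;
-- The installer grants EXECUTE; an account created afterwards needs it granted by hand
GRANT EXECUTE TO $id;
$($roleStatements -join "`n")
"@
    Invoke-Sqlcmd -ServerInstance $SqlServerInstance -Database 'master' -Query $provision

    # Verify: EXECUTE must be GRANTed at database scope ...
    $execCheck = @"
SELECT COUNT(*) AS HasExecute FROM sys.database_permissions
 WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID($lit)
   AND class_desc = 'DATABASE' AND permission_name = 'EXECUTE' AND state_desc = 'GRANT';
"@
    $execRow = Invoke-Sqlcmd -ServerInstance $SqlServerInstance -Database $Database -Query $execCheck

    # ... and every required role must actually be held.
    $roleCheck = @"
SELECT r.name AS RoleName
  FROM sys.database_role_members rm
  JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
 WHERE rm.member_principal_id = DATABASE_PRINCIPAL_ID($lit);
"@
    $heldRoles = @(Invoke-Sqlcmd -ServerInstance $SqlServerInstance -Database $Database -Query $roleCheck |
                   ForEach-Object { $_.RoleName })

    [pscustomobject]@{
        Account      = $WindowsAccount
        HasExecute   = ($execRow.HasExecute -ge 1)
        HeldRoles    = $heldRoles
        MissingRoles = @($DatabaseRoles | Where-Object { $_ -notin $heldRoles })
    }
}

# Usage (placeholder values):
# Grant-SeeDatabaseAccess -SqlServerInstance 'SEEMS01' -WindowsAccount 'CORP\svc-see-db' `
#     -DatabaseRoles @('<roles from the article>')
```

Run it from the Management Server with an account that is sysadmin on the instance, then confirm that HasExecute is True and MissingRoles is empty before starting the Endpoint Encryption Services web site. The example covers the Windows-authentication path the article recommends; for a SQL login you would replace CREATE LOGIN ... FROM WINDOWS with CREATE LOGIN ... WITH PASSWORD and keep the rest unchanged.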
IIS client authentication account
All client computers share a single domain user account, which each client uses for basic authentication to IIS on the Endpoint Encryption Management Server. The IIS client authentication account is a regular Domain User account and does not require any specific privileges; because every client holds its credentials, do not grant it any rights beyond Domain User.
Policy Administrator account
Policy Administrators require read-write access to the Endpoint Encryption database. You can use either a Microsoft Windows or a Microsoft SQL account. This account lets the Policy Administrator use the snap-ins of the Management Console.
If you use Microsoft Windows accounts for Policy Administrators' database access, you can create a Policy Administrators group and grant the database access to the group, which makes administration easier.
Active Directory synchronization account
Synchronization with Active Directory requires a domain account. The Active Directory synchronization service uses this account to bind to Active Directory. You may need to extend the account's privileges to include read permissions to the deleted objects container in Active Directory.
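The following PowerShell is an added example, not part of the Symantec documentation or product, showing how to grant the Active Directory synchronization account read access to the Deleted Objects container and verify the grant. It uses dsacls.exe and the ActiveDirectory module, must be run as a domain administrator on a domain controller or a machine with RSAT, and the account name is a placeholder.

```powershell
# Added example (not Symantec's code): extend the AD synchronization account's
# privileges to read the Deleted Objects container. Requires dsacls.exe and the
# ActiveDirectory module, run as a domain administrator. Account is a placeholder.

function Grant-DeletedObjectsRead {
    param(
        [Parameter(Mandatory)] [string] $SyncAccount   # e.g. 'CORP\svc-see-adsync'
    )
    $domainDn  = (Get-ADDomain).DistinguishedName
    $container = "CN=Deleted Objects,$domainDn"

    # The container's ACL only lets its owner change it, so a domain admin first
    # takes ownership, then grants the sync account List Contents (LC) and
    # Read Property (RP). Ownership remains with the admin afterwards; record it.
    & dsacls.exe $container /takeownership | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls /takeownership failed (exit $LASTEXITCODE)" }

    # ${SyncAccount} braces stop PowerShell from reading "$SyncAccount:" as a drive qualifier.
    & dsacls.exe $container /G "${SyncAccount}:LCRP" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls /G failed (exit $LASTEXITCODE)" }

    # Verify by reading the ACL back: the grant appears as an Allow entry for the account.
    $acl     = & dsacls.exe $container
    $granted = [bool]($acl | Where-Object {
        $_ -match [regex]::Escape($SyncAccount) -and $_ -match 'Allow'
    })

    [pscustomobject]@{
        Container = $container
        Account   = $SyncAccount
        Granted   = $granted
    }
}

# Usage (placeholder value):
# Grant-DeletedObjectsRead -SyncAccount 'CORP\svc-see-adsync'
```

LC and RP are the only rights the synchronization account needs on this container; do not grant it Full Control or membership in a privileged group. If your deployment does not need to detect deleted users or computers, skip this step and leave the account as a plain domain account.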
Note: When you install, if you select the option to use an existing database, make sure that the database access account (Windows/SQL) conforms to the roles and permissions that are specified above. If it does not, then you must manually provision the account.