Error: Endpoint Protection Manager Bridge Services "require user rights" or "...cannot read the required user rights"


Article ID: 170151

Products

Endpoint Protection

Issue/Introduction

After Symantec Endpoint Protection Manager (SEPM) 14.0.1 enrolls to the cloud, you see an error that indicates the appropriate user rights are not assigned to the Symantec Endpoint Protection Bridge services.

You see one of the following error messages in the Symantec Endpoint Protection Manager console, on the Cloud tab, under Troubleshooting > Installation Status:

Note: While these services might run at startup, it is only a temporary state until the domain policies are enforced.

Warning #1

Symantec Endpoint Protection Bridge services require user rights in Windows domain security policies. The Bridge services cannot run until you assign user rights to the services in the specified policies:

Warning #2

Symantec Endpoint Protection Bridge cannot read the required user rights that are specified in the Windows domain security policies on this computer. The Bridge services cannot run if user rights are not assigned to Symantec Endpoint Protection Bridge services.

Example of the message as it appears on the Installation Status page:

Cause

The Endpoint Protection Bridge installer automatically adds the required rights to local security policies. However, if the computer that hosts Endpoint Protection Bridge is a part of a domain, then domain policies override local policies. See Technical reference for more information on group policy precedence.

The error message indicates that domain policies enforced from the domain controller define these privileges but do not include the required user rights for Endpoint Protection Bridge at installation time. The Endpoint Protection Bridge installer cannot assign user rights in domain security policies, so you must make the change manually.

The following table summarizes Endpoint Protection Bridge's security policy requirements for Windows Server 2008 R2 / Windows 7 or later:

  SEPM Service                         User Right                               Services to be added
  Symantec Endpoint Protection Bridge  Logon as Service (SeServiceLogonRight)   NT SERVICE\SepBridgeSrv
                                                                                NT SERVICE\SepBridgeUploaderSrv

Endpoint Protection Bridge services on operating systems earlier than Windows Server 2008 R2 / Windows 7 run as the Network Service account, which the default domain policies already grant the necessary privileges. Ensure that no security policy applied to the Endpoint Protection Bridge computer removes Network Service from those rights.

Note: These accounts need to be present only if you have defined any of the user rights in the policies. If any of the user rights are in a "Not Defined" state, you do not have to explicitly enable them or add Endpoint Protection Bridge accounts. If you have not defined any user right, Endpoint Protection Bridge will not include that user right in the alert.

Resolution

Warning #1: "...services require user rights in Windows security policies..."

This error message indicates that domain group policy objects (GPOs) are restricting which rights are assigned to virtual service accounts.

To learn more, see the section "If user rights are missing" below.

Warning #2: "...cannot read the user rights that are specified..."

This error message indicates that the installer may not be able to determine whether the correct rights are assigned to virtual service accounts in domain GPOs.

To learn more, see the section "If user rights cannot be determined" below.


Note: You must be a domain administrator, or coordinate with your domain administrator, to make changes to the affected domain GPOs.

To perform some of the steps below, you must install the Group Policy Management Console (GPMC) on the machine where you install Endpoint Protection Manager. For more information, see Install the GPMC on Microsoft.com.

If user rights are missing

Perform the following tasks to make Endpoint Protection Bridge work:

  1. Identify the service accounts, user rights assignments, and domain GPOs you need to modify
  2. Change the domain policies and propagate them to the computer
  3. Recheck the policies or restart the services for Endpoint Protection Manager

There will be additional log entries in the following location:

  • SEPM_Installation_Folder\tomcat\logs\WindowsPolicyReviewer.hub.log 

SEPM_Installation_Folder represents the installation folder for Endpoint Protection Manager. By default, this folder is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager. Currently, Symantec Endpoint Protection Bridge is installed on the same machine as Endpoint Protection Manager.

I. Identify the service accounts, user rights assignments, and domain GPOs you need to modify

From the error message, make note of the items listed below. With the Troubleshooting pane on screen, press Control-C to copy the text of the message, which you can then paste into a document.

  • The virtual service accounts
  • The domain GPOs
  • The user rights assignments required

For example, the alert message may read:

Group policy setting SeServiceLogonRight in 'New Group Policy Object-testB' does not contain [NT SERVICE\SepBridgeSrv, NT SERVICE\SepBridgeUploaderSrv]

Note: In this example, SeServiceLogonRight is the user right, 'New Group Policy Object-testB' is the domain GPO, and the two bracketed NT SERVICE accounts are the virtual service accounts.

The required user rights are as follows:

  • SeServiceLogonRight (Logon as a service): Required by all Endpoint Protection Bridge services.

You must ensure that for the GPOs listed, all of the accounts listed are present in all of the user rights assignments mentioned.

II. Update the domain policies and propagate them to the computer

Note: The Symantec Endpoint Protection Manager Bridge is installed silently by the management console after cloud portal enrollment. Therefore, virtual accounts that correspond to Endpoint Protection Bridge services are not active yet when it’s installed. You can update domain policies using the steps below when you see the error message in the Symantec Endpoint Protection Manager, on the Cloud tab, under Troubleshooting > Installation Status.

Make the appropriate changes to the necessary domain GPOs with the Group Policy Management Console on your Active Directory server, or work with your domain administrator to make these changes. See Create and Edit a Group Policy Object on Microsoft.com to learn how to edit group policies.

To update the domain policy, follow these steps:

Note: These steps are for the Windows Server 2012 Server Manager. Other versions of Windows may vary slightly.

  1. Open Group Policy Management Console (GPMC).
  2. Locate the policy name mentioned in the alert box.
    Typically, it appears under the node Group Policy Objects, under your domain tree.
  3. Right-click the policy, and then click Edit to open the Group Policy Editor for this policy. 
  4. Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
    This lists all of the user assignments.
  5. Locate the user rights mentioned in the alert, and add the accounts mentioned in the message.
    These accounts are created locally on the Endpoint Protection Bridge computer after cloud enrollment is successful. However, they are virtual service accounts without predetermined SIDs, so you can add them to domain GPOs before they are created on the Endpoint Protection Bridge computer.
  6. Click OK.
    Note: After you update domain policies, ensure that the Endpoint Protection Bridge computer receives and applies them.
  7. On the Endpoint Protection Bridge computer, open an elevated command prompt (run cmd.exe as Administrator), and enter the following command:

    gpupdate /force

    This command refreshes all domain policies on this computer.

III. Recheck the policies or restart the services for Endpoint Protection Manager

  • The changes you make ensure that the Endpoint Protection Bridge runs reliably. You need to restart the Endpoint Protection Bridge services using the Service Control Manager after you make the policy changes.
  • After the Endpoint Protection Bridge services start successfully, the Installation Status (under Cloud > Troubleshooting) displays Success.

If user rights cannot be determined

When the Endpoint Protection Bridge cannot read the domain policies, it does not provide the missing user rights in the error message. In this instance, you (or your domain administrator) should manually inspect the domain policies based on the user rights assignments guidelines provided above, and ensure all required rights apply to the Endpoint Protection Bridge services.

How to check domain policies manually

You can manually check for the presence of required accounts and privileges before you enroll Symantec Endpoint Protection Manager with the cloud portal.

To check domain policies manually, follow these steps:

  1. Log on to the Endpoint Protection Manager computer using domain admin credentials.
  2. Open a command prompt (cmd.exe) and enter the following command:

    Gpresult /scope computer /f /x c:\gpresult.xml

    This command writes the results to a new file, gpresult.xml, at the root of the C: drive. The Endpoint Protection Bridge installer uses this same command to retrieve the Windows domain policies. If this command fails, the domain policy check fails during installation.
  3. Open C:\gpresult.xml and search for the privileges listed in the requirements noted above, under Cause.

If you do not find the privileges, the domain GPOs leave them Not Defined and do not enforce them. You do not need to change the domain GPOs.

If you find the privileges but they do not contain any of the Endpoint Protection Bridge accounts, you must add the accounts to the corresponding policy.

To determine which domain policy to modify, follow these steps:

  1. Open the gpresult.xml file.
  2. Starting from the element whose Name is PrivilegeName, where PrivilegeName is SeServiceLogonRight (the privilege you found previously), navigate down the XML tree to its Identifier tag:

    <Identifier>

  3. Note the value given within the Identifier tag. For example:

    {31B2F340-016D-11D2-945F-00C04FB984F9}

  4. Elsewhere in the XML tree, locate the Identifier tags of the applied policies:

    <Identifier>

  5. Search for the identifier value found in Step 2.
  6. Navigate up the tree to the Name tag, which encloses the name of the policy you must modify:

    <Name>PolicyName

  7. You can now open the Group Policy Management Console (GPMC) and add the Endpoint Protection Bridge accounts with the required privileges, as noted above.
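The following PowerShell script automates the manual check above: it reads a gpresult.xml export, looks up SeServiceLogonRight, maps the GPO identifier to the policy name, and reports which Bridge accounts (NT SERVICE\SepBridgeSrv and NT SERVICE\SepBridgeUploaderSrv) are missing. It is an added example and not Symantec's code. It assumes the RSOP XML layout produced by gpresult /x (UserRightsAssignment elements containing Name, GPO/Identifier and Member/Name children, and GPO elements under ComputerResults containing Name and Path/Identifier); element names are matched by local name so XML namespaces do not matter. When C:\gpresult.xml does not exist, it runs against a constructed sample document embedded in the script, whose policy name is a placeholder.

```powershell
# Added example (not Symantec's code): check a gpresult.xml export for the
# Endpoint Protection Bridge user-right requirement described in this article.
# Assumption: RSOP XML layout as recalled from gpresult /x output; elements are
# matched by local-name() so namespace prefixes (q1:, default) are irrelevant.
param(
    [string]$Path = 'C:\gpresult.xml'
)

$RequiredRight    = 'SeServiceLogonRight'
$RequiredAccounts = @('NT SERVICE\SepBridgeSrv', 'NT SERVICE\SepBridgeUploaderSrv')

# Constructed sample used only when no export exists (policy name is a placeholder).
# It grants the right to one Bridge account, so the script should report the other.
$sample = @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO>
      <Name>Example Domain Policy (constructed)</Name>
      <Path><Identifier>{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier></Path>
    </GPO>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
        <q1:UserRightsAssignment>
          <q1:Name>SeServiceLogonRight</q1:Name>
          <q1:GPO><Identifier>{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier></q1:GPO>
          <q1:Member><Name>NT SERVICE\SepBridgeSrv</Name></q1:Member>
        </q1:UserRightsAssignment>
      </Extension>
    </ExtensionData>
  </ComputerResults>
</Rsop>
'@

$doc = New-Object System.Xml.XmlDocument
if (Test-Path $Path) { $doc.Load($Path) } else { $doc.LoadXml($sample) }

# Child lookup by local name, independent of the element's namespace.
function Get-Child($node, $localName) {
    $node.SelectSingleNode("*[local-name()='$localName']")
}

# Build the GPO identifier -> policy name map (the Identifier/Name lookup in
# the manual steps above, done once for every applied policy).
$gpoNames = @{}
foreach ($gpo in $doc.SelectNodes("//*[local-name()='ComputerResults']/*[local-name()='GPO']")) {
    $id   = $gpo.SelectSingleNode("*[local-name()='Path']/*[local-name()='Identifier']")
    $name = Get-Child $gpo 'Name'
    if ($id -and $name) { $gpoNames[$id.InnerText] = $name.InnerText }
}

# Locate the user right. If it is absent, the right is Not Defined in the
# domain GPOs and no policy change is needed.
$assignments = $doc.SelectNodes("//*[local-name()='UserRightsAssignment']") |
    Where-Object { (Get-Child $_ 'Name').InnerText -eq $RequiredRight }

if (-not $assignments) {
    "$RequiredRight is Not Defined in the applied domain GPOs; no GPO change is needed."
    return
}

foreach ($ura in $assignments) {
    $gpoId   = ($ura.SelectSingleNode("*[local-name()='GPO']/*[local-name()='Identifier']")).InnerText
    $members = @($ura.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                 ForEach-Object { $_.InnerText })
    $missing = @($RequiredAccounts | Where-Object { $members -notcontains $_ })
    $gpoName = if ($gpoNames.ContainsKey($gpoId)) { $gpoNames[$gpoId] } else { 'unknown GPO' }

    if ($missing.Count -gt 0) {
        "Add to '$gpoName' ($gpoId), user right ${RequiredRight}: $($missing -join ', ')"
    } else {
        "'$gpoName' ($gpoId) already grants $RequiredRight to all Bridge accounts."
    }
}
```

Run it on the Endpoint Protection Manager computer after the gpresult command in the previous procedure, for example .\Check-BridgeRights.ps1 -Path C:\gpresult.xml. The output names the GPO to edit in GPMC and the accounts to add; against the embedded sample it reports NT SERVICE\SepBridgeUploaderSrv as missing from the constructed policy.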

Technical reference

For more information, see the following Microsoft technical articles:
