Use Group Managed Service Accounts for Endpoint Protection Manager services
search cancel

Use Group Managed Service Accounts for Endpoint Protection Manager services


Article ID: 171698


Updated On:


Endpoint Protection


For various security reasons it may be desirable to use Group Managed Service Accounts (gMSA) for Symantec Endpoint Protection (SEP) Manager services instead of the virtual service accounts created during install (i.e. NT SERVICE\semsrv, NT SERVICE\semwebsrv, etc.).


Symantec Endpoint Protection Manager installed on Windows Server 2012, or newer
Windows 2012 Domain Controller



In order to leverage Group Managed Service Accounts for SEP Manager service use, the following requirements must be met:

  • At least one Windows Server 2012, or newer, Domain Controller
  • A Windows Server 2012 or Windows 8 machine with the Active Directory Module for Windows PowerShell - Used to create the gMSAs.
  • SEP Manager pre-installed onto a Windows Server 2012, or newer, domain member to run/use the gMSAs.


Instructions to create gMSAs:

Create the KDS Root Key

  1. Launch Windows Powershell on the Server 2012 Domain Controller.
  2. Enter the following to generate the KDS Root Key:
    • Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
  3. This should return a GUID value if successful.

Create and configure gMSAs

  1. Create a security group and add the computer object(s) for the SEP Manager(s) for the gMSA.
    • Using a security group provides more efficient management capabilities than creating gMSAs for each server.
  2. Launch the Active Directory Module for Windows PowerShell and enter the following to create the gMSAs:
    • New-AdServiceAccount -name <ServiceAccountName> -DNSHostName <fqdn> -PrincipalsAllowedToRetrieveManagedPassword <group>
      • Replace <ServiceAccountName> with the values of semsrv, semwebsrv, semapisrv, SQLANYs_sem5, SepBridgeSrv and SepBridgeUpldr as appropriate and for each gMSA you wish to create.
      • Replace <fqdn> with the fully qualified domain name for the SEP Manager server.
      • Replace <group> with the name of the new security group created in step 1.
  3. Repeat the above command for each SEP Manager service (i.e. semsrv, semwebsrv, etc.).
  4. Launch the Active Directory Administrative Center (ADAC) and expand your domain > Managed Service Accounts to see the newly created gMSAs.
  5. Edit the properties for each gMSA and add the security group created in step 1, ensure the security group has Read permissions then click OK.
  6. Reboot each SEP Manager server.

Assign gMSAs to SEPM services:

  1. On the SEP Manager server open services.msc.
  2. Edit properties for the Symantec Endpoint Protection Manager service.
  3. Click the Log On tab.
  4. Click the Browse button.
  5. Click the Location button and select Entire Directory, click OK.
  6. Click Object Types and uncheck User.
  7. Click Advanced then Find Now and double-click the appropriate gMSA, click OK.
  8. Clear out the Password and Confirm Password fields so that they are blank.
  9. Click OK.
    • You should receive a prompt that the account was given the Log On As a Service right.
  10. Stop and restart the service.
  11. Repeat steps 2 through 10 for each additional SEP Manager service that is being changed to a gMSA.
  12. Launch the SEP Manager and verify that you can successfully log in.

NOTE: If the SEP Manager is reinstalled or upgraded the virtual service accounts will be restored. You will need to repeat the steps to assign the gMSAs to each SEP Manager service post upgrade/install.

NOTE: SEP Manager doesn’t support gMSA account for SQL Database Authentication