search cancel

Endpoint Protection Manager installation fails with "Failed to set Symantec Endpoint Protection Manager service account ACLs"

book

Article ID: 175025

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

When installing the Symantec Endpoint Protection Manager, the initial install goes smoothly, but the Management Server Configuration Wizard (MSCW) fails at the "The database is being created and initialized" step between the 77% and 100% mark.

On-screen error is "Failed to set Symantec Endpoint Protection Manager service account ACLs"

Reviewing \Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\ConfigurationWizard-0.log shows error messages similar to the following:

2019-05-30 15:31:28.192 THREAD 31 WARNING: ACLUtil> executeSetACLExe >>Retrying...3 times. Command = ["C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\SetACL.exe", -on, HKLM\System\CurrentControlSet\services\semsrv, -ot, reg, -actn, clear, -clr, dacl,sacl, -actn, setprot, -op, dacl:p_nc;sacl:p_nc, -actn, ace, -ace, n:S-1-5-32-544;p:full;s:y;m:set, -ace, n:S-1-5-18;p:full;s:y;m:set, -ace, n:S-1-5-80-3958276243-2739099675-334681800-2039304502-2384811254;p:read;s:y;m:set]
2019-05-30 15:31:28.192 THREAD 31 INFO: ACLUtil> executeSetACLExe >> Started. Command = ["C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\SetACL.exe", -on, HKLM\System\CurrentControlSet\services\semsrv, -ot, reg, -actn, clear, -clr, dacl,sacl, -actn, setprot, -op, dacl:p_nc;sacl:p_nc, -actn, ace, -ace, n:S-1-5-32-544;p:full;s:y;m:set, -ace, n:S-1-5-18;p:full;s:y;m:set, -ace, n:S-1-5-80-3958276243-2739099675-334681800-2039304502-2384811254;p:read;s:y;m:set],Start time: Thu May 30 15:31:28 PDT 2019
2019-05-30 15:31:28.239 THREAD 31 INFO: ACLUtil> executeSetACLExe>> Finished. Return code = 1,Finish time: Thu May 30 15:31:28 PDT 2019
2019-05-30 15:31:28.239 THREAD 31 WARNING: ACLUtil> executeSetACLExe>> Process output:
SetACL 14.2.1031.0100 (c) Symantec Corporation
Processing ACLs for HKLM\System\CurrentControlSet\services\semsrv
Error: AdjustTokenPrivileges returned ERROR_NOT_ALL_ASSIGNED. Error code: 1300: Not all privileges or groups referenced are assigned to the caller.

2019-05-30 15:31:28.239 THREAD 31 INFO: ACLUtil> setACLs>> Fail to set permission(s) for Object = HKLM\System\CurrentControlSet\services\semsrv,Finish time: Thu May 30 15:31:28 PDT 2019
2019-05-30 15:31:28.239 THREAD 31 WARNING: com.sygate.scm.server.util.acl.ACLException: Failed to set ACL on object : HKLM\System\CurrentControlSet\services\semsrv
    at com.sygate.scm.server.util.acl.ACLUtil.setACL(ACLUtil.java:95)
    at com.sygate.scm.server.util.acl.generated.AccessControlList.apply(AccessControlList.java:252)
    at com.sygate.scm.server.util.acl.generated.OSObject.applyACLForMe(OSObject.java:276)
    at com.sygate.scm.server.util.acl.generated.OSObject.applyACLForMyFamily(OSObject.java:263)
    at com.sygate.scm.server.util.acl.SerialACLProcessorImpl.process(SerialACLProcessorImpl.java:43)
    at com.sygate.scm.server.util.acl.SEPMACLManager.applyAllACLsWithProcessor(SEPMACLManager.java:237)
    at com.sygate.scm.server.util.acl.SEPMACLManager.applyAllACLs(SEPMACLManager.java:153)
    at com.sygate.scm.server.util.acl.SEPMACLManager.applyAllACLs(SEPMACLManager.java:132)
    at com.sygate.scm.install.ui.MainFrame.setACLs(MainFrame.java:2267)
    at com.sygate.scm.install.ui.MainFrame.configureDB(MainFrame.java:2085)
    at com.sygate.scm.install.ui.MainFrame.nextBtnActionPerformed(MainFrame.java:4847)
    at com.sygate.scm.install.ui.MainFrame.access$500(MainFrame.java:312)
    at com.sygate.scm.install.ui.MainFrame$5$1.construct(MainFrame.java:4377)
    at com.sygate.scm.util.SwingWorker$2.run(SwingWorker.java:153)
    at java.lang.Thread.run(Thread.java:748)

 

 

 

 

Cause

The account being used to install the Symantec Endpoint Protection Manager is lacking the SeBackupPrivilege right, which is necessary for SetACL.exe to run properly.

Resolution

Assign SeBackupPrivilege to the account being used for installation.  This can be done by opening Local Security Policy, then Local Policies, User Rights Assignment, and Back up files and directories, then adding the user or group.

 

Attachments