SEPM Configuration Wizard fails with "Failed to set Symantec Endpoint Protection Manager service account ACLs"
Article ID: 276941
Updated On:
Products
Issue/Introduction
While running wizard below error is seen and wizard can't complete:
The ConfigurationWizard-0.log shows below error:
1-24 16:00:37.209 THREAD 30 WARNING: ACLUtil> executeSetACLExe >>Retrying...1 times. Command = ["C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\SetACL.exe", -on, C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat, -ot, file, -actn, clear, -clr, dacl,sacl, -actn, setprot, -op, dacl:p_nc;sacl:p_nc, -actn, ace, -ace, n:S-1-5-32-545;p:list_dir;s:y;m:set, -ace, n:S-1-5-32-544;p:full;s:y;m:set, -ace, n:S-1-5-18;p:full;s:y;m:set, -ace, n:S-1-5-32-547;p:change;s:y;m:set, -ace, n:S-1-5-13;p:read_ex;s:y;m:set, -ace, n:S-1-5-80-3958276243-2739099675-334681800-2039304502-2384811254;p:full;s:y;m:set, -ace, n:S-1-5-80-1625573271-3360770164-1808504902-59951099-39959922;p:full;s:y;m:set, -ace, n:S-1-5-80-948765316-811284391-187558744-2005173589-387111393;p:full;s:y;m:set, -actn, rstchldrn, -rst, dacl,sacl]
2023-11-24 16:00:37.209 THREAD 30 INFO: ACLUtil> executeSetACLExe >> Started. Command = ["C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\SetACL.exe", -on, C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat, -ot, file, -actn, clear, -clr, dacl,sacl, -actn, setprot, -op, dacl:p_nc;sacl:p_nc, -actn, ace, -ace, n:S-1-5-32-545;p:list_dir;s:y;m:set, -ace, n:S-1-5-32-544;p:full;s:y;m:set, -ace, n:S-1-5-18;p:full;s:y;m:set, -ace, n:S-1-5-32-547;p:change;s:y;m:set, -ace, n:S-1-5-13;p:read_ex;s:y;m:set, -ace, n:S-1-5-80-3958276243-2739099675-334681800-2039304502-2384811254;p:full;s:y;m:set, -ace, n:S-1-5-80-1625573271-3360770164-1808504902-59951099-39959922;p:full;s:y;m:set, -ace, n:S-1-5-80-948765316-811284391-187558744-2005173589-387111393;p:full;s:y;m:set, -actn, rstchldrn, -rst, dacl,sacl],Start time: Fri Nov 24 16:00:37 EET 2023
2023-11-24 16:00:39.459 THREAD 30 INFO: ACLUtil> executeSetACLExe>> Finished. Return code = 1,Finish time: Fri Nov 24 16:00:39 EET 2023
2023-11-24 16:00:39.459 THREAD 30 WARNING: ACLUtil> executeSetACLExe>> Process output:
SetACL 14.3.8259.5000 : Copyright (c) 2020 Broadcom. All Rights Reserved.
Processing ACLs for C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat
Processing ACLs for C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat
Processing ACLs for \\?\C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\bin
Processing ACLs for \\?\C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\ajaxswing.jar
Processing ACLs for \\?\C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\ajaxswing_paths.bat
Processing ACLs for \\?\C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\ajsApache.jar
Processing ACLs for \\?\C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\ajsForJava.jar
Processing ACLs for \\?\C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\ajsJava.jar
Processing ACLs for \\?\C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\asboot.jar
Procmon shows "ACCESS DENIED" for specific file:
Environment
File permissions in Properties -> Security tab for this file were corrupted:
Cause
The file(s) in question have corrupted permissions.
Resolution
1. Take a backup of your working configuration:
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-management-servers-sites-and-databases/disaster-recovery-best-practices-for-endpoint-prot-v18588940-d15e2803.html
2. Add the Administrators to the users that have access to this file:
3. Then run command to restore the file permissions.
icacls "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\success.jpg" /reset
After that the file properties should looks similar to this:
Additional Information
Proceed similar to the other files/directories that have same problem.
Feedback
