After installing ADAM for Symantec Endpoint Encryption on a domain member server, the ADAM service will not run using the NT service account, although other services are allowed to run using this account. According to page 26 of the Symantec Endpoint Encryption Data Protection Platform installation documentation, the NT service account is the service account that ADAM is supposed to use. A user account that has Domain Admin rights can run ADAM. Why would this be?
An Administrator with sufficient domain privileges must create the two service accounts and groups and join the Windows 2003 server to the domain. The service accounts need no special domain privileges, but their passwords must be known to the ADAM installer. Typically a domain admin has all the rights needed to provision the accounts and join the server to the domain. The Administrator performing the ADAM installation needs Local Administration privileges on the member server. These privileges allow the Administrator to run the installation program, create a service that runs in the system's Network Service Account, create local groups, and add domain groups to local groups. The ADAM service is installed to run as that computer's Network Service Account. The installation will attempt to create a Service Connection Point (SCP) on the server's object in the domain. Unless this privilege has been taken away from the Network Service Accounts for computers in the domain, it should be able to create the SCP.
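
To check both points on the member server, the following PowerShell reports the logon account of each ADAM service and lists any SCP objects under the server's computer object. It is an added example, not part of the Symantec documentation; it assumes the ADAM instance services use the usual `ADAM_<instance>` naming and that it is run by a domain user who can read the computer object.

```powershell
# Added example (not from the Symantec documentation).
# Assumption: ADAM instance services are named "ADAM_<instance>".
$expected = 'NT AUTHORITY\NetworkService'

# 1. Which account is each ADAM service configured to log on as?
$services = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.Name -like 'ADAM_*' }
if (-not $services) {
    Write-Warning 'No ADAM_* service found on this server.'
}
foreach ($svc in $services) {
    $ok = ($svc.StartName -eq $expected)
    '{0}: runs as "{1}", state {2}, matches Network Service: {3}' -f `
        $svc.Name, $svc.StartName, $svc.State, $ok
}

# 2. Locate this server's computer object in the domain.
$filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$computerSearch = New-Object System.DirectoryServices.DirectorySearcher($filter)
$computer = $computerSearch.FindOne()
if (-not $computer) {
    throw "Computer object for $env:COMPUTERNAME was not found in the domain."
}

# 3. List Service Connection Points created directly under that object.
$scpSearch = New-Object System.DirectoryServices.DirectorySearcher
$scpSearch.SearchRoot  = $computer.GetDirectoryEntry()
$scpSearch.Filter      = '(objectClass=serviceConnectionPoint)'
$scpSearch.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$scps = $scpSearch.FindAll()

if ($scps.Count -eq 0) {
    Write-Warning 'No SCP exists under the computer object; the installer could not create one.'
} else {
    foreach ($scp in $scps) {
        'SCP found: {0}' -f $scp.Properties['distinguishedname'][0]
    }
}
```
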
If this permission has been taken away: