Symantec Endpoint Encryption requires the following accounts. Each account should use a separate username. It is particularly important that the IIS client authentication account is unique.
Database creation account
You must have an account that can access Microsoft SQL Server so that you can install and configure the Symantec Endpoint Encryption Management Server. You can either use a Microsoft Windows domain account or a Microsoft SQL account.
If you use a Microsoft Windows domain account, it must have local administrator rights on the Symantec Endpoint Encryption Management Server computer.
If you use Microsoft SQL authentication, Symantec Endpoint Encryption uses this account to create and configure the Symantec Endpoint Encryption Management Server database during installation. Symantec Endpoint Encryption does not store the credentials for this Microsoft SQL account.
The account login requires the following roles:
Database Access account
The database access account is used by the Symantec Endpoint Encryption Services web site (web service) to interact with the Symantec Endpoint Encryption database. The Configuration Manager also uses this account. You can either use Microsoft Windows authentication or Microsoft SQL authentication. Symantec recommends that you use Microsoft Windows authentication for your database access account.
If you use Microsoft Windows authentication, you must provide an existing Microsoft Windows domain account. It should not be an administrator. It does require privileges on the database, the registry, and the file system. If you use Microsoft Windows authentication for the database access account, the account is also used as the logon account for the AD Synchronization service.
If the login that you specify for your database access account does not exist, the installer creates and configures the login and the corresponding database user. If the login already exists, you have the option to use it; the installer then creates and configures the corresponding database user for you. The database access account requires the following database roles:
The installer also grants the database access account Execute permission.
Note: See the following article for how to set up the rights for the database access account.
IIS client authentication account
Each client computer shares a single domain user account. It uses this account for basic authentication to IIS on the Symantec Endpoint Encryption Management Server. The IIS client authentication account is a regular domain user account and does not require specific privileges.
Policy Administrator account
Policy Administrators require read-write access to the Symantec Endpoint Encryption database. You can use either a Microsoft Windows or a Microsoft SQL account. This account lets the Policy Administrator use the snap-ins of the Management Console.
If you choose to use a Microsoft Windows account for database access, you can create a Policy Administrators group to make administration easier.
Active Directory synchronization account
Synchronization with Active Directory requires a domain account. The Active Directory synchronization service uses this account to bind to Active Directory. You may need to extend the account's privileges to include read permissions to the deleted objects container in Active Directory.
Note: When you install, if you select the option to use an existing database, make sure that the database access account (Windows/SQL) conforms to the roles and permissions that are specified above. If it does not, then you must manually provision the account.
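To check a planned set of accounts against the separation and privilege requirements above before you install, the following PowerShell audit is an added example and is not part of Symantec's documentation. It assumes the ActiveDirectory module is available, that it runs on the Management Server computer, and that the four account names are placeholders for your own.

```powershell
# Added example, not Symantec code. Account names below are placeholders.
param(
    [string]$DbAccessAccount    = 'svc-see-db',      # placeholder
    [string]$IisClientAccount   = 'svc-see-iis',     # placeholder
    [string]$AdSyncAccount      = 'svc-see-adsync',  # placeholder
    [string]$PolicyAdminAccount = 'svc-see-policy'   # placeholder
)
Import-Module ActiveDirectory

$accounts = @{
    'Database access'           = $DbAccessAccount
    'IIS client authentication' = $IisClientAccount
    'AD synchronization'        = $AdSyncAccount
    'Policy Administrator'      = $PolicyAdminAccount
}
$findings = @()

# 1. Each role must use a separate username; reusing the IIS client
#    authentication account is the case the documentation singles out.
$dupes = $accounts.Values | Group-Object | Where-Object { $_.Count -gt 1 }
foreach ($d in $dupes) {
    $roles = ($accounts.GetEnumerator() | Where-Object { $_.Value -eq $d.Name }).Key -join ', '
    $sev = if ($d.Name -eq $IisClientAccount) { 'HIGH' } else { 'MEDIUM' }
    $findings += "[$sev] '$($d.Name)' is reused for: $roles"
}

# 2. The database access and IIS client accounts are regular domain users,
#    so membership in a domain-wide admin group is a misconfiguration.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
foreach ($role in 'Database access', 'IIS client authentication') {
    $name   = $accounts[$role]
    $groups = Get-ADPrincipalGroupMembership -Identity $name | Select-Object -ExpandProperty Name
    $hit    = $groups | Where-Object { $privGroups -contains $_ }
    if ($hit) { $findings += "[HIGH] $role account '$name' is in: $($hit -join ', ')" }
}

# 3. The database access account should not be a local administrator on
#    the Management Server host (only the creation account may need that).
$localAdmins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($localAdmins | Where-Object { $_ -like "*\$DbAccessAccount" }) {
    $findings += "[HIGH] Database access account '$DbAccessAccount' is a local Administrator"
}

if ($findings) { $findings } else { 'No findings' }
```

Run it as a user who can read group membership in Active Directory and on the local host; it reports only, and changes nothing.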
Symantec Endpoint Encryption Management Server Upgrades
During a server-upgrade scenario, the database account requires the following roles: