Service Account Issues with SEPM 12.1.6 on SBS/DC Machine

Quick, quick note on a long and tired day…

In trying to (re)install Symantec’s Endpoint Protection Manager on a client’s SBS server (obviously containing a DC and other roles) I received this message, shamelessly copied from Symantec’s KB article:

SEPM-Error1

The message reads “Symantec Endpoint Protection Manager services require user rights in Windows domain security policies. The management console cannot run until you assign user rights to the services in the specified policies:”. In my case the GPO in question was the Default Domain Controllers Policy, which was not giving the NT Service\semwebsrv and NT Service\semsrv service accounts the SeServiceLogonRight permission, as they obviously would not be contained in that GPO.

The catch? I couldn’t add them – the GPO wouldn’t let me add the account name because it doesn’t resolve, instead giving me the error “The following accounts could not be validated: NT Service\semsrv”:

SEPM-Error2

Some quick research showed me the sc showsid <servicename> command. Thinking I’d be slick, I did a sc showsid semwebsrv and sc showsid semsrv, copied the SIDs and pasted them into the GPO, did a gpupdate /force and clicked the “Try Again” button in the Symantec window – problem solved.

SEPM-Error4
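
The pasted SIDs work even though the account names do not resolve because a service SID is derived from the service name alone. The following is an added example, not code from this post or from Symantec: it derives the SID that sc showsid reports and checks the text of a GPO security template (GptTmpl.inf) for the SeServiceLogonRight entry. The sample template is constructed and the function names are illustrative.

```python
import hashlib
import struct

def service_sid(service_name: str) -> str:
    """Derive the per-service SID (what `sc showsid` prints) from the name."""
    # Windows hashes the upper-cased UTF-16LE service name with SHA-1 and uses
    # the five little-endian 32-bit words as sub-authorities under S-1-5-80.
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(w) for w in struct.unpack("<5I", digest))

def privilege_rights(inf_text: str) -> dict:
    """Parse the [Privilege Rights] section into {right: set(entries)}."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            right, _, value = line.partition("=")
            # SIDs are stored with a leading '*'; account names are stored bare.
            rights[right.strip()] = {e.strip().lstrip("*").upper()
                                     for e in value.split(",") if e.strip()}
    return rights

def missing_service_logon(inf_text: str, services: list) -> list:
    """Return the services whose SID is absent from SeServiceLogonRight."""
    granted = privilege_rights(inf_text).get("SeServiceLogonRight", set())
    return [s for s in services if service_sid(s).upper() not in granted]

# Constructed sample: a policy where only the semsrv SID has been pasted in.
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544
SeServiceLogonRight = *S-1-5-20,*{service_sid("semsrv")}
"""

if __name__ == "__main__":
    for name in ("semsrv", "semwebsrv"):
        print(name, service_sid(name))
    print("missing:", missing_service_logon(SAMPLE_INF, ["semsrv", "semwebsrv"]))
```

The real GptTmpl.inf is stored as UTF-16, so decode it to text before passing it to missing_service_logon.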