Wednesday, February 18, 2015

Too many access denied files by manual/schedule scan of Symantec Protection for SharePoint Server

Hello all,
with this post I would like to reveal another mystery with Symantec Protection for SharePoint server!
If you choose to use different account than SharePoint Farm account as SPSS service account you need definitely to know that the following link from Symantec about the minimum permissions need is NOT full!!!
For one of our customers we have the situation where the customer would like to follow Best Practices of Microsoft for SharePoint 2013 Server and in order to accomplish this task we created SPSS service account and assign all the permissions, mentioned in aforementioned article and the result was: 


The first feel was "Symantec are you kidding me"? Almost all files couldn't be scanned.
All permissions are granted and the manual or schedule scan of Symantec Protection for SharePoint is not working. Opening a case to Symantec did not help too. 
Then I decided to troubleshoot this one and find a permanent solution. First think was to set the trace log level to verbose and found out inside the ULS logs too many access denied messages. In a while I decided to grant the SPSS service account Full Read or Full Control to all Web Applications inside the Central Admin:

 And voilĂ :

SPSS could now scan almost all files. There are still access denied files, but they are not so many and it is normal. 
So as a conclusion in case you would like to run SPSS under different account than SharePoint Farm account you need to keep this missing information in mind.

No comments:

Post a Comment