Cannot edit Enforcer Groups, or "Unexpected exception has occurred" errors are shown in the SEPM console

Article:TECH167924  |  Created: 2011-08-24  |  Updated: 2011-10-12  |  Article URL
Article Type
Technical Solution


When using the Symantec Network Access Control (SNAC) software, you see the following error in the Symantec Endpoint Protection Manager (SEPM) console, on the Admin - Servers tab:


An Unexpected exception has occurred  [Site: sitename]  [Server: servername]


Enforcer Group Properties may also be impossible to edit, with the console not responding if the option is selected.

Enforcer Groups may show the wrong icon in the console, displaying an orange LAN Enforcer icon for a Gateway or DHCP Enforcer group.



This can be caused by an Enforcer Group pointing to a policy that no longer exists in the database.

  • Use the dbvalidator.bat tool in the Tools subfolder of the directory where SEPM is installed. If the cause is the one listed above the following errors should be seen in the tomcat\logs\dbvalidator.log file afterwards:

  2011-08-24 12:13:21.333 INFO: *********************************************
2011-08-24 12:13:21.333 INFO: Following ids are not present in the database.
2011-08-24 12:13:21.333 INFO: *********************************************
2011-08-24 12:13:21.333 INFO: Link is broken for [1] target ids :
2011-08-24 12:13:21.333 INFO: TargetId:[63B1BB070A0A0A0A0196BE60C10BC667] TargetType:[SeEnforcerPolicy] ObjectTypeName:[ObjReference] ParentObjectTypeName :[EnforcerGroup] Parent's TopLevelObject's GUID:[9DDF2F4BC0A8010B0018DC0E2708BCD4]


If needed, search through the remaining dbvalidator.log for the TargetId (63B1BB070A0A0A0A0196BE60C10BC667 in the example above) to find out which Enforcer Group Name the error corresponds to:

    <EnforcerGroup CreationTime="1312794359742" Creator="" Id="97B73EC40A0A0A0A00DB4EB4B5663E62" ModifiedTime="1312794359742" Name="BROKEN_ENFORCER_GROUP" ..... >
  <ObjReference Name="EnforcerPolicyApplied" TargetId="63B1BB070A0A0A0A0196BE60C10BC667" TargetType="SeEnforcerPolicy" ...... />



To correct the problem, the Enforcer needs to be connected to a new Enforcer Group, and the problematic Enforcer Group needs to be deleted

  • Change the Enforcer group name from the Enforcer Command Line Interface (CLI)
    • configure spm group my_new_group
  • In the SEPM console, within a few moments the new Enforcer Group should be created, and the Enforcer should move away from the broken group leaving it empty.
  • Once the problematic Enforcer Group is empty, it should now be possible to delete it from the Admin - Servers tab within the SEPM console.

Article URL

Terms of use for this information are found in Legal Notices