How to change Manage Group permissions for Limited Administrators in SEPM for multiple groups.

Article:TECH92651  |  Created: 2009-01-02  |  Updated: 2009-01-10  |  Article URL
Article Type
Technical Solution



Large enterprise environments may have hundreds or even thousands of client groups (e.g. import from Active Directory). When creating a Limited Administrator to manage a small number of groups, the default is set to Full Access to all groups and subgroups. If there are many groups, it can take a long time to go through them all one at a time to set all the groups to No Access.


The following procedure outlines steps to change the access rights for multiple groups at once:

Login to the Symantec Endpoint Protection Manager -> Admin button -> Administrators panel -> Add Administrator task:

Or, if the Limited Administrator has already been created you can just select the Administrator and click on Edit Administrator Properties -> Access Rights tab -> Manage groups check box -> Group Rights.. button.

When this window appears Do Not highlight the group you want to change the access rights to:

Right-click the appropriate top level group and choose, "Set No Access to this group and all subgroups." If you do this from the My Company group then all the subgroups will be set. Then it is much easier to configure the smaller number of groups you actually want the Limited Administrator to have access to.

Technical Information
The "Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control" that is included in SEP 11 MR 4 discusses the default rights of a Limited Administrator on page 75, "By default, limited administrators do not have any access rights. You must explicitly configure reporting rights, group rights, command rights, and policy rights for this type of administrator." Note that this refers to not checking the boxes next to any of the main roles: View Reports, Manage Groups, Remotely run commands or Manage Policies. If these are left unchecked, a warning is displayed that the account will be created, but deactivated. The net result is if that account attempts a login, it will be refused and have no access to SEPM at all. Once a role is chosen, then the login will work and will only access the abilities that it has been granted.

As of MR4 MP2: When you select a Limited Administrator, choose Edit Administrator Properties, the Help screen for the "Administrator Properties for" now states: "The default enables limited administrators to have full rights over all groups". This addresses concerns for some customers who feel this was understated in the documentation in previous versions.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices