Endpoint Protection

  • 1.  Delegation of rights in SEPM

    Posted Apr 22, 2010 08:40 AM
    Hi all

    How are you guys running your setup in regard to allowing service desk or other administrators access to the console?

    My case is that we have around 60 persons in service desk (3 locations) and around 80 locations with local admins.

    The service desk would like to have the ability to do the remote scan and poll some logs on all user clients, and the local admins shall have the access to move clients to the exclusions group and perform other tasks on their own clients (they are placed in a separate OU; there is one for every country).
    I would like to have an account for all of them (assigned with their AD account), but there will be a lot of work and a good chance that I will assign something wrong. My groups are for the most part imported from our AD, so it's almost impossible to set the read/noaccess/fullaccess flag on all those groups and then furthermore have to do it on so many users.

    My other thought was to just make one account for our helpdesk and then look away regarding the audit :-(( :-)) But with the admins, I still would like that they had a personal account because of the extended rights to move a client around.

    This could be solved if it was possible to move a client to another group from a SEP client, so they didn't need to have access to the console. Like with the grc.dat file, where you could just take one that matched the group you wanted to join and drop it on the client. Haven't found a way to do this on SEPM yet - anyone have an idea? :-)

    Would really like some input on how to go about this as easily as possible :-))




  • 2.  RE: Delegation of rights in SEPM

    Posted Apr 22, 2010 08:44 AM
    Okay, I got what you are trying to do :) If you have integrated your AD, there won't be any MOVE option between the OUs even if you are full admin.

    If you want to move clients like with the GRC, you can follow this doc. Every group will have one ID; follow this and they should be able to move between groups.

    http://service1.symantec.com/support/ent-security.nsf/docid/2007082009543848

    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/13669c4f8319b89e882574e5004e7328?OpenDocument


  • 3.  RE: Delegation of rights in SEPM

    Posted Apr 22, 2010 08:56 AM
    Yes I know that there is no move, only a copy function in the AD group.

    But I would like that I could go to my "client", do something on this client, and then it would move from the AD imported group to for example, My Computer -> Notes.
    Without using the console!!! Or having access to the SEPM server.

    If I have two groups in SAV, e.g. Clients and Servers, and if I by mistake installed a SERVER with the client grc.dat so the SERVER was placed under clients, then I could put the grc.dat file for servers on the SERVER and see it move to the server groups after a couple of minutes.

    If this was possible, then I could limit the local country admins' access in the SEPM to only include scanning of clients.


  • 4.  RE: Delegation of rights in SEPM

    Posted Apr 22, 2010 08:59 AM
    Okay :) In that case you can use the two links to put the clients in the groups (what was earlier grc is now SYlink.xml), so replace it on the client and all is well.

    Find the correct sylink as per the group and replace it on the clients.



    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/13669c4f8319b89e882574e5004e7328?OpenDocument



  • 5.  RE: Delegation of rights in SEPM

    Posted Apr 22, 2010 09:04 AM

    Yes, this works if I'm not using AD.

    If I install a client which is not imported from AD, then it is by default placed in My Company -> default.
    And here this will work: get a sylink file from e.g. My Company -> whatever and run this on the client. Now the client will move to whatever.

    But if the client is placed in My Company -> AD importation -> Clients (because I have imported the AD OU),
    then the option with sylink doesn't work.

    It will not move from that spot, only if I go to the SEPM console and do a copy of the client.



  • 6.  RE: Delegation of rights in SEPM

    Posted Apr 22, 2010 09:14 AM
    It will work:
    open SEPM
    select the OU (for which you have replaced sylink)
    right-click and click SYNC
    this should put the client.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009090119133848