Video Screencast Help

How to move client group1 to group2 after replacing sylink.xml from group2?

Created: 26 May 2011 | 10 comments

After expoted the sylink.xml of group2 and replaced to client from group1, my client still in group1.

How can i move my client from group1 list to group2 list w/o moving manually from SEPM?.

any idea?..

Comments 10 CommentsJump to latest comment

Vikram Kumar-SAV to SEP's picture

If the correct Sylink is replaced if should move to correct group.

However if there is AD integration with SEPM you cannot move clients.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search use it.

Mithun Sanghavi's picture


Could you let us know:

1) Is there a Replication set on the SEPM?

2) Is there are AD Integration Set on the SEPM?

3) Are you manually replacing the Sylink OR Using Tools like SylinkReplacer or SylinkDrop to Replace Sylink?

Try Moving Clients using these Steps:


Work on the Steps provided in the Articles below:

1) SylinkDrop or SylinkReplacer fails to assign Symantec Endpoint Protection clients to a new Client Group
2) Symantec Endpoint Protection Client reverts to old group after being moved to new group with SylinkDrop

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Beppe's picture


moving clients from one group to another one is much easier through the SEPM console, I suggest you to reconsider this option otherwise you might spend more time on learning other techniques rather then going ahead with the easiest one.




Beppe's picture

To be more precise, the client does not take any decision about the group where it registers to.

At installation time, the sylink.xml contains a preferred group (not compulsory group), the SEPM then checks if the new client is not already pre-registered in the DB, if yes, the pre-registration has the priority.

The same in your case, if clients are already registered in group1 and you say to clients "go to group2", the SEPM will ignore their request, they already exist in the DB.

Why? The product is designed to be managed remotely i.e. to move clients through the console, not locally on the clients for obvious administrative convenience. To accomplish this design the product cannot work in another way because, look:

- SEP client X has group1 set as preferred and it is registered there

- in normal situation an administrator would like to move X from group1 to group2 easily from the console

- he then move it, it means that, into the DB, X now is assigned to group2

- client X communicates with SEPM with its preferred group but SEPM has to ignore it to keep it in group2 as requested by an admin, in other words, the product has to accomplish to more authoritative requests

So, since it is expected that what is in the DB is always handled by an admin which has access to the console, it must have higher priority than client-side actions.

Of course, these kind of logic also increase the reliability of the product (i.e. no easy tampering).

That's why it is not easy to move clients from a group to another without access to the console or permissions to do it.




AravindKM's picture

The best and easy way for moving client from one group to another is manually moving the client is in SEPM. If you are not able to do it because of some reason at times you may have to replace both sylink.xml and serdef.dat of new group.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Mohd. Arshad's picture

Sylink.xml is just a guide for the client to communicate to the manager.

Merely changing the Sylink.xml will not change the group.

B'coz the client cannot decide which group it must sit into. It is the manager which decides.

If the manager has the client in Group 1, even if the client is updated with the Sylink.xml of Group 2 it will sit only in Group 1 b'coz, the manager will update the client with the Sylink of group 1 when the client reaches the manager. (i.e) When the client reaches the Manager with the "Sylink of Group 2" the manager will change it to the "Sylink of Group 1".

If you want it to automatically go to the Group 2 then the client must be deleted from Group 1 in the manager. This leaves the manger with no information on the client, thus it checks the signature on the Sylink and accepts the group avaliable on the Sylink.

Hope this explains it.

(Please update the status)


Mohamed Arshad Akbar

22Aug's picture

by any chance had you selected the reconnection preference so that client still reports to client group 1.

mrbuguz®'s picture

To all,

I mean is if I replaced the sylink of client, the client automatically moved to group where the sylink came from.? because after i replace the sylink from other group of the client, still the client remain on the group where the client belong. anyway's to removed the client automatically after replacing sylink?.


AravindKM's picture

The communication information in client end not only sored in sylink. As far as I know it will be stored in registry,sylik file and in serdef.dat. (It may be stored in some other places also.). Do you tried by replacing serdef.dat also along with sylink.xml? .Have a look at this KB also

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind