Endpoint Protection


HOWTO: Enable Limited Administrator the right to Move Groups


  • 1.  HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 10:59 AM

    Hello,

     

    I am trying to delegate the task of moving hundreds of groups into several groups in SEPM (version 12 RU2).

    So far, our Techs have been assigned Limited Administrator rights, and they can access the groups they are supposed to move, but when they right-click, Move is greyed out, even though the group is not inheriting from any other group.

    Here is a screenshot of the Limited Administrator policy

     

    What other rights can I assign to these Limited Administrators so they can move one group into another, without giving them more rights than necessary?



  • 2.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 11:05 AM

    That should do it. Just tested it exactly as you have it set up and it works fine.



  • 3.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 11:12 AM

    Brian, I tested it and it doesn't work. :(



  • 4.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 11:21 AM

    Are these groups using AD sync?



  • 5.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 11:28 AM

    AD sync? No, these groups are created individually, directly in the SEPM. No AD sync.

    As a Full Administrator, I can move the clients, but as Limited Administrator, our techs are unable to.



  • 6.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 11:33 AM

    Click on Group Rights under "Manage group" and change the permissions of the groups as per your requirements. Then check with the same ID. Hope this helps.


  • 7.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 11:39 AM

    Did you set the groups to Full Access? If Read-only or below, that would cause this.



  • 8.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 11:50 AM

    The group has "Full Access". Here is a screenshot of what the Tech can do when he right-clicks a group.

     



  • 9.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 12:02 PM

    Ahh, I see now, I was confused. The access you set up is correct then.

    What you need to do is break inheritance on the group. Then you will have the ability to move the group into another. Try that. Should work.



  • 10.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Trusted Advisor
    Posted Jan 24, 2013 12:04 PM

    Hello,

    Could you try creating new groups and then moving all the clients to the new groups? Would that help?

    To move a group, you may need the group to be empty (without clients), and the Move option is for clients and not groups.

    Check this Article:

    Moving a group within the Symantec Endpoint Protection Manager (SEPM)

    http://www.symantec.com/docs/TECH181092

    Hope that helps!!



  • 11.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 01:30 PM

    TECH181092 is at some point not true:

    "Groups cannot be moved if there are SEP clients already reporting to them" - as I am checking, it is possible.

    ... correct should be that groups cannot be moved if there are "no clients" reporting to them - just checked and cannot do it even on full admin.

    For limited admins to move the groups, those accounts will need access to the site (Site Rights), not only to manage groups.



  • 12.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 01:35 PM

    I move groups all the time with clients in them. Just need to break inheritance on the group first before moving the group.

     



  • 13.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 03:18 PM

     

    I made sure the groups don't have inheritance AND I made sure the Limited Admins had site access, but no luck.

    After some troubleshooting, I figured out that I have to allow the Limited Admins permission to Manage Policies for them to be able to move groups ......

     

     



  • 14.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 03:53 PM

    I thought that option was already selected on your first screenshot... Strange though, on my test SEPM it is working only with manage groups and site rights - manage policies are disabled.



  • 15.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 24, 2013 03:58 PM

    Yep, because they can't uncheck inheritance otherwise if they don't have ability to manage policies.



  • 16.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Trusted Advisor
    Posted Jan 25, 2013 05:31 AM

    Hello,

    I would suggest that you create a case with the Symantec Technical Support Team.

    How to create a new case in MySymantec

    http://www.symantec.com/business/support/index?page=content&id=TECH58873

    Phone numbers to contact Tech Support:

    Regional Support Telephone Numbers:

    • United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    • United Kingdom: +44 (0) 870 606 6000

    Additional contact numbers: http://www.symantec.com/business/support/contact_t...

    Hope that helps!!


  • 17.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 25, 2013 10:21 AM

    Sebastian, when I opened Manage Policies, only the LiveUpdate option was checked, others were clear.

    But once I checked all policies, then the Limited Administrators are able to move groups.

     

    Thanks guys!!!



  • 18.  RE: HOWTO: Enable Limited Administrator the right to Move Groups

    Posted Jan 25, 2013 10:34 AM

    Ok, will need to test it in my environment - as mentioned, I managed to get the limited admins to move groups only by assigning the site rights and manage groups - not touching manage policies at all (maybe some of the rights are overlapping here)...