HOWTO: Enable Limited Administrator the right to Move Groups
Created: 24 Jan 2013 | 17 comments
Hello,
I am trying to delegate the task of moving hundreds of groups into several groups in SEPM (version 12 RU2)
So far, our Techs have been assigned Limited Administrator right, and they can access the groups they are supposed to move, but when they right-click, Move is greyed out, even though the group is not inheriting from any other group.
Here is a screenshot of the Limited Administrator policy
What other rights can I assign to these Limited Administrators so they can move one group into another, without giving them more rights than necessary?
Discussion Filed Under:
Comments 17 Comments • Jump to latest comment
That should do it. Just tested it exactly as you have setup and it works fine.
SEP Knowledge Base
Endpoint SWAT
Brian, I tested it and it doesn't work.
Marriage Made in Heaven
If God is for us, who can be against us? --- Romans 8:31
Are these groups using AD sync?
SEP Knowledge Base
Endpoint SWAT
AD sync? No, these groups are created individually, directly in the SEPM. No AD sync.
As a Full Administrator, I can move the clients, but as Limited Administrator, our techs are unable to.
Marriage Made in Heaven
If God is for us, who can be against us? --- Romans 8:31
Did you set the groups to Full Access? If Read-only or below, that would cause this.
SEP Knowledge Base
Endpoint SWAT
Click on Group Rights under "Manage group" and change the permission of the groups as per your requirements. Then check with same id. Hope it can help you.
Thanks.
The group has "Full Access". Here is a screenshot of what the Tech can do when he right-clicks a group
Marriage Made in Heaven
If God is for us, who can be against us? --- Romans 8:31
Ahh I see now, I was confused. The access you setup is correct than.
What you need to do is break inheritance on the group. Than you will have the ability to move the group into another. Try that. Should work.
SEP Knowledge Base
Endpoint SWAT
Hello,
Could you try creating a new groups and then move all the clients to the new groups, would that help?
Moving a group, you may need the group to be empty (without clients.) and Move Option is for clients and not groups.
Check this Article:
Moving a group within the Symantec Endpoint Protection Manager (SEPM)
http://www.symantec.com/docs/TECH181092
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<&a
TECH181092 is at some point not true:
"Groups cannot be moved if there are SEP clients already reporting to them" - as I am checking it is possible.
... correct should be that groups cannot be moved if there are "no clients" reporting to them - just checked and cannot do it even on full admin.
For limited admins to move the groups those account will need access to the site (Site Rights) not only to manage groups.
I move groups all the time with clients in them. Just need to break inheritance on the group first before moving the group.
SEP Knowledge Base
Endpoint SWAT
I made sure the groups don't have inheritance AND I made sure the Limited Admins had site access but no luck
After some troubleshooting, I figured out that I have to allow the Limitied Admins permission to Manage Policies for them to be able to move groups ......
Marriage Made in Heaven
If God is for us, who can be against us? --- Romans 8:31
Yep, because they can't uncheck inheritance otherwise if they don't have ability to manage policies.
SEP Knowledge Base
Endpoint SWAT
I though that option was already selected on your first screenshot...strange though on my test sepm it is working only with manage groups and site right - manage policies are disabled.
Hello,
I would suggest you to please create a Case with Symantec Technical Support Team.
How to create a new case in MySymantec
http://www.symantec.com/business/support/index?page=content&id=TECH58873
Phone numbers to contact Tech Support:-
Regional Support Telephone Numbers:
Additional contact numbers: http://www.symantec.com/business/support/contact_t...
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<&a
Sebastian, when I opened Manage Policies, only the LiveUpdate option was checked, others were clear.
But once I checked all policies, then the Limited Administrators are able to move groups.
Thanks guys!!!
Marriage Made in Heaven
If God is for us, who can be against us? --- Romans 8:31
Ok, will need to test it in my environment - as mentioned I managed to get the limited admins to move groups only by assignig the site rights and manage groups - not touching manage policies at all (maybe some of the right are overlapping here)...
Would you like to reply?
Login or Register to post your comment.