Video Screencast Help

HOWTO: Enable Limited Administrator the right to Move Groups

Created: 24 Jan 2013 | 17 comments

Hello,

 

I am trying to delegate the task of moving hundreds of groups into several groups in SEPM (version 12 RU2)

So far, our Techs have been assigned Limited Administrator right, and they can access the groups they are supposed to move, but when they right-click, Move is greyed out, even though the group is not inheriting from any other group.

Here is a screenshot of the Limited Administrator policy

 

What other rights can I assign to these Limited Administrators so they can move one group into another, without giving them more rights than necessary?

Comments 17 CommentsJump to latest comment

_Brian's picture

That should do it. Just tested it exactly as you have setup and it works fine.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

RSASKA's picture

Brian, I tested it and it doesn't work. frown

The Enemy's greatest fear is that you'll discover who you really are, what you're really worth, and where you're headed.

 

_Brian's picture

Are these groups using AD sync?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

RSASKA's picture

AD sync? No, these groups are created individually, directly in the SEPM. No AD sync.

As a Full Administrator, I can move the clients, but as Limited Administrator, our techs are unable to.

The Enemy's greatest fear is that you'll discover who you really are, what you're really worth, and where you're headed.

 

_Brian's picture

Did you set the groups to Full Access? If Read-only or below, that would cause this.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

consoleadmin's picture

Click on Group Rights under "Manage group" and change the permission of the groups as per your requirements. Then check with same id. Hope it can help you.

Thanks.

RSASKA's picture

The group has "Full Access". Here is a screenshot of what the Tech can do when he right-clicks a group

 

The Enemy's greatest fear is that you'll discover who you really are, what you're really worth, and where you're headed.

 

_Brian's picture

Ahh I see now, I was confused. The access you setup is correct than.

What you need to do is break inheritance on the group. Than you will have the ability to move the group into another. Try that. Should work.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

Could you try creating a new groups and then move all the clients to the new groups, would that help?

Moving a group, you may need the group to be empty (without clients.) and Move Option is for clients and not groups.

Check this Article:

Moving a group within the Symantec Endpoint Protection Manager (SEPM)

http://www.symantec.com/docs/TECH181092

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SebastianZ's picture

TECH181092  is at some point not true:

"Groups cannot be moved if there are SEP clients already reporting to them" - as I am checking it is possible.

... correct should be that groups cannot be moved if there are "no clients" reporting to them - just checked and cannot do it even on full admin.

For limited admins to move the groups those account will need access to the site (Site Rights) not only to manage groups.

_Brian's picture

I move groups all the time with clients in them. Just need to break inheritance on the group first before moving the group.

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

RSASKA's picture

 

I made sure the groups don't have inheritance AND I made sure the Limited Admins had site access but no luck

After some troubleshooting, I figured out that I have to allow the Limitied Admins permission to Manage Policies for them to be able to move groups ......

 

 

The Enemy's greatest fear is that you'll discover who you really are, what you're really worth, and where you're headed.

 

_Brian's picture

Yep, because they can't uncheck inheritance otherwise if they don't have ability to manage policies.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SebastianZ's picture

I though that option was already selected on your first screenshot...strange though on my test sepm it is working only with manage groups and site right - manage policies are disabled.

Mithun Sanghavi's picture

Hello,

I would suggest you to please create a Case with Symantec Technical Support Team.

How to create a new case in MySymantec

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_t...

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

RSASKA's picture

Sebastian, when I opened Manage Policies, only the LiveUpdate option was checked, others were clear.

But once I checked all policies, then the Limited Administrators are able to move groups.

 

Thanks guys!!!

The Enemy's greatest fear is that you'll discover who you really are, what you're really worth, and where you're headed.

 

SebastianZ's picture

Ok, will need to test it in my environment - as mentioned I managed to get the limited admins to move groups only by assignig the site rights and manage groups - not touching manage policies at all (maybe some of the right are overlapping here)...