Issues with Users/Admins being able to disable features on SEP 12.1 client
So we have needs for our remote computer administration staff to be able to troubleshoot problems possibly related to Symantec. (conflicts, firewall rules, detections etc)
I have architected a solution to this by creating a group that gives the workstations in it client control with no settings "locked" with any padlocks.
When my workstations are put into this group (with myself logged in), I am able to right click on the "Shield" and go to "Disable Symantec Endpoint Protection".
When other admins attempt to do this, the option is greyed out.
It seems like this may be related to a permissions issue, because when I look under troubleshooting>windows account, I am listed as having far more privileges than the other admins, even though they are in the "computer administrators" group by AD group membership.
The question is, what permission is necessary to allow these admins to right click disable? Why does the product require this?
Comments
anyone have insight on this?
anyone have insight on this?
If all machines are in the
If all machines are in the same group in the SEPM and the only difference is the admins' logins, it definitely sounds like Windows permissions to me. Perhaps the other administrators are a part of another group that has more restrictive rights or explicits denials.
I understand that Domain Admins do not have local admin rights by default, as a security enhancement in Windows 2008. Could that be a factor?
sandra
Symantec Endpoint & Mobility Group / Information Development
Don't forget to mark your thread as 'solved' with the answer that best helped you!
Since it does appear to be a
Since it does appear to be a Windows permissions issue I suggest running gpresult -z against each user account and comparing what actually gets applied.
I guess my question is, what
I guess my question is, what sort of permissions does Symantec require, and why isn't this documented?
If the machine is in Client mode and the policies are unlocked, why does it matter what windows permissions the user has?
User having the issue is a local admin on the machine, however. They are in a security group that has been given local admin rights on the machine.
Only Windows administrators
Only Windows administrators can disable these protection technologies from the client, and only if the technology has not been locked down in SEPM by the admin.
Would you like to reply?
Login or Register to post your comment.