Endpoint Protection

Hello,

When creating limited admin accounts, I would like to give the admins ability to view the policies but not change them.  SEPM currently only allows me to check on “Manage Policies” and then check on “Do not allow editing of shared policies”.  However,  the effect of this is that when a limited admin does, try to view the policy, they get the option of creating a non-shared policy from copy on to that group.  We do not want this, as this can affect any computer in that folder.  How can we keep the settings so that an administrator can view the policy at the same time cannot create a non-shared policy? 

 

 

 

 

You need set the access to Read only for the "Manage Groups" setting. If it is set to Full Access they will be able to create non shared policies like they are already doing. The groups they can manage need to be Read-Only. So in your sscreenshot above click on "Group Rights" next to "Manage Groups" and set the groups to read-only for that admin

 

Configuring the access rights for a limited administrator

Article:HOWTO55037

|

Created: 2011-06-29

|

Updated: 2011-12-17

|

Article URL http://www.symantec.com/docs/HOWTO55037

 

Additional information about configuring the administrator rights:

http://www.symantec.com/docs/HOWTO55094

I want to give administrators access to groups so that they can move a client from one group to another, at the same time, I do not want them to have access to create any kind of policy. Is this possible?

No.

If you want them move PCs than they need full access to the group.

But, if you don't want them creating non shared policies, than they need Read-only access, which also will not allow them to move PCs.