United Kingdom Endpoint Management User Group

We have upgraded from CMS v7.5 HF6 to SP1 this morning and since then I've noticed a couple of perculiarities:

1. Since upgrading, when I first log on to the console from my desktop machine, I now get prompted by UAC telling me that [1]AltirisNSConsole.cab[1] wants to make changes to my computer.  This wasn't happening previously.  I have turned UAC off but wanted to know if that was normal?

2. More worryingly, since the upgrade to SP1 when I try to drag a computer from the "All Computers" group to one of our existing organizational groups I get an error:

My account is a member of the Symantec Administrators group and again this error did not occur previously.  If I right click on a computer and use the "Add to Organizational Group" method - that works fine with no error, so it's seems the problem is related purely with dragging and dropping.

Any ideas?

**Edit**

Further testing has revealed that it seems to only affect Organization Groups with >2 level sub-groups.  Dragging to top level or level 1 seems fine.

E.g. dragging to Org Group 1 > Level 1  - works fine

dragging to Org Group 1 > Level 1 > Level 2 - I get the above error...

The UAC / CAB install prompt is normal but should only happen the first time you access the 7.5 SP1 console from a particular computer.  The same would have happened the first time you accessed the 7.5 console but the client side components were updated with the SP1 upgrade.

I can't speak to the Org drag / drop.  My upgrade to SP1 is this weekend.  Adding it to my test plan.

The UAC prompt is happening every time I log into the console.  Even after clearing cookies and restarting browser.  IE11 on Win8 Enterprise 64-bit.

Fixed the UAC issue.  I had to lower the IE security settings for Trusted Sites in IE from the default of medium down to medium-low.  It prompted again the first time after the change, but hasn't asked since.  Perhaps it thinks the ActiveX control is unsafe or untrusted in some way?

If you're using SMP Console via SSL, do you have there disabled "Do not save..." in I.E?

Looks like if you've upgraded Console.cab and it seems like that it asks to reboot a PC...

(Please check this link about similar case https://www-secure.symantec.com/connect/blogs/itms-75-sp1-available-now

Thanks,

IP.

Before you made the change, were you using compatibility mode?  From what I read, IE10 / 11 are only supported when in compatibility mode.

About "AltirisNSConsole.cab":

• http://www.symantec.com/docs/TECH210490

About "Not enough permissions":

• Did you see a warning message about not enough permissions in Altiris Log Viewer? There should be shown a GUID of Item, where you don't have permissions. You can then via mouse right click menu on Org Group check what security settings are there and what permissions has account from "Security Role Manager".

Maybe you can try to remove your account from "Symantec Administrators" role and add it back.

Thanks,

IP.

OK - I've come in this morning and reset my Trusted Sites back to default (medium) and the console is still no longer prompting me for UAC, so whatever things I have tried here (or the overnight reboot) seems to have solved that.

The drag permissions problem was still evident this morning, so I checked the Altiris logs and sure enough a Restriction check (informational) entry was there for each time the above permissions error has been displayed:

Restrictions check for item 2147b7df-fbe1-4c00-a809-6988b585cd3a failed due to missing permission ac296df1-eb40-4592-899f-25d5c07d45f6
-----------------------------------------------------------------------------------------------------
Date: 27/06/2014 10:14:57, Tick Count: 74437781 (20:40:37.7810000), Host Name: (removed), Size: 393 B
Process: w3wp (1208), Thread ID: 322, Module: w3wp.exe
Priority: 4, Source: Altiris.NS.Services.CoreServices.Wrappers.EventLogWrapper.ReportInfo
File: C:\ProgramData\Symantec\SMP\Logs\a.log

I checked the permissions for Symantec Administrators on one of those groups and they were all UNTICKED!

I also created another new account with the Symantec Administrators role and the problem was the same for that account also.

So I tried to create a new Org group in the same level as the groups causing the problem.  Dragging computers to that group worked fine.  BUT HERE IS THE STRANGE THING - since doing that, dragging to the groups that were previously giving problems also now works fine!  This is confirmed by checking the permissions for Symantec Administrators on the previously problematic groups again, and they now appear with everything ticked (as expected).

So something strange has gone on where perhaps permissions have not been copied/updated after the SP1 upgrade and creating a new group has somehow instigated a permissions refresh on the whole group which has fixed the problem.

Glad the problems now seem fixed and hopefully this information will be useful to someone....

OK - I've come in this morning and reset my Trusted Sites back to default (medium) and the console is still no longer prompting me for UAC, so whatever things I have tried here (or the overnight reboot) seems to have solved that.

The drag permissions problem was still evident this morning, so I checked the Altiris logs and sure enough a Restriction check (informational) entry was there for each time the above permissions error has been displayed:

Restrictions check for item 2147b7df-fbe1-4c00-a809-6988b585cd3a failed due to missing permission ac296df1-eb40-4592-899f-25d5c07d45f6
-----------------------------------------------------------------------------------------------------
Date: 27/06/2014 10:14:57, Tick Count: 74437781 (20:40:37.7810000), Host Name: (removed), Size: 393 B
Process: w3wp (1208), Thread ID: 322, Module: w3wp.exe
Priority: 4, Source: Altiris.NS.Services.CoreServices.Wrappers.EventLogWrapper.ReportInfo
File: C:\ProgramData\Symantec\SMP\Logs\a.log

I checked the permissions for Symantec Administrators on one of those groups and they were all UNTICKED!

I then tried to create a new account with the Symantec Administrators role and had the same problem with that account also - could not drag computers to certain groups.

So I tried to create a new Org group in the same level as the groups causing the problem. Dragging computers to that group worked fine. BUT HERE IS THE STRANGE THING - since doing that, dragging to the groups that were previously giving problems also now works fine! This is confirmed by checking the permissions for Symantec Administrators on the previously problematic groups again, and they now appear with everything ticked (as expected).

So something strange has gone on where perhaps permissions have not been copied/updated after the SP1 upgrade and creating a new group has somehow instigated a permissions refresh on the whole group which has fixed the problem.

Glad the problems now seem fixed and hopefully this information will be useful to someone....

I posted a lengthy comment with important updates on this issue this morning but it disappeared - said it needed to be moderated :(

*Edit - thanks Igor - comment now (re)posted below

**Update**  The organisational group permissions are not working again so I'm going to speak to support.  I'll update this post with any outcomes.

Try to check audit history of this Org group, maybe there you will see date of modification and by whom.

Mouse right click on appropriate Org group -> properties -> audit tab.

One more thing we have noticed is that when we try to schedule a task, and click "add"..."computer or devices", when we look inside the organizational groups in the following window, they are all empty apart from the top level group called "Organizational views".  All of the other Organzational Groups appear empty - even tho computers are contained within them.  This means we can't easily schedule for a group of computers.

If I create a new brand new Organizational View with organzational groups within it, they appear to work fine.  I can drag and drop to and from them and computers within them show normally in the schedule task window.  So the problem does seem to be related to the permissions with our existing organzational views and groups somehow getting corrupted.

Security audit trail shows very little and some of the affected groups have no entries in the audit at all...