The Delete and Move clients option is greyed out in the Endpoint Protection Manager (SEPM).

Active Directory OU's are sync'd with the SEPM and these clients are in those groups.

This functionality is not available for clients synchronized with Active Directory as they are managed by Active Directory not the SEPM. The changes must be made within Active Directory itself.

Delete, Move, or otherwise edit the clients in Active Directory, then re-sync the OU that the client(s) belong to in the SEPM.

How to re-sync an OU in the SEPM:

1. Log into the SEPM console
2. Click on the Clients tab
3. Right-click the desired OU
4. Click Sync Now

Note: Do not synchronize the Active Directory groups with more than one SEPM.

There is the option to "Copy" an AD sync'd client to a non-AD sync'd group if you need to set custom policies for some clients without moving them within Active Directory.

Managed Symantec Endpoint Protection (SEP) Client appears in Default Group instead of Active Directory Organizational Unit (OU) in the Symantec Endpoint Protection Manager (SEPM)