Endpoint Protection


unable to login to SEPM console


  • 1.  unable to login to SEPM console

    Posted Mar 22, 2012 08:51 AM

    Hi,

    For limited administrator account unable to login to SEPM console.

    In older version 11.0.6 we are able to login with limited administrator without any issue.

    We are getting username and password is incorrect.

    Whereas if we create login with full administrator after that we can login to SEPM console.

     



  • 2.  RE: unable to login to SEPM console

    Broadcom Employee
    Posted Mar 22, 2012 09:01 AM

    what is the error message it gives?

    did you try to reset the password using the admin account in SEPM console?



  • 3.  RE: unable to login to SEPM console

    Posted Mar 22, 2012 09:12 AM

    We are getting the error message username and password is incorrect.

    We are using an Active Directory account to log in. No issue with the password or login account.

    The problem is with access rights. If we create it with full admin rights, we are able to log in to the SEPM console. When we create the same account with limited access, we have this issue.



  • 4.  RE: unable to login to SEPM console

    Trusted Advisor
    Posted Mar 22, 2012 09:21 AM

    Hello,

    What happens if you uncheck the Box for Directory Authentication (Edit the Limited Administrator > Under Authentication TAB)?

    Hope that helps!!



  • 5.  RE: unable to login to SEPM console

    Broadcom Employee
    Posted Mar 22, 2012 09:27 AM

    is the ad synched with SEPM ?



  • 6.  RE: unable to login to SEPM console

    Posted Mar 22, 2012 11:58 AM

    I just want make clear ,  AD is synched with SEPM, the same ID when provide full admin access we are able to access the SEPM console..

    As We mentioned earlier no problem with AD accounts..We are able to login with SEPM accounts .. Issue is only with limited admin accounts



  • 7.  RE: unable to login to SEPM console

    Posted Mar 22, 2012 12:15 PM

    Did you grant any access rights to those limited admin accounts in SEPM? If not, please grant access to a few groups and reporting. Then try to log in with the Limited admin account.



  • 8.  RE: unable to login to SEPM console

    Posted Mar 22, 2012 12:36 PM

    One of the differences between the System Administrator and Limited Administrator accounts is the restriction of access to a single SEP Domain (accessible via the SEPM console and Admin -> Domains).

    If you have multiple SEP Domains, can you confirm which one these Limited Administrator accounts are created for, and that your colleagues are filling out the "Domain" field appropriately when attempting to log on?

    Then there's the more basic things to look out for like the username being case sensitive, or making sure they use the SEP Limited Administrator account name rather than their windows account name (not necessarily the same!)



  • 9.  RE: unable to login to SEPM console

    Posted Mar 22, 2012 01:00 PM

    Here is the scenario,

     

    we have 4 domains including child domains.

    1. Domain A-- a.abc.com (Parent Domain); all the remaining are child domains

    2. domain B--b.a.abc.com

    3.Domain C-- c.a.abc.com

    4. Domain D--d.a.abc.com

     SEPM server is added to Domain A.

    we have included directory servers in SEPM console under directory servers tab(Admin-> servers->SEPM server- properties -> directory servers)

    Now we have few full admin accounts (Both Domain A and Domain B user  accounts.)

    We have no issues with full admin accounts.

    Now we are trying to create a new login in the SEPM console for a Domain D user by using his domain NT login, to which we have provided limited admin rights, and provided access for all limited administrator access rights, but the user is not able to log in to the SEPM console. (For the same ID, if we provide full access he is able to log in to the SEPM console.)

    Hope this helps for clarification.....!!!



  • 10.  RE: unable to login to SEPM console

    Posted Mar 22, 2012 01:11 PM

    I'm actually after confirmation on if you use SEP domains.  If you log into the SEPM console as a System Administrator account, and go to Admin -> Domains, do you see anything listed other than "Default"?

    If so, can you confirm if these limited administrator accounts are trying to log into the same SEP domain in which they were created please?

    Bit more info on SEP domains can be found here:

    http://www.symantec.com/docs/HOWTO55042



  • 11.  RE: unable to login to SEPM console

    Posted Mar 22, 2012 01:29 PM

    We have only one SEPM server for all the domains. If we create separate domains in SEPM, is there any database change?

    My question is: why can a full administrator log in to the SEPM console but not limited administrators?

    In domains tab we able to see default and domain D



  • 12.  RE: unable to login to SEPM console

    Posted Mar 23, 2012 08:15 AM

    The reason behind my questions was because Limited Administrators are restricted to the SEP Domain in which they were created.  Therefore if the Limited Administrator account was created and assigned to 'SEP Domain A' they could not then log into the SEPM Console on the Default SEP Domain.  The article below might give you a better idea of what I mean:

    http://www.symantec.com/docs/TECH93758

    As you only have the one default SEP Domain however...

    Can you give us an idea of what permissions are assigned these Limited Admin accounts, and what the error message is you're seeing?

    Perhaps even try creating two accounts within SEP linked to the same AD account for testing purposes?



  • 13.  RE: unable to login to SEPM console

    Posted Mar 26, 2012 08:13 AM

    I am just confused about this: "Limited Administrators are restricted to the SEP Domain in which they were created.  Therefore if the Limited Administrator account was created and assigned to 'SEP Domain A' they could not then log into the SEPM Console on the Default SEP Domain..."

    As per the article, we have entered the domain name correctly, as we entered it under the directory services tab.

    For limited admins we have provided rights to view Reports and full rights to manage Groups.

    We can't create the same AD account twice in the SEPM console. We are getting the error message "Admin account is already created in SEPM console."

     

    PFA error message which we are getting while logging to SEPM console by using limited administrator account



  • 14.  RE: unable to login to SEPM console

    Posted Mar 26, 2012 08:30 AM

    ...so you have two domains within SEP, correct?  The 'Default' domain and the 'Domain D' domain are both listed under Admin -> Domains within the SEPM Console right?

    While in this section of the console, can you click through both the 'Default' and the 'Domain D' entries and confirm which one say '(Current Domain)' beside it?

    If it is 'Domain D' which is the current domain (as I suspect it is) then when you are creating the Limited Administrator account, you are creating it for 'Domain D'.  What this means is that when you are trying to log in as this Limited Administrator account, you must make sure you fill in the "Domain" field in the logon screen (made available by clicking the "Options >>" button).

    As the earlier article states, the SEP Domains are case sensitive so make sure it is written exactly as it appears from within the SEPM Console -> Admin -> Domains.

    The reason it works fine when you create the account as a System Administrator is because these top-level accounts have access to all SEP Domains, not just the one in which they were created.



  • 15.  RE: unable to login to SEPM console

    Posted Mar 26, 2012 10:57 AM

    Please find my comments below

    so you have two domains within SEP, correct?  The 'Default' domain and the 'Domain D' domain are both listed under Admin -> Domains within the SEPM Console right?

    YES

    While in this section of the console, can you click through both the 'Default' and the 'Domain D' entries and confirm which one say '(Current Domain)' beside it?

    Default domain is current domain.. When we click the domain D we have an option like administer domain option is enable.. Whereas when we click default domain this option is not available.

    If it is 'Domain D' which is the current domain (as I suspect it is) then when you are creating the Limited Administrator account, you are creating it for 'Domain D'.  What this means is that when you are trying to log in as this Limited Administrator account, you must make sure you fill in the "Domain" field in the logon screen (made available by clicking the "Options >>" button).

    In this scenario, we are creating Domain D user account for SEPM login as AD authentication. Even when we fill domain name correctly as per the list under domain tab.

    As the earlier article states, the SEP Domains are case sensitive so make sure it is written exactly as it appears from within the SEPM Console -> Admin -> Domains.

    Entering correctly.



  • 16.  RE: unable to login to SEPM console

    Posted Mar 26, 2012 12:25 PM

    When creating this Limited Administrator account, you need to first switch to the 'Domain D' domain if that's the SEP Domain the account is going to manage.

    This just means you need to make sure you highlight 'Domain D' and click "Administrator Domain", making it the Current Domain, before you create the new Limited Administrator account.



  • 17.  RE: unable to login to SEPM console

    Posted Mar 26, 2012 01:22 PM

    So what happens after creating the limited administrator for Domain D? Is the user able to see all the groups in the SEPM console as we see in the default domain?

    Do we need to change the domain back to the default domain after creating the admin account?

    Note: We have only one SEPM database.

    As per your above-mentioned method, the user is able to log in to the SEPM console by using the Domain D AD user account, but the user is not able to see the SEPM default domain client groups.



  • 18.  RE: unable to login to SEPM console

    Posted Mar 27, 2012 03:44 AM

    This is by design.  The Administrator and Limited Administrator SEP account types (as per the article I linked before) can only see the clients, etc for a single SEP Domain.  So a Limited Administrator created within the 'Default' SEP domain cannot log into, nor view, the 'Domain D' domain and vice versa.

    Only a System Administrator level SEP account can switch between SEP Domains.  The Administrator and Limited Administrator level accounts are locked into the domain under which they are created (they don't even have the "Domains" option under "Admin").



  • 19.  RE: unable to login to SEPM console

    Posted Mar 27, 2012 05:16 AM

    Hi,

    You have reset.bat file available in tools folder.

    programfiles\symantec\symantec endpoint protection manager\tools



  • 20.  RE: unable to login to SEPM console

    Posted Mar 27, 2012 05:32 AM

    Previously, when we were using the 11.0.6300 SEPM, we were able to log in to the SEPM console by using both Domain B and Domain D user accounts.

    And we were able to view all the groups under the default domain. After upgrading to 12.1 RU1 we are facing this problem.

    Hi Sonday,

    What happens if we run the reset.bat file?



  • 21.  RE: unable to login to SEPM console

    Posted Mar 27, 2012 05:47 AM

    ...you're not confusing SEP domain and Windows domains.  AFAIK SEP Domains have always been completely separate, and only SEP System Administrator level accounts can administer more than one SEP Domain (and even then only one at a time).

    Windows domains however are different.  As long as you have the connectivity and credentials to set them up as Directory Servers, you can link Windows accounts from any configured Windows Domain to SEP accounts in any SEP domain you want.

    Remember that SEP Domains and Windows Domains are not linked in any way (possibly a poor choice of words on Symantec's side there).

    Getting back to the matter at hand, for the Limited Administrator accounts you create while the 'Default' SEP domain is selected, you can leave the "Domain" field on the SEPM Logon screen blank.  The username will be whatever is configured within SEP, the password will be the user's linked Windows password.



  • 22.  RE: unable to login to SEPM console

    Posted Mar 27, 2012 06:19 AM

    Thanks for the detailed explanation. As per the below update by you: "...SEP domain is selected, you can leave the "Domain" field on the SEPM Logon screen blank.  The username will be whatever is configured within SEP, the password will be the user's linked Windows password."

    We are creating the limited administrator SEPM login based on the Domain D (AD server) user account. While logging in to the SEPM console, we are getting the error message "username or password or incorrect". If we provide full access to the user account, the user is able to log in to the SEPM console.

    Once again, sorry for the confusion made by us on AD domain and SEPM domain.


  • 23.  RE: unable to login to SEPM console

    Posted Mar 27, 2012 07:15 AM

    The below steps assume the Limited Administrator is going to manage clients in the 'Default' SEP Domain

    1. Log into SEPM as a SEP System Administrator level account
    2. Goto Admin -> Domains
    3. Select 'Default' domain and make sure it is the current domain (click the 'Administer Domain' link if it is not)
    4. Goto Admin -> Administrators
    5. Click 'Add Administrator'
    6. Fill in the username for this account all in lowercase
    7. Enter email address as appropriate
    8. Choose account type as Limited Administrator and assign permissions as required
    9. Choose Authentication method as Directory Authentication
    10. Choose the Directory server as appropriate
    11. Enter username for the windows account (just the username, not domain\username)
    12. Click the 'Test' button to ensure it works
    13. Click OK and enter the password as requested
    14. Logoff the SEPM Console
    15. Now enter the SEP username from step 6 (all lowercase remember)
    16. Enter the password for the Windows account linked to this SEP account
    17. Leave the Domain field blank (so that the SEPM Console will attempt to look for a SEP account in the 'Default' SEP Domain)
    18. Hit 'Log on'

    That should be it.

    On a side note, I've seen issues crop up with some special characters in passwords, perhaps check with a test windows account that has a simpler password as well?

    Oh yeah, please mark a 'thumbs up' any posts that you've found helpful and stuff



  • 24.  RE: unable to login to SEPM console

    Posted Mar 27, 2012 08:57 AM

    Thanks for the detailed steps. We had tried those before posting this thread.

    At last we found a solution for this. We have deleted Domain D from the Domain tab in SEPM.

    After that, any domain AD account user can log in to the SEPM console.

    Once again, thanks to all.



  • 25.  RE: unable to login to SEPM console

    Posted Mar 27, 2012 09:28 AM

    Hmmmm, I've not heard of an additional SEP domain causing issues when logging into the Default domain before.  I'm gonna take note of that...