Unable to restrict the Symantec Endpoint Encryption Help Desk Snap-In through Group Policy

Article ID: 155941

Products

Endpoint Encryption

Issue/Introduction

The procedure to restrict the SEE Help Desk snap-in through Group Policy does not take effect.

No errors are reported, but the Help Desk snap-in that should be restricted is still accessible to the restricted groups/users.

Cause

The EAFramework.adm file (which exposes the SEE Framework settings in Group Policy) still contains the GUID of the older OTP snap-in, so the policy does not actually restrict the new Help Desk snap-in.

Resolution

1. Open up the policy in question using Group Policy Object Editor.
2. Right-click 'Administrative Templates' under 'Computer Configuration' and choose 'Add/Remove Templates'.
3. Select EA Framework from the list and click 'Remove' and then click on 'Close' to complete.
4. Close Group Policy Object Editor.
5. Open up the EAFramework.adm file (\Program Files\Symantec\Symantec Endpoint Encryption Manager\Framework\ADM) using a text editor.
6. Search for and replace the following string:

        KEYNAME "Software\Policies\Microsoft\MMC\{F13907B4-D0D6-4e52-8B3B-8DDB3D6B33B2}"

    with this string:

        KEYNAME "Software\Policies\Microsoft\MMC\FX:{c4b5b909-e475-4419-ad37-639c0c2aba96}"

7. Save changes and close file.
8. Open up the policy again in Group Policy Object Editor.
9. Right-click 'Administrative Templates' under 'Computer Configuration' and choose 'Add/Remove Templates'.
10. Click the 'Add...' button, then browse to find the EAFramework.adm file (\Program Files\Symantec\Symantec Endpoint Encryption Manager\Framework\ADM) and click on 'Close' to save changes.
11. The Group Policy is now 'fixed' and will allow you to permit/deny access to the Help Desk / One Time Password snap-in.
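
The file edit in steps 5 to 7 can also be scripted. The following PowerShell is an added example, not Symantec's own tooling: it backs up EAFramework.adm, replaces the old KEYNAME line with the new one, and keeps the file's encoding. The default drive and folder in `$AdmPath` and the `.bak` backup name are assumptions; steps 1 to 4 and 8 to 11 are still done in Group Policy Object Editor.

```powershell
# Added example: apply the KEYNAME replacement from step 6 to EAFramework.adm.
# $AdmPath default is an assumption; the article gives the path without a drive letter.
param(
    [string]$AdmPath = "$env:ProgramFiles\Symantec\Symantec Endpoint Encryption Manager\Framework\ADM\EAFramework.adm"
)
$ErrorActionPreference = 'Stop'

# The two strings exactly as given in step 6.
$old = 'KEYNAME "Software\Policies\Microsoft\MMC\{F13907B4-D0D6-4e52-8B3B-8DDB3D6B33B2}"'
$new = 'KEYNAME "Software\Policies\Microsoft\MMC\FX:{c4b5b909-e475-4419-ad37-639c0c2aba96}"'

# Preserve the template's encoding: UTF-16 LE if the file starts with the
# FF FE byte-order mark, otherwise the system ANSI code page.
$bytes = [System.IO.File]::ReadAllBytes($AdmPath)
if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
    $enc = [System.Text.Encoding]::Unicode
} else {
    $enc = [System.Text.Encoding]::Default
}
$text = [System.IO.File]::ReadAllText($AdmPath, $enc)

# Match the old line literally; ignore case because GUID hex digits may be
# written in either case.
$pattern = [regex]::Escape($old)
$hits = [regex]::Matches($text, $pattern, 'IgnoreCase').Count

if ($hits -eq 0) {
    if ($text.IndexOf($new, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
        Write-Output 'EAFramework.adm already contains the new KEYNAME line; nothing to change.'
    } else {
        Write-Warning 'Neither KEYNAME line was found; the file was left untouched.'
    }
    return
}

# Keep a copy of the original template before writing the change.
Copy-Item -LiteralPath $AdmPath -Destination "$AdmPath.bak" -Force
$updated = [regex]::Replace($text, $pattern, $new, 'IgnoreCase')
[System.IO.File]::WriteAllText($AdmPath, $updated, $enc)
Write-Output "Replaced $hits KEYNAME line(s); original saved as $AdmPath.bak"
```

Run it from an elevated prompt on the SEE Manager machine after the template has been removed from the policy (steps 1 to 4), then re-add the template as in steps 8 to 10.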


Applies To

SEE versions that have the new Help Desk snap-ins (instead of the older OTP snap-in).