Service Account has been removed from the Symantec Administrators group denying access

book

Article ID: 156959

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

The SMP Service Account / Application Identity was accidently removed from the Symantec Administrators group, thus denying access to various parts of the console.

Access Denied
You currently do not have sufficient network access rights to the Notification Server console.
Please contact your local area network administrator for further assistance.

Cause

The SMP  Service Account / Application Identity had been accidently deleted from the Symantec Administrators group

Resolution

NOTE:  The following solution will only work if the "NT Authority\System" account is still a member of the Symantec Administrators group. You can confirm this by running the following SQL  Query:

 

exec spGetDelayLoadRoleMembers @RoleGuid='2E1F478A-4986-4223-9D1E-B5920A63AB41',@TrusteeList=N'{2E1F478A-4986-4223-9D1E-B5920A63AB41}'

 

1) Download PSExec (http://technet.microsoft.com/en-us/sysinternals/bb897553)
2) Open CMD as an Administrator and then execute the following command:

PsExec.exe /s /i "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

This will launch Internet Explorer as the NT Authority/System account.

3) Navigate to the Altiris Console (http://localhost/altiris/console/) and then to the security role manager and re-add the Service Account to the Symantec Administrator group.