Service Account has been removed from the Symantec Administrators group denying access


Article ID: 156959


Updated On:


Management Platform (Formerly known as Notification Server)


The SMP Service Account / Application Identity was accidently removed from the Symantec Administrators group, thus denying access to various parts of the console.

Access Denied
You currently do not have sufficient network access rights to the Notification Server console.
Please contact your local area network administrator for further assistance.


The SMP  Service Account / Application Identity had been accidently deleted from the Symantec Administrators group


NOTE:  The following solution will only work if the "NT Authority\System" account is still a member of the Symantec Administrators group. You can confirm this by running the following SQL  Query:


exec spGetDelayLoadRoleMembers @RoleGuid='2E1F478A-4986-4223-9D1E-B5920A63AB41',@TrusteeList=N'{2E1F478A-4986-4223-9D1E-B5920A63AB41}'


1) Download PSExec (
2) Open CMD as an Administrator and then execute the following command:

PsExec.exe /s /i "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

This will launch Internet Explorer as the NT Authority/System account.

3) Navigate to the Altiris Console (http://localhost/altiris/console/) and then to the security role manager and re-add the Service Account to the Symantec Administrator group.