A managed Symantec Endpoint Protection (SEP) client will not change group or domain membership in SEP Manager (SEPM )after some operations, such as importing new communications settings (SyLink.xml) or re-installing or upgrading the client with a new package exported from the SEPM.

NOTE: "domain" in this article refers to a SEPM domain, not Active Directory.

If the SEP client is already registered with the SEPM then this behavior is by design and is meant to prevent unauthorized changes. Uninstalling a SEP client will also leave behind a Hardware ID that will be re-used in a new managed installation to re-establish any existing registration with the SEPM.

The client will move and join the appropriate group and domain, if the imported SyLink.xml points to a different SEPM (with which the client  is not already registered).

To otherwise change the group or domain membership of an existing managed SEP client, use one of the following methods

Moving a client computer to another group

** How to prepare a SEP client for cloning describes how the Hardware ID files may be deleted from the client so that it will re-generate a new unique ID. Given a new SyLink.xml file, the client should then register with the correct group and domain. NOTE: SEP Linux and Macintosh clients use a simple hash of the MAC address and system disk identifier; the Hardware ID for these clients will not change given the same hardware. Macintosh and Linux clients will require deletion of any corresponding client entries from the SEPM before a new SyLink.xml will change group or domain settings.