A managed Symantec Endpoint Protection (SEP) client will not change group or domain membership in SEP Manager (SEPM )after some operations, such as importing new communications settings (SyLink.xml) or re-installing or upgrading the client with a new package exported from the SEPM.

NOTE: "domain" in this article refers to a SEPM domain, not Active Directory.

If the SEP client is already registered with the SEPM then this behavior is by design and is meant to prevent unauthorized changes. Uninstalling a SEP client will also leave behind a Hardware ID that will be re-used in a new managed installation to re-establish any existing registration with the SEPM.

The client will move and join the appropriate group and domain, if the imported SyLink.xml points to a different SEPM (with which the client  is not already registered).

To otherwise change the group or domain membership of an existing managed SEP client, use one of the following methods:

• Use the move operation in the SEPM clients list (only available for changing groups, not domains). Simplest.
   
• Delete the client's entry in the SEPM clients list, then deploy new communication settings to client *
   
• Delete Hardware ID files from client, then deploy new communications settings to client **
   
• Use the MoveClient tool in the Tools/NoSupport directory of the SEP product media.

* Deploying new communications settings to a client must be done before the next heartbeat with SEPM, otherwise the client will re-register with the SEPM using its current group/domain settings. This heartbeat can be prevented by running smc -stop at the client.

** How to prepare a SEP client for cloning describes how the Hardware ID files may be deleted from the client so that it will re-generate a new unique ID. Given a new SyLink.xml file, the client should then register with the correct group and domain. NOTE: SEP Linux and Macintosh clients use a simple hash of the MAC address and system disk identifier; the Hardware ID for these clients will not change given the same hardware. Macintosh and Linux clients will require deletion of any corresponding client entries from the SEPM before a new SyLink.xml will change group or domain settings.