search cancel

Targets referenced by certain policies are grayed out and cannot be edited or updated.


Article ID: 162978


Updated On:


IT Management Suite


After an upgrade had been performed there were hundreds of active policies whose targets were not getting updated when the Delta Resource Membership update schedule ran. The targets could not be edited or manually updated because they were grayed out.

If the target was deleted and created again the problem was fixed for the policy. But there were hundreds affected.



Found in 7.5.1 and 7.6.  Possibly others.


The problem is rare so it is not understood why/how this condition occurred; but it is believed to be related to timing in communications between the SMP and the database server during an upgrade.

Within that window, or some other event the following had occurred (one or both).

  1.  The GUID (ResourceTargetGuid ) of the affected targets had their security owner changed to a user who no longer existed or the user/trustee who originally created the target no longer existed in the database and therefore could not be verified.
  1.  The ResourceTargetGuid of the affected targets had been removed from the ResourceTargetOwnerTrustee table so that the owner trustee could not be verified.

The following query will return the names of the affected policies, and the count of targets per policy that are problematic.

select distinct p.Name as Policy, COUNT(*) as [Affected Targets]

from ItemAppliesTo iat

 join Item p on p.GUID = iat.ItemGuid

 join Item i on i.GUID = iat.ResourceTargetGuid

 left join ResourceTargetOwnerTrustees rot on rot.ResourceTargetGuid = iat.ResourceTargetGuid

 left join SecurityTrustee st on st.GUID = rot.TrusteeGuid

where rot.ResourceTargetGuid is null  or st.GUID is null

group by p.Name

order by p.Name



Run the SQL script attached to this article. The script will do the following two procedures.

  1. Identify all targets whose security owner exists in ResourceTargetOwnerTrustee but cannot be verified. It will then change the security owner of all affected targets to be owned by "Symantec Administrators"
  2. Identify all targets that have no representation in ResourceTargetOwnerTrustee, and insert them into the table - also setting Symantec Administrators as the owner trustee.

Note: It is good practice and highly recommended that, before running any SQL script against a database, a backup of the database should be created first.


Fix broken or missing ResourceTarget Trustee Assignments.sql get_app