Unable to move client to a different group using MoveClient.vbs
search cancel

Unable to move client to a different group using MoveClient.vbs

book

Article ID: 164674

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You have a Symantec Endpoint Protection Manager with embedded database. When you try to use the MoveClient.vbs script (contained in the NoSupport\MoveClient folder) to move clients from My Company to an alternate group (e.g. Default Group), the operation fails, although you use the exact same settings and HostGroups.txt configuration as described in the accompanying MoveClient.pdf documentation.

MoveClients.log:

########################################################################
# Begin MoveClient        2/16/2017 2:27:19 AM
########################################################################
2/16/2017 2:27:19 AM Testing connection to ODBC DSN
        ::Success
    ::Root Group Name: My Company
    ::Domain Name: Default
    ::DomainID: DD8922C9C0A802696FB00FE2E223FAC4
        ::Success
    ::Temp Group for this run: My Company\
    ::Get Temp GroupID 
        ::Failed
    ::Get NewUSN: 124064
        ::Success
2/16/2017 2:27:19 AM : Start structure metadata Query
    ::Get group structure metadata
        ::Success
    ::Processing Hostgroups.txt
    ::Win10 -|- default -|- Default Group
    ::Checking for clients to move
        ::Failed to move Client 'Win10' User 'Administrator'.  The new group is invalid.
########################################################################
# MoveClient Ended with Failures        2/16/2017 2:27:21 AM
########################################################################

and

###################################################################
# Begin MoveClient        2/15/2017 11:56:44 PM
###################################################################
2/15/2017 11:56:44 PM Testing connection to ODBC DSN
::Failure. Return Code: -2147217843 - Incorrect Username/Password
###################################################################
# End MoveClient        2/15/2017 11:57:02 PM
###################################################################

Environment

Symantec Endpoint Protection Manager 12.1, 14

Cause

1. The MoveClient.vbs script by default only allows to move clients between My Company subgroups, e.g. My Company\Default Group and My Company\MyGroup1, as demonstrated by the following excerpt that shows the SQL statement the script uses to obtain the list of clients to be moved from the specified group (TempGroupName, which is "Default Group" by default in the script), as a subgroup of RootGroup, which is My Company:

sql = "Select * from IDENTITY_MAP where TYPE = 'SemClientGroup' and name like '" & RootGroup & "\" & TempGroupName & "' and DOMAIN_ID = '" & DomainID & "';"

2. The MoveClient.vbs script by default uses the following DBUser and DBPassword:

Dim DBUser : DBUser = "dba"
Dim DBPass : DBPass = "symantec"

You may believe that, because you log on to the Symantec Endpoint Protection Manager console with user "admin", DBUser should be changed to the same. You may also not know the database password. Both scenarios would lead to the ODBC DSN error shown above. If the double quotes are omitted around the database user name or password, running the script will fail with a "Variable undefined" error.

Resolution

1. If you wish to move clients from the RootGroup (My Company) to another group, you can alter the default behavior by removing the underlined part shown in point 1 of the Cause paragraph above from that specific line in the script. It should be noted that the script will then obviously only work for any clients present in RootGroup (My Company).

2. For a Symantec Endpoint Protection Manager embedded database, the DBUser is always "dba". DBPass should be set to your custom database password. After setting the correct database password in the script and ensuring both entries are surrounded by double quotes, please perform the following procedure:

a.  Open odbcad32.exe (ODBC Data Source Administrator (32-bit)).

b. In the System DSN tab, select the SymantecEndpointSecurityDSN data source, then click the Configure... button.

c. In the Login tab of the new ODBC Configuration for SQL Anywhere window that appears, enter "dba" (without the quotes) in the User ID field and your database password in the Password field. If unsure about the database password, run the Management Server Configuration Wizard and reset the embedded database password (the related page is the third one, following the ports assignment).

d. In the ODBC tab of the same window, click the Test Connection button. It should report Connection successful at this point, click the OK button twice to exit.

Note that, contrary to the DBUser and DBPass entries in the script, the destination group(s) in Hostgroups.txt should not be surround by double quotes, even if they contain a space. If, for example, after making the alteration described in point 1 above, you wanted to move a single client called Win10 from "My Company" to "Default Group", the Hostgroups.txt file should have the following content:

Win10,Default Group

Powered by Wolken Software