The Symantec Administrators Role membership is not syncing between servers

Article ID: 162938

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

The membership of the Symantec Administrators Role does not match on the Parent and Child servers.
For other roles this is resolved by changing the core setting “SyncRoleMembershipExactlyDuringReplication” to false, but the Symantec Administrators role ignores this setting.

Cause

This is the designed behavior to avoid the risk that all access is inadvertently removed from the child NS. 

Resolution

The workaround is to put the membership in a separate role and then make that role a member of Symantec Administrators. Membership can then be controlled through the additional role, which does replicate normally.

Some cleanup may also be needed on the Child to remove undesired membership of the Symantec Administrators role, because it will not be cleaned up automatically.

On the Parent Notification Server 

  1. Open Settings> Security> Account Management
    1. Click the blue plus sign to create a New Role and give it the desired name (for example, SMP Administrators)
    2. Select the Members Tab and add any Roles and Accounts that should be Symantec Administrators
    3. Select the Member Of tab and add Symantec Administrators
    4. Do not add any other Privileges as they will get everything they need from being a member of Symantec Administrators
    5. Save Changes
  2. Select the Symantec Administrators Role for the Role list
    1. Select the Members Tab
    2. Remove all members that were added in the previous step EXCEPT for the Application Identity and the new role
    3. Save Changes
  3. Open Windows Explorer 
    1. Browse to C:\ProgramData\Symantec\SMP\Settings
    2. Right click on the CoreSettings.config file and select Edit
    3. Search for “SyncRoleMembershipExactlyDuringReplication”
    4. On the line containing this text, make sure the value is true, as shown below
      <customSetting key="SyncRoleMembershipExactlyDuringReplication" type="local" value="true" />
    5. Save Changes and close the file
    6. Restart Altiris and IIS Services

On each Child Notification Server do the following steps

  1. Open Windows Explorer 
  2. Browse to C:\ProgramData\Symantec\SMP\Settings
  3. Right click on the CoreSettings.config file and select Edit
  4. Search for “SyncRoleMembershipExactlyDuringReplication”
  5. On the line containing this text, make sure the value is true, as shown below
    <customSetting key="SyncRoleMembershipExactlyDuringReplication" type="local" value="true" />
  6. Save Changes and close the file
  7. Restart Altiris and IIS Services
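The CoreSettings.config edit described above (step 3 on the Parent and steps 1 to 7 on each Child) can be checked and applied from PowerShell instead of by hand, which makes it easy to confirm the value on every server before replicating. The script below is an added example and is not part of this article. It assumes that CoreSettings.config is XML containing customSetting elements with key and value attributes, as the excerpt above shows, and that the Altiris service display names begin with "Altiris" (an assumption to verify on your installation). Run it in an elevated session on each server; without -Apply it only reports the current value.

```powershell
# Added example (not from the article): report and optionally set
# SyncRoleMembershipExactlyDuringReplication to "true" in CoreSettings.config,
# then restart the Altiris services and IIS so the new value is read.
param(
    [string]$SettingsPath = 'C:\ProgramData\Symantec\SMP\Settings\CoreSettings.config',
    [switch]$Apply   # without -Apply the script only reports; with it, the change is written
)

$key = 'SyncRoleMembershipExactlyDuringReplication'

if (-not (Test-Path -LiteralPath $SettingsPath)) {
    throw "CoreSettings.config not found at $SettingsPath"
}

# Load with whitespace preserved so the rest of the file is written back unchanged.
$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true
$config.Load($SettingsPath)

# Assumption: the setting is a <customSetting key="..." type="..." value="..."/> element.
$node = $config.SelectSingleNode("//customSetting[@key='$key']")
if ($null -eq $node) {
    Write-Warning "Setting '$key' not present in $SettingsPath; nothing changed."
    return
}

$current = $node.GetAttribute('value')
Write-Host ("{0}: {1} type={2} value={3}" -f $env:COMPUTERNAME, $key, $node.GetAttribute('type'), $current)

if ($current -eq 'true') {
    Write-Host 'Already true; no change required.'
    return
}

if (-not $Apply) {
    Write-Host "Value is '$current'. Re-run with -Apply to set it to true."
    return
}

# Keep a timestamped backup before touching a core configuration file.
$backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $SettingsPath, (Get-Date)
Copy-Item -LiteralPath $SettingsPath -Destination $backup
$node.SetAttribute('value', 'true')
$config.Save($SettingsPath)
Write-Host "Set $key=true (backup saved to $backup)"

# Final step from the article: restart Altiris services and IIS.
# Assumption: Altiris service display names start with "Altiris"; adjust if yours differ.
Get-Service -DisplayName 'Altiris*' | Where-Object Status -eq 'Running' | Restart-Service -Force
iisreset
```

Running the script once without -Apply on the Parent and on every Child gives a quick inventory of which servers still have the value set to false before the differential replication is started.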

From the Parent Server initiate a Differential Replication to all Child Servers or wait for the schedule to run.

Optional Step – After replication has completed and the new role with the appropriate membership has been replicated, the Symantec Administrators role membership can be cleaned up on the Child Notification Server by following the steps below.

  1. Open SQL Management Studio
  2. Run the following against the Symantec_CMDB (or custom-named) database. It only lists what will be deleted, so that any concerns can be addressed before the delete is run. The results should include the Roles and Accounts that should no longer be part of the Symantec Administrators role, and the Accounts and Roles that were added to the Role created in step
    NOTE: Make sure to change the text that says NAME OF ROLE CREATED IN STEP ONE to the correct Role name or it will be deleted as well.
    select p.Name as RoleName, c.Name as Membership, ra.*
    from ResourceAssociation ra
      join vRM_Security_Resource_Item p on p.Guid = ra.ParentResourceGuid
      join vRM_Security_Resource_Item c on c.Guid = ra.ChildResourceGuid
      join ItemImportMethod piim on piim.Guid = p.Guid
        and piim.ImportMethod = 3
      join ItemImportMethod ciim on ciim.Guid = c.Guid
        and ciim.ImportMethod = 3
    where ra.ResourceAssociationTypeGuid = '63468F04-6751-448D-891C-B59906360A27' -- Role Trustee
      and ra.ChildResourceGuid <> (select Value from ServerSettingGuids where Name = 'AppIdentityGuid')
      and c.Name <> 'NT Authority\System'
      and ra.ParentResourceGuid = '2E1F478A-4986-4223-9D1E-B5920A63AB41'
      and c.Name not like '%NAME OF ROLE CREATED IN STEP ONE%'
  3. Assuming the results above look correct, run the following to remove the role membership
    NOTE: Make sure to change the text that says NAME OF ROLE CREATED IN STEP ONE to the correct Role name or it will be deleted as well.
    delete ra from ResourceAssociation ra
      join vRM_Security_Resource_Item p on p.Guid = ra.ParentResourceGuid
      join vRM_Security_Resource_Item c on c.Guid = ra.ChildResourceGuid
      join ItemImportMethod piim on piim.Guid = p.Guid
        and piim.ImportMethod = 3
      join ItemImportMethod ciim on ciim.Guid = c.Guid
        and ciim.ImportMethod = 3
    where ra.ResourceAssociationTypeGuid = '63468F04-6751-448D-891C-B59906360A27'--Role Trustee
      and ra.ChildResourceGuid <>(select Value from ServerSettingGuids where Name = 'AppIdentityGuid')
      and c.Name <> 'NT Authority\System'
      and ra.ParentResourceGuid = '2E1F478A-4986-4223-9D1E-B5920A63AB41'
      and c.Name not like '%NAME OF ROLE CREATED IN STEP ONE%'