The customer has the following Microsoft security group Management:
Users as members of Global Groups
Global Groups are members of Local Groups
Local Groups are targeted by NS Import for Account and Role imports
In SMP 7.1 SP1 the targeted local security groups would import both users and groups that are directly assigned to that group. If the member was a group, then another role was created for this group and the process repeated for this group which loaded groups and users which is a member of that group.
Now in SMP 7.1 SP2 only the users are processed within the targeted group while the groups assigned to that group are ignored.
In fact when a FULL AD import runs the existing membership associations between the groups is deleted and the customer Console access is removed except for the Application Identity which is a direct member of the Symantec Administrators role.
This has completely broken the customer security model as they have setup as per Microsoft best practices for security. The customer would be unable to approve or maintain new groups where the memberships are users directly.
This issue has been reported to the Symantec Development team. A permanent fix will be provided in the next major release, in this case ITMS 7.1 SP2 MP1 and ITMS 7.5.
Note: A separate standalone pointfix is available for those that have SMP 7.1 SP2 Rollup v4, which addresses the following issues with: a) AD Account and Role Import no longer traverses groups inside the imported group. Groups within the membership of a group are not processed or associated to the parent group. b) While trying Sites and Subnets AD Imports, an extra '\' (backslash) character is added to the subnet information. c) Computer AD Import rule does not add computers from nested AD groups into the post import directory filters. (TECH195912)
See attachment "Pointfix_eTrack2731779_2794810_2823775_ 7_1SP2_Rollupv4.zip"
ASSOCIATED ETRACKS: 2731779 2794810 2823775
As well the following scenarios were tested: 1. When all group members are located in the same domain 2. When group members are located in other trusted Domain 3. When group members are located in other Parent and Child domains 4. Full Import for Security Groups, Distribution Groups, Sites and Subnets. 5. Import of Nested Security Groups for roles and accounts. 6. Update import rule for sites and subnets.
HOW TO INSTALL THIS POINTFIX 1. Extract files from the archive to the NS hard drive. 2. Make sure PointFix is extracted not to Altiris install directory (or any subfolder to it)!!! 3. Execute PFInstaller.exe with administrative privileges (right-click > Run as administrator). 4. Accept UAC (User Account Control) prompt, select Install Files. Note: Old files will be automatically copied to the PointFix’ subfolder ‘Backup’. 5. The following regkey is created as reference: HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Pointfixes\NS 7.1 SP2, 2794810
THIS POINTFIX HAS THE FOLLOWING KNOWN ISSUES: It is recommended to use ‘Full Import’ instead of ‘Update Import’ for the affected group (that were partially imported), otherwise all group members will be imported, but their associations (member/member of) will be lost. Update Import for Subnet and Sites is not working properly.
HOW TO UNINSTALL POINTFIX 1. Make sure that Backup subfolder is located in PFinstaller’ directory 2. Execute PFInstaller.exe with administrative privileges (right-click > Run as administrator). 3. Accept UAC (User Account Control) prompt), select Uninstall Files.