Login to the Symantec Endpoint Protection Manager -> Admin button -> Administrators panel -> Add Administrator task:
Or, if the Limited Administrator has already been created you can just select the Administrator and click on Edit Administrator Properties -> Access Rights tab -> Manage groups check box -> Group Rights.. button.
When this window appears Do Not highlight the group you want to change the access rights to:
Right-click the appropriate top level group and choose, "Set No Access to this group and all subgroups." If you do this from the My Company group then all the subgroups will be set. Then it is much easier to configure the smaller number of groups you actually want the Limited Administrator to have access to.
The "Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control" that is included in SEP 11 MR 4 discusses the default rights of a Limited Administrator on page 75, "By default, limited administrators do not have any access rights. You must explicitly configure reporting rights, group rights, command rights, and policy rights for this type of administrator." Note that this refers to not checking the boxes next to any of the main roles: View Reports, Manage Groups, Remotely run commands or Manage Policies. If these are left unchecked, a warning is displayed that the account will be created, but deactivated. The net result is if that account attempts a login, it will be refused and have no access to SEPM at all. Once a role is chosen, then the login will work and will only access the abilities that it has been granted.
As of MR4 MP2: When you select a Limited Administrator, choose Edit Administrator Properties, the Help screen for the "Administrator Properties for" now states: "The default enables limited administrators to have full rights over all groups". This addresses concerns for some customers who feel this was understated in the documentation in previous versions.