Targets used by active policies are not getting populated but remain at 0 members
Last Updated August 14, 2015
Targets used by active policies are not getting populated but remain at 0 members.
Many targets used by active/enabled policies have 0 members when they should have many. The only way to get it to populate the targets are to go into them individually, while running the SMP Console as a member of Symantec Administrators, and manually update the target.
However, after the NS.Complete Resource Membership Update…” schedule runs the target is reduced to 0 members again.
There were two contributing factors: 1. The GUIDs of some of the affected targets were represented in table ResourceTargetOwnerTrustees, but the Security Trustee assigned to the targets (a security role) that did not have permissions, directly or inherited, to the targets. The permissions of its parent security role had somehow been lost, possibly via an upgrade. 2. Many of the affected targets were not represented in the table ResourceTargetOwnerTrustees, so they were skipped during the process. All targets and filters should be registered in the table. It is not known how many were no represented in the table.
The following query will show all existing targets that are not represented in ResourceTargetOwnerTrustees and should be.
select i.Name as [Target],iat.ResourceTargetGuid from ItemAppliesTo iat join Item i on i.Guid= iat.ItemGuid leftjoin ResourceTargetOwnerTrustees t on t.ResourceTargetGuid = iat.ResourceTargetGuid where t.ResourceTargetGuid isnull orderby 1
Using the SQL script below reassigned the security trustee for the filters to that of the Symantec Administrators role. The Symantec Administrators role is static in that it will always exist, and it has the permissions necessary to touch targets etc.
='2E1F478A-4986-4223-9D1E-B5920A63AB41'-- Symantec Administrators
from ResourceTargetOwnerTrustees t
join ItemClass ic
If the query in factor #2 returns any rows then run the following SQL cursor script against the database. It will insert targets not represented in ResourceTargetOwnerTrustees into the table, and assign the role Symantec Administrators as their security trustee.