Symantec Administrators (2E1F478A-4986-4223-9D1E-B5920A63AB41) doesn't appear in this string until character 353+ which means that it was cut off before any role membership with any permissions could be evaluated against computers the console user can see.
This is a minor defect that has been reported.
This issue has been reported to the Symantec Development team. A fix has been included under the ITMS 8.5 RU2 release.
In the meantime as workaround:
Two options got around the problem.
Removed the user from all roles but Symantec Administrators. However, if the user is a member of security groups in AD, and those groups are imported via an import rule, then the membership dillemma will come back.
ALTER sp_SetupGetComputers to allow @Trustee to accept (max) (run SQL query from attached file "Alter sp_SetupGetComputers.sql" against the database.)
Added a section to spGetTrusteeMembership which tested for membership of Symantec Administrators and, if membership existed, it returned the following three role GUIDs only (run SQL from attached file "Alter spGetTrusteeMembership" against the database)