What are the steps to set up an account for a helpdesk administrator who is only allowed to take control of devices located in a specific geo?
This how-to focuses on setting up an administrator group whose members should only see, and have access to, devices from Mexico. The following steps may vary a bit for you, depending on your environment and what you are trying to achieve. For example, you could have chosen to add your administrators manually into the administrator group you want to grant rights to, whereas I have chosen to synchronize the administrator group from the AD. You could also have set up your OUs differently, etc.

0- Create Organizational Units by Geo:
Chances are that something similar is already set up in your Active Directory server, but if it isn't, you should do it now. This is what mine looks like:

1- Synchronize your Device Groups:
For this how-to, I have decided to organize dynamic device groups by geo under a parent static device group called "_By Geo". I did that to differentiate these specific device groups from the other types of device groups I would create in the future.
1.1 Go to the node "Device Groups"
1.2 Right click then click on "Create Device Group..." - Do not rename the device group; it will be renamed properly when you synchronize the device group with the Active Directory
1.3 Select the device group in the console then go to the sub-node "Dynamic Population" > "Directory Server"
1.4 Right click, then click on "Assign Server..."
1.5 Select the OU you want to synchronize with this device group then click on OK, then OK again and finally on "Yes" and "Close". You will obtain something similar to this:
1.6 Go through steps 1.2 to 1.5 again for each device group you need to synchronize from your AD
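As an added example (not part of the original article, and not a BCM feature), the script below prepares the AD side that steps 0 and 1 rely on, and that step 2 reuses for the administrator group: it creates a per-geo OU layout and then lists the computers and users each OU contains, so you can check what the device group and administrator group will receive before you assign the OU in the console. The OU layout (OU=_By Geo > OU=<Geo> > OU=Computers / OU=Admins) is an assumption inferred from the synchronized names the article shows, such as "Computers.Mexico._By Geo.Support-1-BCM.local"; adjust it to your own directory. It requires the ActiveDirectory module from RSAT and rights to create OUs in the domain.

```powershell
# Added example: create the per-geo OU layout synchronized into BCM device and
# administrator groups, then show what each OU will contribute to the sync.
# Assumed layout: OU=_By Geo > OU=<Geo> > OU=Computers and OU=Admins (assumption).
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=Support-1-BCM,DC=local
$geos     = @('Mexico')                         # add other geos as needed (assumption)

# Create an OU under $Path only if it does not already exist and return its DN.
function Initialize-GeoOu {
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        # Protect against accidental deletion: deleting the OU would empty the
        # synchronized BCM group and silently remove the helpdesk scope.
        $existing = New-ADOrganizationalUnit -Name $Name -Path $Path `
                        -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $existing.DistinguishedName
}

$byGeoOu = Initialize-GeoOu -Name '_By Geo' -Path $domainDn

foreach ($geo in $geos) {
    $geoOu       = Initialize-GeoOu -Name $geo        -Path $byGeoOu
    $computersOu = Initialize-GeoOu -Name 'Computers' -Path $geoOu
    $adminsOu    = Initialize-GeoOu -Name 'Admins'    -Path $geoOu

    # Pre-sync check for step 1: these computers will populate the device group
    # once $computersOu is assigned to it in the console. Anything missing here
    # (a laptop left in the default Computers container, for instance) will be
    # invisible to the geo's helpdesk administrators.
    Write-Host "Computers that will populate the $geo device group:"
    Get-ADComputer -Filter * -SearchBase $computersOu -SearchScope Subtree |
        Select-Object -ExpandProperty Name

    # Pre-sync check for step 2: these users will become members of the geo's
    # administrator group. Review the list before granting remote control rights.
    Write-Host "Users that will populate the $geo administrator group:"
    Get-ADUser -Filter * -SearchBase $adminsOu -SearchScope Subtree |
        Select-Object -ExpandProperty SamAccountName
}
```

Run it from an account that can create OUs, then assign the resulting "Computers" OU in step 1.5 and the "Admins" OU in step 2.5. Re-running the script is safe: existing OUs are left untouched and only the listings are repeated.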
2- Synchronize your Administrator Groups:
Synchronize the administrator groups by geo.
2.1 Go to the sub-node "Global Settings" > "Administrator Groups"
2.2 Right click then click on "Create Administrator Group..." - Do not rename the administrator group; it will be renamed properly when you synchronize the administrator group with the Active Directory
2.3 Select the administrator group in the console then go to the sub-node "Dynamic Population" > "Directory Server"
2.4 Right click, then click on "Assign Server..."
2.5 Select the OU you want to synchronize with this administrator group then click on OK and OK again. You will obtain something similar to this:
2.6 Select the type of authentication and the login type you want your administrators to use to authenticate to the console, then click "OK" and finally "Close":
2.7 Go through steps 2.2 to 2.6 again for each administrator group you need to synchronize from your AD

3- Create a query to list the device group(s):
The administrators from the administrator group Admins.Mexico._By Geo.Support-1-BCM.local will not see the device group Computers.Mexico._By Geo.Support-1-BCM.local unless a query is set in the dynamic objects of the administrator security profile.
- Go to the node "Queries"
- Right click and click on "Create Query..."
- Create a query of the type "Device Group"
- Click on the attribute "Name", set it to "Equal to" and finally set its value to "Computers.Mexico._By Geo.Support-1-BCM.local"

4- Configure the security profile:
There are three tabs to configure in the security profile settings of an administrator (group):
4.1 Capabilities:
- Set the "View" capability on the objects "Device" and "Device Group", else your administrator will not be able to see any device (group)
- Set the "View" and "Manage" capabilities on the objects below:
Notes:
- If you don't set the "Manage" capability on the "Remote Control" object, your administrators will only be able to start a remote session and watch what is displayed on the target screen; they will not be allowed to interact with it.
- The objects "Direct Access" and "File Transfer" are set to "View" and "Manage" because helpdesk administrators usually also need to access, and probably download or edit, files on the targets, and to view the registry and the Windows service statuses. If your administrators really must only be able to take control of devices, it is not mandatory to set these.
- It is not mandatory to set the "Manage" capability on the other objects, nor the "View" capability, but it is what customers usually set for this type of administrator.
- The object "Agent Configuration" is set to "View" only to work around a defect in 12.6 (DRZKZ-1985). This capability won't be mandatory starting from 12.7.

4.2 Static Objects:
In most cases, refining rights should be done in the dynamic objects, not in the static objects tab. Basically, only top nodes should be set in the static objects tab of your administrator groups. Here I had to add the device group folder "_By Geo" in addition to the top node "Device Group", else the device group Computers.Mexico._By Geo.Support-1-BCM.local would not display:
Note that only "Read Access" is set on these objects, as the type of administrator this KA covers is not supposed to be able to create or edit existing device groups.

4.3 Dynamic Objects:
This is probably the most important section of a security profile, as it allows you to fine-tune the objects that your administrators will be allowed to display and interact with. These objects will mostly be displayed from the results of your queries.
- Right click then click on "Add Results of Query..." and select the query you created in step 3: "Mexico Device Group Computers". This will display the device group Computers.Mexico._By Geo.Support-1-BCM.local in the console.
- Right click then click on "Add Members of Device Group..." and select Computers.Mexico._By Geo.Support-1-BCM.local. This will display the members of the device group Computers.Mexico._By Geo.Support-1-BCM.local in the console.
Notes:
- Direct Access and Remote Control Acknowledgement are both set to "Not Required" for testing purposes only. Usually these are set to be required, at least if the user is absent or no one is connected. It is even mandatory for these to be set to required in some countries, such as France.
- Displaying the members of the device group Computers.Mexico._By Geo.Support-1-BCM.local could also have been done from the results of a query listing the members of this device group, but you would then have had to go through one extra step: creating a dedicated query.
- Setting a device group as a dynamic object is not sufficient to display and access its members; you will also have to use the results of a query or "Add Members Of Device Group..."
- The same applies to object folders (e.g. Device Group Folder).

5- Login as a member of this administrator group:
This screenshot shows which (sub)nodes the administrator should see and a remote control session:
This screenshot shows the search results: there are dozens of other devices whose names contain "sp" on this master, but they are not members of the device group Computers.Mexico._By Geo.Support-1-BCM.local and are therefore not displayed.