Hi,
When a client is moved manually (or with the SylinkDrop or SylinkReplacer tools), it must first be deleted from Symantec Endpoint Protection Manager. After the client has been deleted, use the SylinkDrop or SylinkReplacer tool to apply the new Sylink.xml.
The database still has a reference for the client belonging to the original group, so when it checks in, the database places it into the group where last knew the client to exist.
Another way of interpreting this is that clients cannot dictate what group they belong to, instead, the manager determines group membership as it is based off a record in the database. That record must be expunged before a new group assignment can be applied.
To resolve this try the following : -
Delete the client from the Symantec Endpoint Protection Manager and then drop the new sylink.xml file.
-------------------------------------------------------------------------------------------------------------------------------------------
For detailed instructions see How to move Symantec Endpoint Protection clients to a different group...
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008020615383348