Some client computers run in User Mode instead of Computer Mode when Symantec Endpoint Protection Manager is synched with Active Directory

Article:TECH131749  |  Created: 2010-01-16  |  Updated: 2010-01-09  |  Article URL http://www.symantec.com/docs/TECH131749
Article Type
Technical Solution


Issue

Symptoms
- Symantec Endpoint Protection Manager is synched with Active Directory.
- Customer imported user objects and computer objects when synching with Active Directory.
- Customer installed Symantec Endpoint Protection clients in Computer Mode.
- Some of the clients appear in User Mode instead of Computer Mode.
- There are duplicate entries for the same client: one entry is for the client in User Mode, and the other is for the client in Computer Mode.
- The entry for the client in Computer Mode is off-line, while the entry for the client in User Mode is on-line.


Solution



There are two possible solutions.

Solution 1: Remove Active Directory Synching, and organize clients by Client Group
  1. Completely remove Active Directory Synching from Symantec Endpoint Protection Manager. This will move all clients into the Default Group.
  2. Switch all of the clients over to Computer Mode.
  3. Rebuild the client groups using Symantec Endpoint Protection Manager. (Do not synch back up with Active Directory.)
  4. Move the clients into the right client groups.
  5. Reapply your policies to the right client groups.

Solution 2: (This solution might require changing your Active Directory structure. It will not fix other Active Directory synching issues that might happen in the future.)
  1. Completely remove Active Directory synching from Symantec Endpoint Protection Manager. This will move all the clients into the Default Group.
  2. In Active Directory, make sure that your user objects and computer objects are separated into different OUs. (This is required to fix this issue.)
  3. Sync Symantec Endpoint Protection Manager with Active Directory. Import only OUs that contain only computer objects. (No user objects should be imported into Symantec Endpoint Protection Manager.)
  4. As the clients check in they should be moved from the Default Group into their proper client group.
  5. All the clients should now only run in Computer Mode.
  6. Reapply your policies to the right client groups.
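
The following PowerShell is an added example, not part of the original Symantec article. It supports steps 2 and 3 of Solution 2 by reporting which containers hold user objects, computer objects, or both; the function name Get-OuObjectMix, the example.local domain and the sample objects are constructed for illustration.

```powershell
function Get-OuObjectMix {
    param(
        # Any object with DistinguishedName and ObjectClass (e.g. Get-ADObject output).
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$InputObject
    )
    begin { $counts = @{} }
    process {
        $class = [string]$InputObject.ObjectClass
        if ($class -notin 'user', 'computer') { return }   # ignore groups, contacts, etc.
        # Parent container = DN minus its first RDN; escaped commas (\,) stay in the RDN.
        $parent = $InputObject.DistinguishedName -replace '^(?:\\.|[^,\\])+,', ''
        if (-not $counts.ContainsKey($parent)) { $counts[$parent] = @{ user = 0; computer = 0 } }
        $counts[$parent][$class]++
    }
    end {
        foreach ($ou in ($counts.Keys | Sort-Object)) {
            $c = $counts[$ou]
            if ($c.user -gt 0 -and $c.computer -gt 0) { $verdict = 'MIXED: separate before import' }
            elseif ($c.computer -gt 0) { $verdict = 'computers only: can be imported' }
            else { $verdict = 'users only: do not import' }
            [pscustomobject]@{ Container = $ou; Users = $c.user; Computers = $c.computer; Verdict = $verdict }
        }
    }
}

# Constructed sample standing in for live directory data (example.local is hypothetical).
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=PC-001,OU=Workstations,DC=example,DC=local'; ObjectClass = 'computer' }
    [pscustomobject]@{ DistinguishedName = 'CN=PC-002,OU=Workstations,DC=example,DC=local'; ObjectClass = 'computer' }
    [pscustomobject]@{ DistinguishedName = 'CN=Smith\, John,OU=Staff,DC=example,DC=local';  ObjectClass = 'user' }
    [pscustomobject]@{ DistinguishedName = 'CN=PC-003,OU=Staff,DC=example,DC=local';        ObjectClass = 'computer' }
    [pscustomobject]@{ DistinguishedName = 'CN=Jane Doe,OU=Accounts,DC=example,DC=local';   ObjectClass = 'user' }
)
$sample | Get-OuObjectMix | Format-Table -AutoSize

# Against a live domain (assumes the ActiveDirectory module from RSAT is installed):
# Get-ADObject -LDAPFilter '(|(objectCategory=computer)(&(objectCategory=person)(objectClass=user)))' |
#     Get-OuObjectMix | Format-Table -AutoSize
```

With the sample data, OU=Staff is reported as MIXED, OU=Workstations as computers only, and OU=Accounts as users only.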





Technical Information
Microsoft recommends keeping user objects and computer objects in different OUs:

http://technet.microsoft.com/en-us/magazine/2008.05.oudesign.aspx
http://technet.microsoft.com/en-us/library/cc783140(WS.10).aspx



Legacy ID: 2010041609473848

