Active Directory issue

Created: 28 Dec 2007 • Updated: 21 May 2010 | 7 comments
I was curious if there is a way to get imported Active Directory users to connect correctly to SEPM? I've tried importing the users/groups through Active Directory, which works fine. Though when I install SEP to certain computers through either "migration" or "un-managed search", the computer itself gets the green light and works perfectly. Yet, when I log into that client computer as one of the imported Active Directory users, on the SEPM console the imported users never change. It simply just says they haven't connected. The only thing that does change is on the client list for "login client" to whomever is logged in.
I noticed I can just change to "user-mode" and the logged in users get added then. But that does make the whole Active Directory import completely useless. This same issue also occurs when I add the users manually. Is there a workaround or perhaps I'm doing something wrong?

lawman 2's picture
I’m a little confused on what you are trying to accomplish. I think what you are seeing is by design. Keep in mind the SEP policies can only be applied to groups, not users. Active Directory OUs get imported as groups. So if all your PCs and users are in the same OU then there is no benefit to using user mode.
When the client is in computer-based mode, the client uses the policy of the group to which the computer belongs. The applied policy is independent of who logs on to the computer.
If you switch from computer-based mode to user-based mode, consider the following issues:
• The log on user name is not already contained in any group. Switching to user-based mode deletes the computer name of the client from the group. It then adds the user name of the client into the group.
• The log on user name of the client and of the computer name are both in the same group. Switching from computer-based mode to user-based mode deletes the computer name from the group. The client takes on the user name.
• The computer name of the client is contained in a different group from the user name. Switching to user-based mode changes the group of the client to the user’s group. A pop-up message informs you of the group's name change.
If you do import AD users and use user mode you can base your security off of AD groups, which might be helpful.

See chapter 25 in the Admin guide for more information or post info on what you would like to accomplish.
kurrier's picture
I was just trying to import AD users to easily manage a policy through SEPM. Basically so I could have more of a user based policy instead of a computer one. Then could have the possibility to set certain users with different privileges instead of computers. For example, it would be kind of useless to have a certain computer with USB unlocked when any user would have the ability to log on to that certain computer and make use of that function. Now if there is a way to import the AD users so they actually connect to SEPM when a client is installed on their computer. And I've read through the manual, followed all the steps, and nothing seems to resolve the issue.
Paul Murgatroyd's picture
When the computers appear in SEPM the first time, you need to switch them to user mode by right clicking the computer itself. From that point on they will use policies from the group the logged in user belongs to.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection

kurrier's picture
Yes, I know that works fine; switching from computer-user mode, thus getting working user accounts added that way. Yet, that makes the whole AD import useless.
lawman 2's picture

I think you're missing the point. If you don’t import the Active Directory or create users, when you switch to user mode and a user logs in, the SEPM manager will create the user in the same group as the computer account and not change anything. Say if you imported the OUs IT-Group, HR-Group, Normal-users, and PCs. When the client connects the first time and SEPM finds a matching machine name in the PC OU, that’s where the machine will be placed and the policy for that group will be applied. Or if you exported a package and installed it on a client with the location of the PC group, it would show up there and that policy would be applied. Now if you switch to user mode and Sue logs in, SEPM looks to see where Sue belongs. If Sue was part of the HR-Group (imported OU), SEPM will switch the client to the HR-Group and apply the policy for that group. If you did not import AD and Sue logged in, SEPM would not be able to find a user, so a user account would be created in the same group the PC was in and it would delete the PC account, not really accomplishing anything since the same policy would be applied.

kurrier's picture
Ok, I managed to get AD import working with a single computer account. Think I figured out the issue, just had to import AD before installing package on clients. I'll have to mess with it more for users though.