Symantec Management Platform (Notification Server)

  • 1.  AD Import Erroneously Pulling in Servers

    Posted Oct 07, 2015 09:11 PM

    I'm running SMP 7.5 where AD Import is the only means I've enabled to pull in workstations.  However, I've had cases where servers somehow get included and end up getting the SMA on them.  Where OUs are concerned in AD, it's not like I can select just a Workstations OU so I rely on Altiris' AD Import option to only pull in workstations.  It's as though AD Import erroneously "thinks" some server objects are workstations instead.  Has anyone seen this behavior before?



  • 2.  RE: AD Import Erroneously Pulling in Servers

    Broadcom Employee
    Posted Oct 08, 2015 06:30 AM

    Hi Clint,

    The default 'workstation' vs 'server' filtering is based on 'operatingSystem' property of the AD entry for a computer.

    The search checks it for '*Server*' pattern, and if it's not there - the machine is treated as 'workstation'.

    In case this property is not in the customer's AD, or is not populated in that way, there is a possibility to get around the issue:

    * in the same filtering dialog, there is an "Advanced Import Constraints" input field with a checkbox

    * check it and specify your own LDAP filter to be used, based on whatever properties in your AD structure can be used to check whether a machine is a server or not...


    For example:

    (customPropertyName=*workstation*)

    You can use complex syntax with multiple checks if you are familiar with LDAP syntax:

    (!(&(operatingSystem=*server*)(machineLocation=secured basement)))

     

    Hope this helps,

    Juri.
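
Added example (not part of the original posts and not Symantec's code): a small Python evaluator for a subset of LDAP filter syntax, run over constructed computer entries, comparing the default rule as the post above describes it with a positive filter of the kind that could go into "Advanced Import Constraints". It assumes case-insensitive matching and that an entry lacking the attribute fails the test, so a negated test accepts it; the entries, `DEFAULT_RULE` and `POSITIVE_RULE` are constructed for illustration.

```python
import re

def parse(f, i=0):
    """Parse a subset of LDAP filter syntax: (&..) (|..) (!..) (attr=pattern)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    elif f[i:i + 1] == "!":
        kid, i = parse(f, i + 1)
        node = ("!", [kid])
    else:
        end = f.find(")", i)
        attr, sep, pattern = f[i:max(end, i)].partition("=")
        if end < 0 or not sep:
            raise ValueError(f"malformed test at offset {i}")
        node, i = ("=", attr.strip().lower(), pattern), end
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    if node[0] == "=":
        value = entry.get(node[1])  # assumption: an absent attribute fails the test
        rx = ".*".join(re.escape(p) for p in node[2].split("*"))
        return value is not None and re.fullmatch(rx, value, re.I) is not None
    results = [matches(kid, entry) for kid in node[1]]
    combine = {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]]
    return combine(results)

def select(filter_text, entries):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"] for e in entries
            if matches(node, {k.lower(): v for k, v in e.items()})]

COMPUTERS = [  # constructed sample entries, not taken from the thread
    {"cn": "WS-0101", "operatingSystem": "Windows 7 Enterprise"},
    {"cn": "APP-01", "operatingSystem": "Windows Server 2012 R2 Standard"},
    {"cn": "NAS-01"},  # operatingSystem never populated
    {"cn": "LNX-DB01", "operatingSystem": "CentOS"},
]
DEFAULT_RULE = "(!(operatingSystem=*Server*))"  # the rule as described in the post
POSITIVE_RULE = "(&(operatingSystem=Windows*)(!(operatingSystem=*Server*)))"
```

With these entries, `select(DEFAULT_RULE, COMPUTERS)` accepts WS-0101, NAS-01 and LNX-DB01, while `select(POSITIVE_RULE, COMPUTERS)` accepts only WS-0101.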



  • 3.  RE: AD Import Erroneously Pulling in Servers

    Posted Oct 08, 2015 08:49 PM

    I checked the server's object via AD Explorer where the operatingSystem property name does indeed include "server" in it.  I'm running early morning AD Imports where I deleted the server's entry from my Altiris database yesterday and it hasn't repopulated today.  I'll check again tomorrow and next week to confirm any servers don't show up again.

    I'm now wondering whether AD Import isn't to blame but instead the scheduled agent push is somehow grabbing the server name although from where?  Again, I haven't scheduled "Domain Membership/WINS Import" so curious how SMP is getting server names.

    Actually, I should mention that during this incident, only a single server was affected but in the past I've had up to 3 servers get the SMA by mistake.  Oddly they've been the same set of servers which kind of points to something off in their AD object properties.

    Oh...I had to redo my Agent Install target awhile ago.  It now starts with "All Resources" instead of "Computer".  If I'm to set it back to "Computer", can you please confirm that the entry under All Resources->Asset->Network Resource->Computer is the correct selection?  I needed to exclude some workstations from the agent push and since you can't edit the precanned target I was forced to delete and create a new one.  Could this be the problem?



  • 4.  RE: AD Import Erroneously Pulling in Servers

    Posted Oct 30, 2015 06:13 PM

    After suspending my automatic SMA pushes so just my AD Import job runs each night, there have been NO servers pulled into inventory.  This leads me to believe that the servers are somehow being introduced during the scheduled agent pushes.  At first I thought perhaps something was goofy in AD where some servers were tagged as workstations but if the nightly AD imports aren't pulling these same machines back into Altiris' inventory after I deleted them, don't think this is the case.

    My target filter starts with "Computer" then excludes resources not in "Windows Computers with no Symantec Management Agent Installed" then excludes resources in "SMP Client Exclusions" which is a simple filter that has a list of computers I don't want the agent pushed to.  Anyone see a problem with my target filter?



  • 5.  RE: AD Import Erroneously Pulling in Servers

    Broadcom Employee
    Posted Nov 03, 2015 04:32 PM

    Clint,

    You say your target is only excluding a list of some machines ('smp client exclusions') - does it (this list) contain the machines which you don't want to get the SMA pushed to?

    I wonder how you have defined this list? Because to do it, you have to have the computer resources in NS for these machines which you want to exclude. Where did they come from? What resource keys do they have?

    Juri.