AD Sync - still have random clients in "default group"
With the exception of a few servers that are not imported from AD, every single OU from AD is imported into SEPM. Everyday, about 50 clients roam in and out of the "default group". The clients act normally otherwise, they receive policies (as assigned to the "default group"), detect issues, update as expected, etc. I just cannot figure out why they "roam" back and forth to the default group. Not always the same exact clients do this.... I am saying that there is always about 50 clients in the default group when I would expect there would be none, as all these clients are legitimate members of a different OU.
I've tried modifying the group membership (in SEPM) by using the SYLINK, but it really has no effect - as I expect it wouldn't any way. The AD OU's are synced to SEPM, so that should take control, right? Am I missing something obvious on that issue?
I've read some links about deleting files on the client that will get automatically recreated upon sync, I've done that, but they still show up in the wrong SEPM group.
On any one particular client, if I just wait (days, sometimes many days), the client does seem to eventually move to the right group, but by then, different clients are doing the default group shuffle......
Comments
This has also been a problem
This has also been a problem for me as long as I can remember with no true solution.
One thing that did work for me was moving the client to a different AD group, one that was not synched with AD. Wait for replication to do its thing. Run a sync in SEPM. Then once it was removed from the SEPM, move the client back to an AD group that was synched with SEPM, wait for replication, then run the sync in SEPM again and it would then appear in the correct group in SEPM, no more Default group....real painful process but it worked.
Not sure if you've seen this already:
Managed Symantec Endpoint Protection (SEP) Client appears in Default Group instead of Active Directory Organizational Unit (OU) in the Symantec Endpoint Protection Manager (SEPM)
http://service1.symantec.com/support/ent-security....
You can also try replacing the sylink.xml file on the trouble client with one from the correct AD group
Using the "SylinkDrop" utility
http://service1.symantec.com/support/ent-security....
Endpoint Knowledge Base
Security Best Practices
The clients that are moving ,
The clients that are moving , they are in which mode?
I think they are in User mode??
What i think that can be done is:
1. You can run Move_Client Utlity from the No Support folder ( Only after removing the AD sync) ( This will change the clients to user mode and also move them to their respective group)
2. Block new clients to the Default group
Also you can have a look at the thread
https://www-secure.symantec.com/connect/forums/move-client-group-active-directory
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
All 7000 (approx) clients are
All 7000 (approx) clients are in computer mode.
Block the default group? Explain further please...
Right Click on Default Group
Right Click on Default Group --Properties--Block New Clients
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
If you block clients from
If you block clients from this group, where will they go?
I do have some clients that have to go in the default group because they are not in AD but instead a workgroup but still managed by the SEPM
Endpoint Knowledge Base
Security Best Practices
Brain , this is work around
Brain , this is work around that we provide , when we have clients moving from one group to another.
In your case you can block new clients to all groups accept the default group
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Would you like to reply?
Login or Register to post your comment.