Bulk Copy Machines from AD to a Group Outside of AD?

  • 1.  Bulk Copy Machines from AD to a Group Outside of AD?

    Posted Jul 12, 2013 10:18 AM

    Morning all,

    Does anyone know of a way to bulk copy a list of machines that are scattered all over our AD (we have lots of different OUs and sub-OUs) into a single SEPM group that is above (outside of) AD? The only thing these machines have in common is that they are running a certain application. I searched by application and found the machines, but don't know how to move them en masse.

    The method can be via the console or direct SQL, whatever works.

    Having to do 2000+ machines 1 by 1 is becoming very tedious.

    Thanks for any suggestions,

    -Mike



  • 2.  RE: Bulk Copy Machines from AD to a Group Outside of AD?

    Trusted Advisor
    Posted Jul 12, 2013 10:20 AM

    Hello,

    A client shown in AD cannot be moved in SEPM; it will display the client in SEPM once you have synced it. After that you can push the SEP client to that computer.

    If you have integrated AD in SEPM by AD sync, you will get the same structure that you have in AD. You cannot move the clients from an AD group to a SEPM group.

    That is not possible. There is no need to restructure our AD in order to accommodate SEP.

    Create the same AD structure in SEPM with the groups. By this you should be able to move clients into a SEP group that will allow you to apply different policies to these specific SEP groups’ machines.

    Policies will be created and assigned in the SEPM.

    Check this Article -

    Installing clients with Active Directory Group Policy Object

    http://www.symantec.com/docs/HOWTO81177

    Check these Threads with similar issue:

    https://www-secure.symantec.com/connect/forums/move-back-sepm-groups-ad-structure

    https://www-secure.symantec.com/connect/forums/move-client-group-active-directory

    Hope that helps!!



  • 3.  RE: Bulk Copy Machines from AD to a Group Outside of AD?

    Posted Jul 12, 2013 10:28 AM

    Use the moveclients.vbs script

    It is located on the ISO under the NoSupport folder.



  • 4.  RE: Bulk Copy Machines from AD to a Group Outside of AD?

    Posted Jul 12, 2013 10:32 AM

    If AD integrated, the client will report to that OU only.

    If you want to move clients between SEPM you can use this utility.

    How do I move a large number of SEP clients to a new group at once?



  • 5.  RE: Bulk Copy Machines from AD to a Group Outside of AD?

    Posted Jul 12, 2013 10:51 AM

    Hi Brian,

    Thanks for the tip...but after reading the instructions, I'm not clear if this is what I need.

    The computers in question are within our active directory, because of this, at least when doing it manually, we cannot "Move" machines around the AD structure or out of AD, we can on the other hand, "Copy" a machine, essentially alias it "temporarily" to another group outside of AD so as to apply custom policies.

    This tool appears to only Move machines, I need to copy the machines to the new group so that when I'm done with them, I can just delete the object from the group and it will drop back down into AD where it belongs.

    Bottom line, if I run this utility, will it actually just "Copy" the AD machines to the new group? Not try and move them?

    Hope this makes sense.

    -Mike

    P.S. GO BLACKHAWKS!!!



  • 6.  RE: Bulk Copy Machines from AD to a Group Outside of AD?

    Posted Jul 12, 2013 10:55 AM

    Mithun,

    Thank you for the reply...as I mentioned in my original post, I am trying to Copy machines in AD to a Group outside of AD, not Move them. I can do it manually via the console, but as I mentioned, it is very time consuming.

    If the VBS script below can do a Copy, and not a Move on the AD machines...then I'm in good shape.

    -Mike



  • 7.  RE: Bulk Copy Machines from AD to a Group Outside of AD?

    Posted Jul 12, 2013 11:15 AM

    Ok...from the MoveClient.pdf

    "MoveClient.vbs is a Visual Basic script which, when properly configured, will move one or more clients from a SEPM group to another group of your choice based on the hostname, username, IP address or operating system of the client."

    I think the highlighted part is my downfall, from one SEPM "Group" to another "Group". I believe "Copying" from an AD OU to a SEPM "Group" is not supported.

    Any other suggestions...a straight SQL command that will get the job done?

    Thanks again for all the replies thus far!

    -Mike



  • 8.  RE: Bulk Copy Machines from AD to a Group Outside of AD?

    Trusted Advisor
    Posted Jul 12, 2013 11:26 AM

    Hello,

    That is not possible.

    There is a need to restructure our AD in order to accommodate SEP clients.

    Copying the clients would be like duplicating them in different groups and clients cannot report to groups at the same time.

    Hope that helps!!



  • 9.  RE: Bulk Copy Machines from AD to a Group Outside of AD?

    Posted Jul 12, 2013 11:37 AM

    Hey Mike,

    In my experience with it, they are moved, not copied.

    yes



  • 10.  RE: Bulk Copy Machines from AD to a Group Outside of AD?

    Posted Jul 12, 2013 01:05 PM

    The purpose of integrating AD OU with SEPM is to have your previous groups without needing to recreate.

    By doing this it's easy to assign policy.

    If you want to move clients to a diff group, then move those in AD to a diff OU.

    Then assign the different policy in SEPM.

    No matter what you do, once integrated with AD they always move to their respective OU in the SEPM.

     



  • 11.  RE: Bulk Copy Machines from AD to a Group Outside of AD?

    Posted Jul 12, 2013 01:43 PM

    SEPM isn't very flexible in this regard. You either integrate it into AD, in which case you have to move machines around in AD to move them in SEP or you break the integration with AD, in which case you can arbitrarily create folders and move them around at whim.

    Symantec hasn't yet come up with a mechanism to be more flexible - and I agree that re-arranging your AD to make an antivirus vendor's product happy is not (IMHO) a valid directory design criterion.

    Symantec still hasn't dealt with the problem that a computer account can only be part of one OU. Since they're using Microsoft's AD, they should take a page from the Group Policy team and develop a more layered and granular approach like the GP team did.

    I find that the AD sync makes managing simple AD structures vastly easier, but its limitations make it chafe in a more complex arrangement. I personally prefer not to use the AD sync because of this. It's not a great solution, but it might be least-bad in your case.