
Deleted AD Computers still showing in report as out of date

Created: 11 Mar 2013 | 19 comments

Computers that are removed from AD are still being listed in the Endpoint reports as having out of date definitions even though they no longer exist.

This is therefore giving an inaccurate report, any suggestions?

I've checked that directory sync is on and set to 24 hours.

cheers

Darren


.Brian wrote:

What version of SEPM are you running?

SebastianZ wrote:

Are you using the SQL database? Possibly the computer entries have not been cleaned up from there yet.

Here is a similar case, but on SEP 11.x:

https://www-secure.symantec.com/connect/forums/sep...

netmgr wrote:

I suspect we are using the inbuilt database; it's listed as

Embedded (SQL Anywhere)

SMLatCST wrote:

The closest I can find to an article relating to this is below:

http://www.symantec.com/docs/TECH159592

Do the described icons apply to your environment?

netmgr wrote:

The ones I've been testing all seem to appear under the tree of 'Default Group' rather than in an OU. Does that give any clues?

I can't be certain that's the case for all, but it is for the ones I've looked at, and I can indeed delete them manually, but that's not ideal.

netmgr wrote:

Rather oddly, there are computer accounts in the same group that are listed as being online, which they are, but not listed in AD...

EDIT: not strictly true. It seems that the pre-Windows 2000 name is what's in AD; it's the DNS name that's in SEPM, and in this case the two were different. So there are live machines in the Default Group that don't accurately reflect their correct OU.

Rafeeq wrote:

Right-click on the OU in SEPM and select Sync Now. You should get only those that are in AD; the others will end up in Default.

netmgr wrote:

Can you clarify 'others will end up in default'? Are you saying that if we delete a computer it will go into Default?

How does it leave Default? Do we have to do that manually? Because there aren't enough in there to justify that idea; we have removed far more than what's in that group currently.

Should the sync not happen on schedule every 24 hours? Because these machines we are discussing have long been deleted.

Sync Now is greyed out...

Rafeeq wrote:

Managed Symantec Endpoint Protection (SEP) Client appears in Default Group instead of Active Directory Organizational Unit (OU) in the Symantec Endpoint Protection Manager (SEPM)

http://www.symantec.com/business/support/index?page=content&id=TECH95924

When you delete an OU in SEPM, all the clients will report to the Default Group. If you add them back, they will report to their respective OU.

I think the Sync setting will be on your top-most OU.

It should delete as per the setting to delete after X days under server settings, but I'm not sure why it's not doing that. Are you using the embedded or SQL DB?

Rafeeq wrote:

You can try this manual data sweep

After you have performed this task, the log entries for all types of logs are
saved in the alternate database table. The original table is kept until the next
sweep is initiated.

http://www.symantec.com/business/support/index?pag...

netmgr wrote:

We're on embedded, and I don't see a setting for delete after so many days.

Rafeeq wrote:

I was referring to this:

Admin => Servers => Localhost => Edit Database Properties => General
Delete clients that have not connected for XX days.

SMLatCST wrote:

Generally speaking, if you have an AD Sync'ed group in the SEPM, then delete the group without doing anything to the clients themselves, when those clients next check in they will drop into the "Default Group".

Similarly, if a computer account in a synced AD OU is deleted, but the computer itself is still on and still has SEP installed, then it too will move into the "Default Group" in the SEPM.

Is it possible the computer accounts were deleted from AD before the computers themselves were decommissioned?

netmgr wrote:

It's possible they were used again after being deleted from AD.

I'm starting to think this is something to do with our ghosting process. I'll need to dig deeper.

SMLatCST wrote:

As you are on SEP12.1RU2, the "Delete clients that have not connected for specified time" setting is now under ADMIN -> Domains -> Domain Properties.

However, these should only really take effect for non-AD synced groups.

Ideally, for AD synced groups, the computer in question has had SEP removed from it (or been wiped) first, before its computer account is deleted from AD and synced back to SEPM.

Does this match your general processes? If so, a record for the computers in question should not have appeared within the "Default Group" on the SEPM, and we'll need to look a little deeper.

netmgr wrote:

I don't see an option for domains under Admin.

We don't remove SEP from clients before decommissioning them; that would be extremely time consuming for a machine that is due to be destroyed.

SMLatCST wrote:

Yup, essentially if the SEP Client on a machine manages to connect to the SEPM after the computer record has been deleted from AD (and subsequently the AD Sync'd group in the SEPM), then it will drop into the "Default Group".

At this point, even if the machine is blown to smithereens, the computer record will remain in the "Default Group" until the "Delete clients that have not connected for specified time" threshold is reached. See the below article for the old and new locations of this setting:

http://www.symantec.com/docs/TECH176635
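Two points in the thread lend themselves to a quick reconciliation check before trusting the "out of date" report: the pre-Windows 2000 name in AD can differ from the DNS name SEPM records (netmgr's edit above), and a record in the "Default Group" only disappears once the "Delete clients that have not connected" threshold is reached (SMLatCST's last reply). The script below is an added example, not code from the thread or from Symantec; it assumes you have exported the SEPM client list and the AD computer objects (for instance to CSV) and loaded them into the two lists shown, which here hold constructed sample data. It classifies each SEPM client as present in AD, a stale orphan that the purge threshold will eventually remove, or a live orphan that is still checking in without a matching AD account and therefore needs a closer look.

```python
from datetime import date, timedelta

# Constructed sample data (not real hosts). AD export: sAMAccountName carries the
# pre-Windows 2000 name with a trailing '$'; dNSHostName is the DNS name.
AD_COMPUTERS = [
    {"sAMAccountName": "WS-ACCT01$", "dNSHostName": "ws-acct01.corp.example"},
    # Renamed after imaging: the two names no longer agree.
    {"sAMAccountName": "LAB-IMG07$", "dNSHostName": "lab07-reimaged.corp.example"},
]

# Constructed SEPM client export: SEPM stores the DNS name and the last check-in.
SEPM_CLIENTS = [
    {"computer_name": "ws-acct01.corp.example", "group": "My Company\\Finance", "last_checkin": "2013-03-10"},
    {"computer_name": "lab07-reimaged.corp.example", "group": "My Company\\Default Group", "last_checkin": "2013-03-11"},
    {"computer_name": "ws-old42.corp.example", "group": "My Company\\Default Group", "last_checkin": "2012-11-02"},
    {"computer_name": "ws-temp09", "group": "My Company\\Default Group", "last_checkin": "2013-03-09"},
]


def normalize_host(name):
    """Reduce either name form to a comparable short host name.

    Strips the trailing '$' of a sAMAccountName, drops any DNS suffix and
    lower-cases the result, so 'WS-ACCT01$' and 'ws-acct01.corp.example' match.
    """
    return name.rstrip("$").split(".")[0].lower()


def ad_name_index(ad_computers, attributes=("sAMAccountName", "dNSHostName")):
    """Build the set of short host names known to AD under the chosen attributes.

    Indexing only sAMAccountName reproduces the false 'not in AD' result the
    thread describes when the DNS name was changed after the account was created.
    """
    names = set()
    for computer in ad_computers:
        for attribute in attributes:
            value = computer.get(attribute)
            if value:
                names.add(normalize_host(value))
    return names


def classify_clients(sepm_clients, ad_computers, today, delete_after_days,
                     attributes=("sAMAccountName", "dNSHostName")):
    """Sort SEPM client records by their relationship to AD and the purge threshold.

    today            -- ISO date string used as the reference point
    delete_after_days -- mirrors SEPM's 'Delete clients that have not connected
                         for XX days' setting (a value you configure, not read here)
    Returns a dict of short host names under 'in_ad', 'orphan_stale' and
    'orphan_live'; order follows the input list.
    """
    known = ad_name_index(ad_computers, attributes)
    cutoff = date.fromisoformat(today) - timedelta(days=delete_after_days)
    result = {"in_ad": [], "orphan_stale": [], "orphan_live": []}
    for client in sepm_clients:
        host = normalize_host(client["computer_name"])
        last_seen = date.fromisoformat(client["last_checkin"])
        if host in known:
            result["in_ad"].append(host)
        elif last_seen < cutoff:
            # Gone from AD and silent past the threshold: SEPM's own purge removes it.
            result["orphan_stale"].append(host)
        else:
            # Gone from AD but still checking in: a reused or re-imaged machine.
            result["orphan_live"].append(host)
    return result


if __name__ == "__main__":
    report = classify_clients(SEPM_CLIENTS, AD_COMPUTERS, "2013-03-11", 30)
    for bucket, hosts in report.items():
        print(f"{bucket:13s} {', '.join(hosts) or '-'}")
```

Running it with both AD attributes indexed puts the re-imaged lab machine in `in_ad`; passing `attributes=("sAMAccountName",)` instead turns it into a live orphan, which is exactly the mismatch netmgr hit. The stale orphan is the record the purge threshold will clear on its own; the live orphans are the ones worth tracing back to the imaging process.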