Endpoint Protection

I have a lot of machines running in user mode, I need to convert them to computer mode. When I run moveclients.vbs to convert them I get this error:

::Get group structure metadata
::Failed::

then eventually

Failed to retrieve client list from database.

I found an article out here that discusses how to change the script to get a more exact error. So I did that and I got this awesome message:

::Error number - -2147217865

I called that number but it was a pizza place. (thats a joke)

Anyone have any ideas ? Anyone know how to change 1000 machines to computer mode without using this script ? (dont say manually)

Thanks,

Justin

Just some basic stuff like:

• DB type (SQL/Embedded)?
• if SQL, can you confirm from the SQL logs if there are any failed logon attempts for the account you configured in the VBS?
• Does the ODBC connection test successfully?
• Do you have SEP domain setup within your environment, and are the the groups that contain the user accounts you're looking to switch, in the "Default" SEP Domain?
• Which text file are you using and would you mind posting it?

Ta 

DB type (SQL/Embedded)?

SQL 2008 Stand alone

if SQL, can you confirm from the SQL logs if there are any failed logon attempts for the account you configured in the VBS?

I'll have to ask our DBA.

Does the ODBC connection test successfully?

Yes it does

Do you have SEP domain setup within your environment, and are the the groups that contain the user accounts you're looking to switch, in the "Default" SEP Domain?

Yes, Yes, Default SEP domain

Which text file are you using and would you mind posting it?

Dim DBUser : DBUser = "sa"
Dim DBPass : DBPass = "thisisfake"
Dim TempGroupName : TempGroupName = "Default Group"

'--------------------------------------------------------
'Other settings
'--------------------------------------------------------

Dim DomainName : DomainName = "%"
Dim OnlyCheckClientsInTempGroup : OnlyCheckClientsInTempGroup = False
Dim SilentMode : SilentMode = False
Dim EnableLogging : EnableLogging = True
Dim sLogFile : sLogFile = "MoveClients.log"
Dim ConnectionString : ConnectionString = "DSN=SymantecEndpointSecurityDSN;UID=" & DBUser & ";PWD=" & DBPass

(Everything else is the same)

SwitchClientGroups.txt

ToComputer,Test Group

Thanks,

Justin

...Have you tested this out for a group that has no spaces in is namet?  Also, what version of SEP are you using?

No I havent, but I'll give it a shot.

My DBA thinks he's narrowed down the query that fails:

 sql = "Select CONTENT from BASIC_METADATA where TYPE = 'SemClientGroupTree' and DOMAIN_ID = '" & DomainID & "';"
 'LogEvent(" ::Group structure metadata Query: " & sql & vbCRLF)

From a wireshare trace I can see the query. Every time DomainID is referenced it shows:

DOMAIN_ID = '';E~#Invalid object name

It's weird because my DBA can see queries from DOMAIN_ID responding with the correct value.

I'm wondering if I can hard code the Domain_ID in the script. Maybe whatever process the script is trying to gather DOMAIN_ID is failing, therefore breaking the script ?

Justin

If you remove the comment from the LogEvent line, you'll get the effective SQL command the vbs script generated. This may be interesting because the script is perhaps failing in retrieving the domain id.

Hi,

have those clients been deployed in computer mode?

If yes, this is their preferred mode. You can then use the "search clients" in the Clients panel to find all User accounts (select User on the top-left dropdown list and use the * to get all of them); make multiple selections and delete all of them, you will spend few minutes to do it even for 1000 clients; after that, all clients will register again in the SEPM according to their preferred mode, i.e. in computer mode. No reason to waste time with complex tools when an easy solution is available.

Beppe,

I like that idea but when I search, I get 445 pages of results. That'll take more then a few minutes to clear them all. Anyway to change the paging so I can get more then 30 results per page ?

Justin

...via the filter button near the top-right within the Clients section.  There's a "Results per page" option at the bottom which is where you can increase it.

thanks but that filter button doesnt affect results in the Search Clients window.

Hi,

so, do you have more than 12,000 clients in user mode? How many clients are still in computer mode?

Try this different approach:

1) go to the Clients panel and manually browse your groups, try to find those where there are most of clients in user mode

2) on top-right corner, select "only users" and increase the number of results per page

3) make a big multiple selection and delete all

4) when you feel you have deleted most of those user accouts, use Search Clients to find the rest and delete them

I see what you mean. Ok, I deleted them all but some keep coming back. Does that mean they were deployed in user mode ? All my installs are computer mode.

THanks,

Justin

If clients are coming back into user mode, try the following:

Clients > [Group] > Policies > Communication Settings > Under "Reconnection Preferences" disable "Use the client's last User mode / Computer mode setting".

However, this setting only exists if you have SEP 11 RU6 or later.

You still didn't answer SMLatCST's question for your SEP version

Sorry, SEPM is 12.1 RU1 MP1, Clients are a mix of 11.6 and 12.1. I'll give that a shot.

Justin

That's strange...

keep deleting them...

In simple words, it works in this way:

- if the account (computer or user) already exists into the DB, use it (regarless preferences on the client)

- if the account does not exist, use the last used group/mode (if enabled)

- if the "use last used group/mode" feature is disabled, use the preferred ones.

So, the possible reasons of having those clients back in user mode are:

a) not all user accounts have been deleted

b) the "use last used mode" is enabled for the preferred group

c) the preferred mode (set at installation time) is the user one

How to know it:

 have a look at this registry key of some of those clients

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

you will recognize values like preferredgroup, etc... some scenarios could be:

1) preferred mode is computer and last/current mode is user:

reason a) or b)

2) no last/current mode or set to computer and preferred mode is computer:

reason a)

3) no last/current mode and preferred mode is user:

reason c)

Please, note that this a way to prevent clients change mode once the last/current mode is the right mode.

Greetings!

Here is a quick fix for the issue you are running into with the MoveClients utility:

Dim DBUser : DBUser = "sa"
Dim DBPass : DBPass = "thisisfake"

This is likely incorrect, you will need to use the database user that is associated with database you created. Typically this is the "sem5" user, so just change the user name and password to match the name/password you used when you installed/created the SEPM database and the utility should work without issue (assuming there are no association/mapping issues with that user account, we can likely still get it working even if that's the case though by creating a new account with the proper mapping if needed).

Hope that helps!

Edit: Actually, I just realized that I was recently assigned to assist the technician on the case you opened as well (pieced it together from your user name and first name in your posts). Joel will be calling you on Monday to walk you through the process and give you all the details about why the sem5 account is needed, but if you happen to still be working on it tonight/this weekend, you can try this out before then. If that doesn't take care of it we'll try to get you all squared away on Monday. Have a good weekend!

Thanks for the response. Yes, I realize that "thisisfake" isnt the real sa password. I changed it because I didnt want to post my sa password on the internet. I can assure you though that I have the correct sa password in the script.

Thanks.

Ah, I think you misunderstood. The problem wasn't the password, it was the account. The SA (System/SQL Administrator) account isn't associated with the SEPM database, only the original account you created the database with is.

The default database user account that is created when you install the SEPM is "sem5". Try the utility with that account and the password for that account and that should take care of the problem.

Ok so yes,

The problem was that I couldnt use the sa account. I had to use sem5. The problem with that is I didnt have that password. It was created by someone else long ago. I didnt want to change the password in fear of breaking stuff. My Symantec tech had me create a new database user using this procedure:

1. Login to SQL Server Management Studio
2. Expand Security
3. Right click Logins->New Login
4. General->Type a Login name: (your choice)->Set SQl Server authentication->Type a Password: (password)->Set Default database: to sem5
5. Server Roles->Server roles: public
6. User Mapping->Users mapped to this login:->Check sem5->Ensure the User field is set to the user name created in step 4->Set Default Schema to sem5->Under database role membership for: sem5->Check db_owner and public
7. Click OK

Then it worked. Thanks everyone for the responses.

Glad we could help!