Endpoint Protection

Hi, We are running SEP12 RU6MP1 in our environment. Our SEP infrastructure synch with AD. AD synch is set to occur hourly. When configuring GUPs, we move the machine to be configured as a GUP to a certain OU container in AD. The machine moves to the correct OU in AD, but on the client, it stays on another OU.

I have created a package pointing it to the correct OU, installed it on the server. It seemed fine. After some time, the client SEP group moved back into the incorrect OU container. What might be causing this issue?

Thanks in advanced,

Mabunda

Is the client moving to the AD OU where the computer is registered?

Hi, in Active directory, yes

On the SEP client, it is in another group.

Ok, if you synch with AD the GUP will move to the OU container of AD.

Hi,

Here is the AD group (This is where the client should be in):

IT/Servers/SEPMs and GUPs/*OU Name*/*GUP Name*

Group Name in the SEP client

My Company\saps\IT\Servers\Gauteng

check the Group the client is pointing to

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

Value:Preferredgroup

interesting!

There is no group entry there. There are two strings there.

1. Default

2. SylinkFileChecksum

is that particular OU is synced in SEPM and is the client machine a cloned machine by any chance.

Hi, and yes, that OU is synched in SEPM and we synch the whole AD.

No, the machine is not cloned, it is a newly created VM Win Server 2012 R2.

by any chance is the client trying to register itself to the new OU or no attempts ? and also what is the group name it shows in the client console ?

I do not see any attempts of it trying to register itself to the new OU.

On the SEP client, it shows that it is on: My Company\Company\IT\Servers\Gauteng

It is suppose to be under: IT/Servers/SEPMs and GUPs/*OU Name*/*GUP Name*

is it happening for all the clients or only one client ? and have you tried to reinstall it ?

I have tried re-installing and it is happening on about 7 servers. We have more than 500 GUPs in the environment.

I suppose it is time for you to engage support. raise a ticket with them.

Thanks Praveen. I will do just that.

Out of curiosity, while the client reports staying in the original OU, do you actually see a record for the client in the AD-Synced group from the SEPM side view?

I'm wondering if:

1. The sync is not working, or
2. You've copied this client out of an AD-Sync group in the past (http://www.symantec.com/docs/TECH142225)

Hi, I have downgraded the SEP client from SEP12 RU6MP1 on the GUP server to SEP12 RU3 as a test. To my surprise, it works the way it should.

I have logged a call support with Symantec.

well that's interesting, keep us posted on the developments made.

Steps taken since it’s Win Server 2012,

1. Stopped the SEP client on the GUP server.

2. Opened “regedit”

3. Navigated to “HKLM\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylink\”

4. Double clicked on “HardwareID”, cleared the value and clicked on ok.

5. On explorer, I navigated to the following path: “C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData”

6. Renamed “sephwid.xml” to sephwid.old

7. Restarted the server

8. Problem sorted.

were you imaging your server OS as well ?