How can I automatically drop clients into specific groups by IP?
Updated: 21 May 2010 | 14 comments
This issue has been solved. See solution.
I have a fairly spread out enterprise consisting of a couple of hundred physical locations and can't for the life of me figure out how to set up SEP11 to drop newly installed machines into groups and sub-groups based on IP address. I can apply policies based on IP, but need to break down groups by physical location. Tips?
Discussion Filed Under:
Comments
You can create groups in SEPM
You can create groups in SEPM ,
And use the Find Unmanged Computer Option , Enter the range of the IP address and select the groups to which you want to deploy the clients
this will put the Clients automatiicaly into specfic group based on Ip address
Title: 'How to install clients using the "Find unmanaged computers" in the Symantec Endpoint Protection Manager'
Document ID: 2007121511043248
> Web URL: http://service1.symantec.com/support/ent-security....
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
You could always create a
You could always create a script that added new systems to specific AD OU'sbased on subnet during new deployments and then sync AD with SEP.
All excellent suggestions. I
All excellent suggestions. I got crafty and packaged the install enterprise wide to drop the clients into the Default group. In hindsight, I should have gone the standard route. I was just wondering if there was a trick that isn't mentioned in the support docs that would move existing clients between groups based on IP.
Per ThatDude, create Startup
Per ThatDude, create Startup Scripts in GPOs linked to the AD Sites that correspond to your subnets (...assuming, here, that AD Site boundaries map to SEPM Group boundaries). Use this technique:
https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together
There's a catch in your situation, though. You'll have to do it twice: Once to make the client unmanaged (drop a SYLINK.XML from the original distribution media to do so), then again to make it managed and move it to the correct Group. Once everyone's out of Default Group, you'll want to remove that part of the script to speed up boot times.
Also, modify your existing installation method to install unmanaged clients, and the Startup Script will put the client in the right Group. We've been doing that for years with SEP via GPO install, and a similar method with SAV for years before that. I've never had anything but trouble from Symantec's push installers; YMMV.
If your desired SEPM Group boundaries don't map to AD Sites, it will get more complicated. You can use Group Policy Preferences (if you have them) with IP Address Range targeting to create a Scheduled Task to run SylinkDrop with specific SYLINK.XML files. Or, assuming a straightforward subnet mask like 255.255.255.0 and single-homed machines, parse IPCONFIG output for the subnet in a batch file.
HTH
I appreciate the suggestion.
I appreciate the suggestion. Sounds like it will be fairly easy to implement if I can get our AD guys to make a few changes to line everything up. Thanks much!!
You're welcome! If it works
You're welcome! If it works for you, please return to mark my reply as Solved. (And I think, if you do, that will be the first time anyone's ever extended that courtesy!)
(No subject)
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
There is a script available
There is a script available with symantec support which will move the clients to corresponding group with respect to IP address range which we can specify in a text file.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
How do we obtain this script?
How do we obtain this script?
Do you have any further
Do you have any further information on this script? That's exactly what I need to keep from having to restructure AD.
You have to open a a case
You have to open a a case with symantec technical support for getting it.This script is commonly used as a workaround for clients random movement among the groups problem in older versions.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Thanks! Good information.
Thanks! Good information. I'll give it a try if I have trouble with ThatDude's suggestion. It seems to be working great so far. Just trying to automate it now.
I am interested in that
I am interested in that script too.
It worked!
Thanks for all of your help!
Would you like to reply?
Login or Register to post your comment.