
how to use an Active Directory account and password to login to SEPM

Created: 02 Jan 2012 • Updated: 05 Jan 2012 | 7 comments
Mohankumar

Hi all,

I need a solution for this query:

How to use an Active Directory account and password to log in to the Symantec Endpoint Protection Manager


andykn101

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

ohzone - CherylPeterson

I have moved this to the SEP forums


Endpoint Management,
Endpoint Virtualization
Managing Mobility
Community Manager
Need Altiris help? IRC chat #Altiris

AR Sharma

Please find a short, step-by-step guide in the link below.

Thanks & Regards,

AR Sharma, CISSP

IBM Certified System Admin- Lotus Domino V7

ITIL V2 Certified

AR Sharma

Please also note that the AD username is not case-sensitive, but users created in SEPM are case-sensitive. In such a scenario, AD authentication may succeed and SEPM authentication may not. Remember to use the proper case as defined in SEPM.


pete_4u2002

Check the article:

To setup a SEPM administrator account to use Active Directory authentication, Steps A and B are required. You will configure SEPM to communicate with the Active Directory server(s), and then create a new Administrator.

Steps A - Add the Active Directory Server to your SEPM:
1. In the Symantec Endpoint Protection Manager console, click Admin.
2. In the Admin page, under Tasks, click Servers.
3. In the Admin page, under View Servers, select the Symantec Endpoint Protection Manager to which you want to add a directory server.
4. In the Admin page, under Tasks, click Edit Server Properties.
5. In the Server Properties for name of site dialog box, click Directory Servers.
6. In the Server Properties for name of site dialog box, click Add.
7. In the Add Directory Server dialog, type the name for the directory server (domain name) that you want to add in the Name field.
8. In the Add Directory Server dialog, check Active Directory as the Server Type.
9. In the Add Directory Server dialog, type the IP address, host name, or domain name in the Server IP Address or Name field. You must type the IP address, host name, or domain name of the Directory Server that you want to add.
10. Type the user name of the authorized directory server account in User Name field.
11. Type the password for the Directory Server account in the Password field.
12. Click OK.
13. When you click OK, SEPM tests the connection to the added server. If anything is wrong, the test fails and gives the error message "The server failed to connect to the target directory server".
14. Check your configuration and try again until the test completes without an error.

Steps B - Create a new SEPM Administrator account:
1. On the Symantec Endpoint Protection Manager console, click Admin.
2. On the Admin page, in the Tasks pane, click Administrators.
3. In the Tasks pane, click Add Administrator.
4. In the Add Administrator dialog box, enter the administrator name in the first text box. This name is the name with which the administrator logs on and by which the administrator is known within the application.
NOTE: You can enter any user name you want besides the default "admin" user name, it does not have to be an Active Directory user name.

5. Optionally enter the full name of the administrator in the second text box (this field is for informational purposes only).
6. Leave the password fields blank.
7. Specify the 'Authentication type' by clicking Change.
8. In the Administrator Authentication dialog box, select Directory Authentication.
9. Select the Active Directory server you created in Steps A-7 in the Directory Server box.
10. In the field Account Name enter your account name as it appears in Active Directory.
11. Click OK twice.
12. Log off SEPM and try to log in again:
    a. Use the username you created in Steps B-4 (remember the username is case-sensitive).
    b. Enter the Active Directory password for the account name used in Steps A-11 above.
    c. Leave the Domain blank. (This field is expecting a SEPM domain and not an Active Directory domain.)

Do not use the built-in SEPM "admin" account when setting up Active Directory Authentication, as this could lock you out of SEPM with an "Authentication Failure" when changing the Active Directory account, or when upgrading Active Directory, or when changing the Active Directory mode, or when removing SEPM(s) as a replication partner.

SEPM Active Directory Authentication is only supported for Admin accounts that have been created in SEPM by clicking "Add Administrator."

NOTE: The SEPM user name is taken from SEPM database while the password is taken from Active Directory for the account you specified in Account Name.
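As an added illustration (not part of the thread and not Symantec's code), the following Python model follows the logon flow the article above describes: the user name is matched against SEPM's own administrator list exactly (case-sensitive), the password is verified against the directory server (which compares account names case-insensitively), and the Domain field names a SEPM domain, not an AD domain. All server names, accounts and passwords are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: one SEPM domain, one directory server entry
# (as added in "Steps A") and one AD account behind it. Nothing here is real.
SEPM_DOMAINS = {"Default"}
AD_ACCOUNTS = {"corp.example": {"jsmith": "S3cret!"}}  # sAMAccountName -> password


@dataclass(frozen=True)
class SepmAdmin:
    name: str                          # SEPM logon name from "Steps B-4" (case-sensitive)
    auth_type: str                     # "sepm" or "directory"
    directory_server: Optional[str] = None
    ad_account: Optional[str] = None   # "Account Name" exactly as it appears in AD
    password: Optional[str] = None     # only used when auth_type == "sepm"


# Administrators created with "Add Administrator"; the password fields are left
# blank for the directory-authenticated one, as the article instructs.
SEPM_ADMINS = {
    "JSmith": SepmAdmin("JSmith", "directory", "corp.example", "jsmith"),
    "admin": SepmAdmin("admin", "sepm", password="LocalAdminPw"),
}


def ad_bind(server: str, account: str, password: str) -> bool:
    """Simulated directory bind: AD compares the account name case-insensitively."""
    users = AD_ACCOUNTS.get(server, {})
    return users.get(account.lower()) == password


def sepm_login(username: str, password: str, domain: str = "") -> Tuple[bool, str]:
    """Model of the SEPM logon: name taken from the SEPM DB, password from AD or SEPM."""
    # The Domain field is a SEPM domain; an AD domain typed here is simply unknown.
    if domain and domain not in SEPM_DOMAINS:
        return False, "unknown SEPM domain: %r" % domain
    admin = SEPM_ADMINS.get(username)            # exact match: case matters
    if admin is None:
        return False, "no SEPM administrator named %r (case-sensitive)" % username
    if admin.auth_type == "directory":
        ok = ad_bind(admin.directory_server, admin.ad_account, password)
        return ok, "directory authentication %s" % ("succeeded" if ok else "failed")
    ok = admin.password == password
    return ok, "SEPM authentication %s" % ("succeeded" if ok else "failed")


if __name__ == "__main__":
    for args in (("JSmith", "S3cret!"), ("jsmith", "S3cret!"),
                 ("JSmith", "wrong"), ("JSmith", "S3cret!", "corp.example")):
        print(args, "->", sepm_login(*args))
```

The second case shows the pitfall from AR Sharma's note: "jsmith" binds fine against AD, but fails at SEPM because the administrator was created as "JSmith".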

Ashish-Sharma

Hi Mohan,

Try this:


Active Directory Integration

As an optional feature, the Symantec Endpoint Protection Manager can be integrated with the Active Directory. The Symantec Endpoint Protection Manager can import the organizational unit and the account data and synchronize that data with the Active Directory automatically. The administrator can then use the existing organizational unit as a unit to assign the group policy to, just as with a group.

An Organizational Unit is treated as a special type of group because the imported organizational unit and the accounts in that unit cannot be modified. However, the organizational unit along with its data can be deleted as a whole by the administrator. Groups cannot be created under the Organizational Unit. The parent of an Organizational Unit can be the Group or the Organizational Unit. The administrator can select accounts from an Organizational Unit and move them to a specified group, for example, the administrator can create a group for remote users, move all of the remote users from their current organizational unit to a newly created group and assign a group policy that is tailored for the remote users in that group.

Note: The same user may exist in both the group and the organizational unit. In this situation, the priority of the group is higher than that of the organizational unit. For example, assuming both a remote group and an engineering organizational unit contain the “james” user account, then, the “james” user account will use the group policy of the remote group.

Synchronization with Active Directory
Imported Organizational Units are read only. Data in the Organizational Unit cannot be changed manually. The sub Organizational Units cannot be deleted. However, the Organizational Unit root as a whole can be deleted from the system manually because this does not take place when synchronized. The administrator must decide which Organizational Units are imported and if any of the existing Organizational Units need to be deleted. Only the Organizational Unit's data is synchronized with Active Directory. The interval time of synchronization is set in the server panel. For example, if an Organizational Unit or user is deleted from the HQ Organizational Unit, then that unit will not be deleted during a synchronization. However, that user will be deleted from their imported Organizational Unit in the Symantec Endpoint Protection Manager after a while. The latency is dependent on the interval time of synchronization. Users in the group that were copied from the Organizational Unit will not be synchronized automatically. For example, a user "james" is in the Engineering Organizational Unit and is copied into the Remote Users group. If "james" is removed from the Active Directory server, then the user "james" in the imported Organizational Unit will also be deleted, but it will not be deleted from the Remote Users group automatically. In some instances, when the clients register before an Active Directory synchronization takes place, they will register to the temporary group. During the process of Active Directory synchronization, the clients will need to be moved to the correct group.

Adding Organizational Units into Symantec Endpoint Protection Manager

    • Before an Organizational Unit can be imported, a Directory Server in "Server Properties" must be added.
    • If there are child domains and nested child domains, a Directory Server for each of those domains will need to be added as well.
    • Once the Directory Server(s) has been added, an Organizational Unit on any Group level can be imported.
    • Select the Organizational Unit of choice.
    • To select Organizational Units from a child domain, use the "Domain" pull-down menu to change to additional domains.
    • Once imported, the Organizational Unit will appear as a group.


Moving Users and Computers
The admin can select one or more users and/or computers from a group and move those selected users and computers to another group.
If the selected user or computer is in an Organizational Unit, the move means Copy. The selected user/computer will be moved to the destination group, and that user/computer criteria will be kept in the Organizational Unit.

Note: If the client is in Computer-based mode, moving the computer name of the client to another group will force the client to switch to the new group and get the new profile of that group.
If the agent is in User-based mode, moving the login user name of the client to another group will cause the client to switch to the new group and get the new profile.

Priority of Group and Organizational Unit
The Organizational Unit structure and all of the accounts in that Organizational Unit can be imported from and synchronized with Active Directory. An Organizational Unit will be placed in the group as an element of the group just as a computer or user account. An Organizational Unit can be considered as a special type of group. Group Policy Profiles can be applied to the Organizational Unit. The name of the Organizational Unit and the computer/user account within that unit cannot be modified. The computer/user account in the Organizational Unit can be copied into only one group. (Duplicating a computer/user account is not allowed in the groups). The computer/user account may exist in a group and in an Organizational Unit at the same time. Since the group has a higher priority than the Organizational Unit, the client will use the profile of the group instead of the Organizational Unit if the computer or login user of the agent exists in both the group and the Organizational Unit. 

Thanks In Advance

Ashish Sharma