Endpoint Protection

  • 1.  Impact of SEPM with AD Integration

    Posted Aug 15, 2014 02:03 PM

    Hi,

    We are planning to integrate our SEPM with the AD. But I am not sure about its impacts on the existing environment.

    Recently, two months back, we migrated the SEPM from v11.0.6300 to v12.1.4. And we have around 1200+ SEP clients.

    We have around 20-30 groups (including the sub-groups) and the policies for each group are different from the others. So can someone please enlighten me about the full impact of this migration on groups, policies, clients and the client-server communication.

     

    Thanks in advance.



  • 2.  RE: Impact of SEPM with AD Integration

    Posted Aug 15, 2014 02:07 PM
    Impact is you can't move clients around if they're synched with AD groups. Everything needs to be done in AD first.


  • 3.  RE: Impact of SEPM with AD Integration

    Broadcom Employee
    Posted Aug 15, 2014 02:08 PM

    Hi,

    Thank you for posting in Symantec community.

    I would be glad to answer your query.

    You can import and synchronize information about user accounts and computer accounts from an Active Directory server or an LDAP directory server. You can import group structures, or Organizational Units (OUs). Symantec Endpoint Protection can then automatically synchronize the groups on the Clients tab with those on the directory server.

    You cannot use the Clients tab to manage these groups after you import them. You cannot add, delete, or move groups within an imported OU.

    You can assign security policies to the imported OU. You can also copy users from an imported organizational unit to other groups that are listed in the View Clients pane. The policy that was assigned to a group before the group was imported has priority. A user account can exist in both the OU and in an outside group. The policy that was applied to the outside group has priority.

    WARNING: 
    Do not use the built-in SEPM "admin" account when setting up Active Directory Authentication; doing so can prevent logon access to SEPM with an "Authentication Failure" error. Lockout issues can occur when changing the Active Directory account, upgrading Active Directory, changing Active Directory mode, and when removing SEPM(s) as a replication partner.

    SEPM Active Directory Authentication is only supported for Admin accounts that have been created in SEPM by clicking "Add Administrator."

    NOTE: The SEPM user name is taken from SEPM database while the password is taken from Active Directory for the account you specified in Account Name.

    Refer to the following links:

    How to setup a SEPM administrator account to use your Active Directory authentication

    http://www.symantec.com/business/support/index?page=content&id=TECH104726

    How to configure Symantec Endpoint Protection Manager to synchronize user data with a directory server

    http://www.symantec.com/docs/TECH96201 



  • 4.  RE: Impact of SEPM with AD Integration

    Posted Aug 15, 2014 02:10 PM

    No, my first concern is what will happen to all my groups and their policies. Will the existing groups be deleted and will it replicate the AD structure?



  • 5.  RE: Impact of SEPM with AD Integration

    Posted Aug 15, 2014 02:26 PM
    Yes, if you import the whole structure.


  • 6.  RE: Impact of SEPM with AD Integration

    Broadcom Employee
    Posted Aug 15, 2014 02:37 PM

    Hi,

    Q. No, my first concern is what will happen to all my groups and their policies. Will the existing groups be deleted and will it replicate the AD structure?

    --> No. It's up to you what you wish to synch with AD.

    If you wish to synch only 5 OUs out of 100, then only those 5 OUs get listed in the SEPM. You will have to set the policies again.

    Also, you can decide at the time of AD synch where those 5 OUs should be listed, like under My Company or any other group.

    Personally, by looking at the existing setup, I won't recommend AD synch unless it's really a must.

     



  • 7.  RE: Impact of SEPM with AD Integration

    Posted Aug 15, 2014 02:45 PM

    OK, I got some idea, but can't I keep the same existing groups with the same policies and only sync the users, with no OU sync? Is it possible?



  • 8.  RE: Impact of SEPM with AD Integration

    Broadcom Employee
    Posted Aug 15, 2014 02:47 PM

    Not possible.



  • 9.  RE: Impact of SEPM with AD Integration

    Posted Aug 16, 2014 02:46 AM

    Thanks, Chethan, for the details. I will have to discuss the impacts with my manager. If he agrees to the change, I will log a case with Symantec for further support.



  • 10.  RE: Impact of SEPM with AD Integration

    Broadcom Employee
    Posted Aug 18, 2014 06:53 AM

    Thanks for the update. 

    You can close this thread by selecting 'Mark as a solution' with the answer that best helps you.