Endpoint Protection

  • 1.  Import AD OUs vs. Independent Group Creation

    Posted Jul 02, 2009 09:57 AM
    I'm looking to manage just over 100 servers in 6 different locations, all using GUPs per site pulling down from the SEPM server at site no. 1.

    The way my AD server OUs have been set up is not site-orientated, which means using the location awareness functionality in SEPM rather than just creating independent site-based groups, which to me seems to be a simple option. Of course, this is just one policy area.

    Also, some feedback from some older threads seems to imply that Active Directory imported into SEPM can bring its own problems (slow response consoles, freezes on console, synchronisation failures, part synchronisation inconsistencies).

    I can also see the potential long-term merits of using AD OUs in conjunction with Location Awareness, as it will reduce/simplify policies.

    Now I know this may be a 'how long is a piece of string' question, dependent on your experiences / infrastructure / requirements, but can you give me your opinions on what your preference is and why, and any major factors that you would use to define your decision?

    Thanks for any advice guys.


  • 2.  RE: Import AD OUs vs. Independent Group Creation
    Best Answer

    Posted Jul 04, 2009 02:11 PM
    Hi,

    You should create the simplest group tree for your needs. A group should be created if you have to apply different security settings (regarding SEP) for the machines belonging to this group. If you can create a group tree simpler than your AD tree, do it. Basically, you should take advantage of the flexibility of SEPM to reduce its maintenance.

    I am not aware of serious issues regarding the synchronization between AD and SEPM; of course, managing 1,000 imported OUs is harder than managing 100 "independent" groups.
    Actually, it seems that a lot of customers prefer the creation of independent groups for their flexibility (you can move clients, etc.).

    Regards,