
Move back to SEPM Groups from AD structure

Created: 08 May 2012 • Updated: 10 May 2012 | 11 comments
This issue has been solved. See solution.

Hey guys,

I'm running a SEPM 12.1 server, and originally we were using SEPM groups that we manually created to handle our policies. We recently moved over to our AD structure to handle them, and it's not working out for the best, so we would like to move back to using our manual groups (which have been deleted). Is there an easy way to remove the AD structure and have the clients fill back into the default group so I can move them into new groups I create? Thanks for any input.

 

-Rich


pete_4u2002's picture

Yes, break the scheduled sync with AD. Delete the AD groups manually. The clients will report to the default group; from there on you can move clients to newly created groups using a script or a manual process.

Mithun Sanghavi's picture

Hello,

Once you delete the AD sync from SEPM, all the clients would report to the SEPM's default group in the next Heart Beat Interval.

Once you have them, you can later create new groups and move the clients to the respective groups manually.

In case that does not occur, you may require the assistance of the SylinkReplacer version 12.1 tool for replacing the sylink.xml file and reporting them to the SEPM machine.

The SylinkReplacer version 12.1 tool is available from the Symantec Technical Support Team. I would suggest you create a case for the same.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture

Hi,

You can opt for the following options after deleting the AD sync.

Clients will reappear in the default group as they check in, unless you enable automatic creation of client groups by adding "scm.agent.groupcreation=true" to the conf.properties file.

Add the "scm.agent.groupcreation=true" line at the bottom of conf.properties.

The conf.properties file is available under C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc

In this way groups should be automatically created under My Company and clients should connect to their respective groups.

Let me know if it worked.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

VonRickster's picture

How do I edit that file? Do I have to manually point that file to a program like Notepad?

pete_4u2002's picture

Yes, open it in Notepad. After adding the line, restart the SEPM service.

Simpson Homer's picture

Yes, you would have to manually edit the file as per the location and just add the word TRUE

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc

 

editing "scm.agent.groupcreation=true" to the conf.properties file
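
The conf.properties change described in the comments above (add the line, then restart the SEPM service), as an added PowerShell example that is not part of the thread and not a Symantec tool. It assumes the file is named conf.properties inside the directory quoted above and that the SEPM service is named `semsrv`; confirm both on your server before running it.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt on the SEPM server.
param(
    # Directory as given in the thread, plus the file name.
    [string]$ConfPath = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties',
    # Assumption: name of the SEPM Windows service; confirm with Get-Service.
    [string]$ServiceName = 'semsrv'
)
$ErrorActionPreference = 'Stop'
$key  = 'scm.agent.groupcreation'
$want = "$key=true"

if (-not (Test-Path -LiteralPath $ConfPath)) { throw "Not found: $ConfPath" }

# ISO-8859-1 maps every byte to one character, so untouched lines survive unchanged.
$enc   = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
$lines = [System.IO.File]::ReadAllLines($ConfPath, $enc)

# Match an existing, uncommented entry for the key ("key=value" or "key:value").
$pattern = '^\s*' + [regex]::Escape($key) + '\s*[=:]'
$found   = $false
$updated = @(foreach ($line in $lines) {
    if ($line -cmatch $pattern) {
        # Keep one entry with the wanted value; drop later duplicates.
        if (-not $found) { $want; $found = $true }
    } else {
        $line
    }
})
if (-not $found) { $updated += $want }   # no entry yet: add the line at the bottom

if (($updated -join "`n") -ceq ($lines -join "`n")) {
    Write-Output "$want already present; nothing changed."
    return
}

# Back up first so the edit can be rolled back, then write and restart.
$backup = "$ConfPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $ConfPath -Destination $backup
[System.IO.File]::WriteAllLines($ConfPath, [string[]]$updated, $enc)
Write-Output "Updated $ConfPath (backup: $backup)"

Restart-Service -Name $ServiceName
Write-Output "Restarted service $ServiceName"
```

Running it a second time makes no change and does not restart the service, and an existing `scm.agent.groupcreation=false` entry is rewritten in place instead of being shadowed by a second line.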

VonRickster's picture

Let me just double-check before I go through with this. If those groups that I had originally were deleted after I started using our AD import structure and then I delete the AD structure, when the clients that showed in the AD structure check back in, will they recreate and be added to the group they were part of at the start before AD syncing?

Chetan Savade's picture

Yes, clients should recreate and be added to the group they were part of at the start before AD syncing.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Simpson Homer's picture

 

Title
What happens to clients when you stop Active Directory Synchronization in Endpoint Protection Manager?
Problem

The Active Directory Organization Units that contain the clients and users will remain in the Endpoint Protection Manager until removed manually.

 

Solution
  • If you do not want those groups to be included in the SEP Manager please remove them manually and run the Management Server Configuration Wizard to reconfigure the SEP Manager.
  • Those existing clients will check in again and be added to the temporary group.

 

VonRickster's picture

Why would I need to run the configuration wizard again?

Mithun Sanghavi's picture

Hello,

Once you delete the AD sync from SEPM, all the clients would report to the SEPM's default group in the next Heart Beat Interval.

To Delete the AD Sync, here are the steps:

* In the SEPM under Servers
* Right click on the server name and select Edit Properties
* Click on Directory Servers
* Select each server listed and click Delete
* Uncheck Synchronize with Directory Servers
* Click OK
* Wait for the database maintenance task to complete (happens at midnight)
* After a few minutes, go back to the Clients section
* Right click on the top OU and select Delete

The clients should end up in the Default group once they check in again.

 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION