Endpoint Protection

  • 1.  SEP 11 Active Directory integration advantages/disadvantages

    Posted Oct 12, 2010 12:59 PM

    Hi all,

    What would be the advantages/disadvantages of moving the SEPM servers from a workgroup environment to a domain (AD)? I know about the possibility of using AD domain servers for authentication; however, because the number of SEP admins is very limited, this is not so tempting.

    My client is saying that using SEP Manager on a workgroup was recommended by a local Symantec vendor, unfortunately without other explanation.

    Thank you.



  • 2.  RE: SEP 11 Active Directory integration advantages/disadvantages

    Posted Oct 12, 2010 01:03 PM

    Other than the deployment issue (where you have to know every machine's local admin credentials), both are the same in regards to Endpoint Protection.



  • 3.  RE: SEP 11 Active Directory integration advantages/disadvantages

    Posted Oct 12, 2010 01:07 PM

    I don't think there would be any real advantage of MOVING to a domain from a workgroup...

    Consider the following, though:

    1. You could import the Active Directory structure in the SEPM console, and integrate with Active Directory. This will make your clients and groups in SEPM synchronize with the structure in Active Directory.

    2. If you lose communication with SEPM for some reason, like uninstallation and re-installation of SEPM, you could use the SylinkDrop utility in a domain. This would not be useful in a workgroup.



  • 4.  RE: SEP 11 Active Directory integration advantages/disadvantages

    Posted Oct 12, 2010 01:09 PM

    If you want to deploy SEP from the SEPM server, you have to know the local admin credentials of all clients (in a workgroup). In a domain, the domain admin credentials would work fine.

    Other than this, no other changes would come into the picture.



  • 5.  RE: SEP 11 Active Directory integration advantages/disadvantages

    Posted Oct 12, 2010 01:09 PM

    While installing SEP/SEPM in a workgroup environment, we need to keep a few things in mind:

    Best Practices for Central Deployment and Management of Symantec Endpoint Protection (SEP) in a Workgroup environment

    http://www.symantec.com/business/support/index?page=content&id=TECH91679&locale=en_US



  • 6.  RE: SEP 11 Active Directory integration advantages/disadvantages

    Posted Oct 12, 2010 01:10 PM

    In my experience, I found AD integration to be restrictive. I wanted to create my own groups in the SEPM and move clients back and forth as needed. With AD integration you have to follow your OU structure.

    I would say, if you have a larger install base, AD integration would be better. If you have a smaller install base, creating groups in the SEPM and managing the clients that way might be better.



  • 7.  RE: SEP 11 Active Directory integration advantages/disadvantages
    Best Answer

    Posted Oct 12, 2010 01:13 PM

    Also, with AD sync, you cannot just freely move PCs to another group. You need to create a new AD group, then move the PC. This is a disadvantage if you want to do testing on the various components/policies.

    An advantage is it is much easier for management. As PCs are joined to the domain, they *should* automatically move to the correct group. I say should because this is not always the case for me. Some PCs would not move no matter what even though they were in the correct AD group.

    I'm actually going to break the sync later this month as I want full control to do testing of certain policies with only a small user base and not have to worry about creating more AD groups.