Endpoint Protection

  • 1.  SEP 12.1 - Removing AD Groups from SEPM

    Posted Nov 07, 2013 08:29 AM

    Hey everyone,

    I am currently working on a rollout of new workstations. We are replacing Windows XP machines with Windows 7 (talk about being late to the party). Originally my SEPM is set up with Active Directory Integration, so when computers get placed into an OU and have SEP installed, they are then located in the same folder/group in the SEPM. For certain reasons, we now want to place Windows 7 machines in a separate group so that they receive a different policy from the XP machines. In order to do that we would have to make our AD structure more complex, which we don't really want to do right now. I want to break the AD setup in the SEPM so I can manually manage workstations, but I want to make sure I do it in a safe manner.

    Am I safe to simply delete the AD-enabled group in the SEPM console? Will this delete objects (individual computers) from the SEPM? What will happen to the computers when I delete the AD group? My guess is that they will all move into the "Default Group" folder.

     

    Thanks in advance!



  • 2.  RE: SEP 12.1 - Removing AD Groups from SEPM
    Best Answer

    Posted Nov 07, 2013 08:32 AM

    Yes, they will all go to the default group when you delete the group and from there you can move manually.

    Personally, I do not like AD sync, it has caused way too many issues for me.



  • 3.  RE: SEP 12.1 - Removing AD Groups from SEPM

    Broadcom Employee
    Posted Nov 07, 2013 08:34 AM

    To Delete the AD Sync, here are the steps:

    * In the SEPM under Servers
    * Right click on the server name and select Edit Properties
    * Click on Directory Servers
    * Select each server listed and click Delete
    * Uncheck Synchronize with Directory Servers
    * Click OK
    * Wait for the database maintenance task to complete (happens at midnight)
    * After a few minutes, go back to the Clients section
    * Right click on the top OU and select Delete

    The clients should end up in the Default group once they check in again.

    http://www.symantec.com/connect/forums/move-back-sepm-groups-ad-structure



  • 4.  RE: SEP 12.1 - Removing AD Groups from SEPM

    Trusted Advisor
    Posted Nov 07, 2013 08:35 AM

    Hello,

    Once you delete the AD sync from SEPM, all the clients would report to the SEPM's default group at the next heartbeat interval.

    To Delete the AD Sync, here are the steps:

    * In the SEPM under Servers
    * Right click on the server name and select Edit Properties
    * Click on Directory Servers
    * Select each server listed and click Delete
    * Uncheck Synchronize with Directory Servers
    * Click OK
    * Wait for the database maintenance task to complete (happens at midnight)
    * After a few minutes, go back to the Clients section
    * Right click on the top OU and select Delete

    The clients should end up in the Default group once they check in again.

    Hope that helps!!



  • 5.  RE: SEP 12.1 - Removing AD Groups from SEPM

    Posted Nov 07, 2013 09:25 AM

    I like it from the standpoint that our workstation build group simply has to associate the computer with the right OU and the proper SEP policy gets deployed to the computer. We have different functional groups and some get access to USB while others don't, etc, etc. It keeps the engineers responsible for SEP from having to micromanage each newly deployed SEP install. 


    Conversely, I don't like it from the standpoint that once a computer is associated with an OU, the only way you can update the policy is by moving it in Active Directory to either A) a different OU or B) an OU that's not managed. It makes troubleshooting kind of difficult.

     

    I definitely get your feels on it B-ry. 



  • 6.  RE: SEP 12.1 - Removing AD Groups from SEPM

    Posted Nov 07, 2013 09:48 AM

    Heck, half the time the PCs would still go into the wrong group... although I haven't used it in some time, so it may be improved.

    The other issue is I would always find myself breaking sync on certain groups to move out a few PCs for testing purposes. I could've added the groups in AD but our AD admins didn't care for that.