
SEP clients changing modes and client groups on their own

Created: 06 Jul 2009 • Updated: 21 May 2010 | 18 comments

We have 4 SEPMs worldwide and are noticing that upon upgrading our SAV 10.1.7.7000 clients to SEP MR4 MP1a about 30% will appear in the wrong client group within the SEPM and they will also be in USER mode.  We have our client packages set up to be in COMPUTER mode by default so we have no idea why some are appearing as USER mode.  We have not done any imports with our Active Directory environment.

Has anyone else noticed something similar?  So far Symantec support does not have an answer for this yet.


Grant_Hall's picture

 Are they being registered as the name of "administrator" in the user mode?

Grant-


Please don't forget to mark your thread solved with whatever answer helped you : )

Randall Molex's picture

<?xml version="1.0" encoding="UTF-8" ?>
<ServerSettings DomainId="C5FFFC0E0A2D023C00EEC589BD2E59B5" NameSpace="rpc">
<CommConf>
<AgentCommunicationSetting AlwaysConnect="1" CommunicationMode="PULL" DisableDownloadProfile="0" Kcs="9E789A6BC7FBF8B1C6901E658A638557" PullHeartbeatSeconds="300" RandomizationEnabled="1" RandomizationRange="300" UploadCmdStateHeartbeatSeconds="300" UploadLearnedApp="0" UploadLogHeartbeatSeconds="300" UploadOpStateHeartbeatSeconds="300" />
<ServerList Name="Default Management Server List for Site AME">
<ServerPriorityBlock Name="Priority1">
<Server Address="10.45.2.60" HttpPort="8014" HttpsVerifyCA="0" VerifySignatures="1" />
<Server Address="amevmsepm01" HttpPort="8014" HttpsVerifyCA="0" VerifySignatures="1" />
</ServerPriorityBlock>
</ServerList>
<ServerCertList>
<Certificate Name="amevmsepm01">MIICQDCCAakCBEkKAQowDQYJKoZIhvcNAQEFBQAwZzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB MRAwDgYDVQQHEwdGcmVtb250MRUwEwYDVQQKEwxzeW1hbnRlYy5jb20xDDAKBgNVBAsTA3NjbTEU MBIGA1UEAxMLYW1ldm1zZXBtMDEwHhcNMDgxMDMwMTg0NjM0WhcNMTgxMDI4MTg0NjM0WjBnMQsw CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEDAOBgNVBAcTB0ZyZW1vbnQxFTATBgNVBAoTDHN5bWFu dGVjLmNvbTEMMAoGA1UECxMDc2NtMRQwEgYDVQQDEwthbWV2bXNlcG0wMTCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEAgbtJRdnwWoI4qG38yfcAo0GLJAUZBP5lTehXCJKjkNThUNqeHu75pCHV 1cPT66XGVxwb28Hqb2XIt/c3baWlC1Sszv11iACvaYm6wbVwou+bjTMNKCiHfJZK3i7pr6gFUbhm bPDfA4ttCe/kLKdCtMEhZ1J/8WU55nsZyFNi6TsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQANEWha nfjZVqs+z1k13cWdC5azaFS/IBRyiyH+raTXxU7TP+JHN4FGD+JUZf73cifVbA2v3GtbXVELINkc wqZsvD8GG+zSP6wlMnYyRTx8J9pJI6S7DQb5Hxqs0HerlZAhBkEzS4E4RJjfZw+z9Jt8ngyXgzlk nWgb53qO5vZI5g==</Certificate>
<Certificate Name="eurmf01">MIICODCCAaECBElCLi8wDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB MRAwDgYDVQQHEwdGcmVtb250MRUwEwYDVQQKEwxzeW1hbnRlYy5jb20xDDAKBgNVBAsTA3NjbTEQ MA4GA1UEAxMHZXVybWYwMTAeFw0wODEyMTIwOTI2MDdaFw0xODEyMTAwOTI2MDdaMGMxCzAJBgNV BAYTAlVTMQswCQYDVQQIEwJDQTEQMA4GA1UEBxMHRnJlbW9udDEVMBMGA1UEChMMc3ltYW50ZWMu Y29tMQwwCgYDVQQLEwNzY20xEDAOBgNVBAMTB2V1cm1mMDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0A MIGJAoGBAItXzPCM5uxiAuhmND+75hNCa7C011Mx8zhtU7ISGNmSj3j+rj72SuO5pH9IJZZQ4sK4 9kiACKE0YYF7be53bk5zaMa8b3w1NDsnv1XAtg4VRhMvepq1Ufbd2UJ5LtujVvL4kf7KJtD5VAcw tUqH+/pnZjklzWhlQB19Lylrjr9xAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAYWEUJFrkj8VwdsB/ HBLpR8cYbHiCaOTrAzMH3jRlWFtTJSTwumFQ6qLYwUWgd0BQoJ/YV3Fq4tvXBQnh3iivFdCKR8I0 Ly1bWs7bn5zoOthpmPmgYutZ/4bq9SJPvgyHLGTrZsPRcpoRzIx41SAlWPG24NHRf3SWDZN0lsFu lKk=</Certificate>
<Certificate Name="JYASEP01">MIICOjCCAaMCBElIbyowDQYJKoZIhvcNAQEFBQAwZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB MRAwDgYDVQQHEwdGcmVtb250MRUwEwYDVQQKEwxzeW1hbnRlYy5jb20xDDAKBgNVBAsTA3NjbTER MA8GA1UEAxMISllBU0VQMDEwHhcNMDgxMjE3MDMxNjU4WhcNMTgxMjE1MDMxNjU4WjBkMQswCQYD VQQGEwJVUzELMAkGA1UECBMCQ0ExEDAOBgNVBAcTB0ZyZW1vbnQxFTATBgNVBAoTDHN5bWFudGVj LmNvbTEMMAoGA1UECxMDc2NtMREwDwYDVQQDEwhKWUFTRVAwMTCBnzANBgkqhkiG9w0BAQEFAAOB jQAwgYkCgYEAwUsAouJYEhdUhfn7HxnFwHgy94Wd10mggpwH/9hko9qDyx1fjsA59okJckkP0XPX U8p/L4UmjWqfGsBAEYn6G5LwXPVwcBByypkxOYh4SA5wIdBkYSSJM6OakTisWMaz9gHs0VoMwNLP 1HQoxKtpt++/X3XUhiuMIvJYUxKd41UCAwEAATANBgkqhkiG9w0BAQUFAAOBgQA0muBVchQF3cw6 3ks0+LufTCmWFZ2OYkUCEhKHI1/nXFwrgm+8xG8KnhJKq03qcAGyXzFhlOvH4MPZg8H+pX7M1p7Q /LrMGDYAkspQWBuV03bNtXSSI53Z4IMYFWIqc8gsmaMle/sl10m6RKgCb71RcW+o0MbephieGuRA /qdzSg==</Certificate>
<Certificate Name="FESSEPM01">MIICPDCCAaUCBEnMf4owDQYJKoZIhvcNAQEFBQAwZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB MRAwDgYDVQQHEwdGcmVtb250MRUwEwYDVQQKEwxzeW1hbnRlYy5jb20xDDAKBgNVBAsTA3NjbTES MBAGA1UEAxMJRkVTU0VQTTAxMB4XDTA5MDMyNzA3MjYwMloXDTE5MDMyNTA3MjYwMlowZTELMAkG A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRAwDgYDVQQHEwdGcmVtb250MRUwEwYDVQQKEwxzeW1hbnRl Yy5jb20xDDAKBgNVBAsTA3NjbTESMBAGA1UEAxMJRkVTU0VQTTAxMIGfMA0GCSqGSIb3DQEBAQUA A4GNADCBiQKBgQCfSn1np9d0W1osOywQI3t6CHBItuxBmNbeXtU8sUNJFmxFvabJA3kRAWMmmm8H N0ygIRV6oxeFbLfdqG8Lpigso9k+u8qbEKEoEwoH8Dz0dGASPfukgm3q5CMS55LoUYgg9Y4JmIwL nmi6ovpCRfDw8OTiyONZsFFFb9lOhffZXQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAEYJiS7oJjfz FyRASg1xzedn861WrwDk68ebBeJMXiBN/c1MD6DiBeHGobp6HNMG8/5i7YoR8SwknpkdrKg/l1yj ZVOStn1ubq+cyymwQUIPs+P5o4v6nVKCHX0LFSH3fhuX/UGzxZAFepdQ9HIIgzbzhZdOYKHltn2D xQm+8eCF</Certificate>
</ServerCertList>
<LogSetting MaxLogRecords="100" SendingLogAllowed="1" UploadProcessLog="1" UploadRawLog="1" UploadSecurityLog="1" UploadSystemLog="1" UploadTrafficLog="1" />
<RegisterClient PreferredGroup="My Company\AME" PreferredMode="1" />
</CommConf>
</ServerSettings>

Randall Molex's picture

They are being registered as the currently logged on user.  I saw a machine yesterday that was in user mode and it had the name of one of our users.  I then RDP'd into that machine and logged in as myself and the name changed to mine in the console.

Randy

Sandeep Cheema's picture

Two things:

1)  Can you post the setaid.ini from the package that you are using to deploy?

2) When you export the package, does it have the PreferredGroup tag within the sylink.xml? This tells the client which group to join when it first contacts the SEPM. On the client side this tag will be taken out when the client connects to the SEPM, as it's no longer needed.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

Randall Molex's picture

1)

; NOTE: Do not edit the config below
[PREDEFINED_SMC_CONFIG]
AppType=105
VendorID=4096
PlatformType=WIN32BIT

; User configureable options
PackageChecksum=12a723c95d2d25233a8a273275a3a195
[CUSTOM_SMC_CONFIG]
InstallNewInstanceOnly=0
InstallUserInterfaceLevel=u
KeepPreviousSetting=0
InstallationLogDir=%TEMP%\SEP_INST.LOG
DestinationDirectory=C:\Program Files\Symantec\
LaunchIt=1
AddProgramIntoStartMenu=1
UIRebootMode=3

[LU_CONFIG]
ServerProduct=SESM AntiVirus Client Win32
ServerLanguage=English
ServerVersion=11.0.4014
SequenceNumber=0
ServerMoniker={6FC87801-0A02-87E0-019C-D75A0A3BBC5F}
ClientProduct=SESC AntiVirus Client Win32
ClientLanguage=English
ClientVersion=11.0.4014
ClientMoniker={3572AC3E-0A02-87E0-019C-D75A48D9DC60}
SequenceTag=PATCH
ShortName=sesmAvClient32en_MR4
DisplayName=Symantec Endpoint Protection Win32 11.0.4014.26 (English)
CONNECT_LU_SERVER=0

[FEATURE_SELECTION]
SAVMain=1
EMailTools=1
OutlookSnapin=1
NotesSnapin=1
Pop3Smtp=1
ITPMain=1
Firewall=1
PTPMain=1
COHMain=1
DCMain=1

2)

Yes, I have a copy of our sylink posted and you'll see towards the bottom there is this line:

<RegisterClient PreferredGroup="My Company\AME" PreferredMode="1" />

This had been working fine when we first started our upgrades, but now it seems within the past month or so 1 out of 3 clients will appear in the SEPM in the wrong client group and in USER mode.
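
The check discussed above (does the exported package's sylink.xml carry the RegisterClient tag, and with which values) can be scripted across many packages. This is an added example, not code from the thread or from Symantec; the function names are hypothetical, the sample is constructed with placeholder values, and the expected group and mode are whatever the administrator intended, passed in by the caller.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the sylink.xml pasted in this thread.
# The leading "- " markers are what a browser XML viewer adds when copied.
SAMPLE = '''<?xml version="1.0" encoding="UTF-8" ?>
- <ServerSettings DomainId="PLACEHOLDER" NameSpace="rpc">
- <CommConf>
<RegisterClient PreferredGroup="My Company\\AME" PreferredMode="1" />
</CommConf>
</ServerSettings>
'''


def strip_viewer_markers(text):
    """Remove '- ' / '+ ' collapse markers that precede a tag at line start."""
    return re.sub(r'^[ \t]*[-+][ \t]*(?=<)', '', text, flags=re.M)


def register_client_settings(text):
    """Return (PreferredGroup, PreferredMode), or None if the tag is absent."""
    cleaned = strip_viewer_markers(text).strip()
    root = ET.fromstring(cleaned.encode('utf-8'))
    node = root.find('.//RegisterClient')
    if node is None:
        return None
    return node.get('PreferredGroup'), node.get('PreferredMode')


def check_package(text, expected_group, expected_mode):
    """List every way the file differs from the intended registration."""
    found = register_client_settings(text)
    if found is None:
        # Per the thread, a client-side copy loses the tag after first contact,
        # so this is only a finding for a freshly exported package.
        return ['RegisterClient tag missing']
    group, mode = found
    problems = []
    if group != expected_group:
        problems.append('PreferredGroup is %r, expected %r' % (group, expected_group))
    if mode != expected_mode:
        problems.append('PreferredMode is %r, expected %r' % (mode, expected_mode))
    return problems


if __name__ == '__main__':
    print(check_package(SAMPLE, 'My Company\\AME', '1') or 'package matches')
```

An empty list means the package asks for the intended group and mode, which points the investigation at the server side rather than the package.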

Sandeep Cheema's picture

Do they appear in the User mode when the install is run locally and not pushed?


Randall Molex's picture

I don't believe any have shown up in USER mode when installed locally, but we haven't done many installations locally.  We have ~10,000 clients and are using SMS to deploy the package.

Sandeep Cheema's picture

Odd...There has to be some difference. Can you upload the install log from both the machines, which gets installed as the user mode and the computer mode?


BernardW's picture

Did anyone find a solution to this issue? I have the same problem with one client. The rest have worked fine and I am trying to figure out how to fix this.

Randall Molex's picture

Symantec support provided us with a batch file that automatically changes all user mode entries to computer mode in the SEPM.  They also said by running this batch file this issue would not happen again in the future. They also said that MR4 MP2 fixes this issue, but we could not upgrade to MP2 at that particular time.

Ramji Iyyer's picture

We have also faced this issue when we have upgraded to MR2.MP2 but continued till MR4. After upgrading to MR4.MP2 this resolved.

As you have mentioned that you have 4 SEPM servers. Kindly do the following.

Upgrade the server to MR4.MP2.

Delete the replication & remote sites from all the servers

Stop the SEPM services on all the servers

Run the batch file to change to computer mode on all the servers simultaneously.

Run the batch file to fix duplicate clients on all the servers simultaneously.

Start the SEPM Services on all the servers.

Add replication partners of all the servers from Parent server.

Do the replication of all the servers one by one.

Note: This is a BUG of SYMANTEC.  I knew that the Symantec employees who contacted me for a solution are very much aware of this issue.

Regards...
Ramji Iyyer


Sandeep Cheema's picture

Okay cool.....What's this batch file stuff though....?...Did the support provide it to you too.....?

If it's a batch file, you can post it anywhere without violating anything. If you could please post it over here too, If it's just one. Don't bother if they have SFX packed it.....


Ramji Iyyer's picture

Where can I dump the batch file for you all?

Regards...
Ramji Iyyer


RickJDS's picture

Edit the batch file and copy/paste the code in your post.

Peterpan's picture

Yes please post the batch file so I could fix the same problem as yours.

:-)

Ramji Iyyer's picture

Dear all, I will upload it in the Idea section as it also contains a jar file.

Regards...
Ramji Iyyer


Ramji Iyyer's picture

Batch file uploaded. Let me know your feedback.

Regards...
Ramji Iyyer
