Endpoint Protection

  • 1.  Using registry value for location switching works in one group, but doesn't in another?

    Posted Oct 09, 2009 02:58 PM
    Good afternoon,

    I am hoping someone can point me in the right direction as to what is going wrong here. The scenario is as follows:

    We have set up 3 locations with SEPM servers. We are using a registry key condition that reads the domain membership (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain) to distribute clients between the three servers. We have just gone live with this yesterday after extensively testing it in the testers group.

    The thing is... it works perfectly in the testers group but does nothing on the main client group. The conditions were actually copied directly out of the testers group onto the live clients group, so I know there aren't any typos or anything like that. Further, when I put any client into the testers group, it switches SEPM servers perfectly based on its domain membership.

    What could be overwriting this to make it fail in the main clients group? I have verified that the registry key above contains the domain name the computer belongs to on ALL versions of Windows we run at the company, and tested it on at least 10 different machines, all of which switched servers perfectly in the testers group.

    Any help would be appreciated.


  • 2.  RE: Using registry value for location switching works in one group, but doesn't in another?

    Posted Oct 09, 2009 03:20 PM
    Is there a conflict between which location you have "set as a default location in case of conflict"?

    You can only add switching conditions to a group's policy provided the group does not inherit policies from a higher group. If necessary, uncheck "Inherit policies and settings from parent group" unless it is already unchecked. You cannot switch a rule unless the policy for the subgroup is no longer inherited from a higher group.


    Ref: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040212410248
    Also check:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009062410243548



  • 3.  RE: Using registry value for location switching works in one group, but doesn't in another?

    Posted Oct 09, 2009 03:23 PM
    "Enable Location Awareness" was disabled on the main client group before my time, whereas it was enabled on the testers group.

    I have enabled it on the main clients group now and we should start seeing some action. Talk about an obvious answer! 

    /edit: Thank you for the reply Vikram! This was my dumb mistake not checking that the main group had location awareness enabled.