Better Active Directory computer accounts synchronization
The Active Directory synchronization feature of SEPM is very important to us. It was one of the main reasons why we chose Symantec as our security solution.
We have decided to import the OUs where the computer accounts are located. But ever since its implementation we have been facing problems with it. Every time a computer is renamed, or something goes wrong on a machine and it needs to be re-joined to the domain, the old computer account still remains on SEPM, on the same OU. After some years and 4 migrations (MR1 -> MR2 -> MR3 -> MR4), you can imagine how messed up the computer accounts are on the server.
After reading the forums and some articles, I found that computer accounts are identified by unique IDs, and that the older ones are never removed from the server. If a machine is renamed, two IDs for the same computer are set in the SEPM database, and sometimes the older machine name appears as online, while in fact it doesn't exist in the AD anymore. The reports get messed up due to this situation. This uncontrolled situation has made the Quality department warn us several times.
So, I'd like Symantec to work more on Active Directory synchronization, to make it better. I'd like SEPM to show the "real situation" of my environment.
I read in the Release Notes of MR4 MP2 that there's a new tool to remove those duplicated computer accounts, but it seems to only work with those that appear in the Default Group. My problem is not there, but inside the OUs.
Thanks in advance,
Eduardo Nazato
AD clients are not deleted from reports
We have a client that was physically damaged so that we cannot uninstall the SEP and it still appears on the reports even though we have deleted it from the actual AD.
We see the occasional
We see the occasional database issue where we have one active client that ends up in the root My Company or Default group and a duplicate of the same client in a synchronized AD group that appears not to have a client. No idea why that happens but it would be nice to have a tool that would enable the merging or association of those two clients so that I didn't have to go in and fiddle with the SQL table.
We have found some
We have found some undesirable behaviour in the SEPM console when re-imaging a workstation and then re-installing the SEP client. In brief, once the client is installed we get a duplicate entry in the SEPM console (one appears in the Default Group and the other in the AD synced OU). In addition to the duplication, the client will appear in the console as unmanaged.
The response from the support rep is that this is expected behaviour and that we should try uninstalling the SEP client before re-imaging the machine. You can appreciate that in a corporate environment it is not practical to have to implement this additional step and is not even possible in some circumstances.
I can see what Symantec are
I can see what Symantec are doing here: they are applying a Microsoft best practice to SEPM. However, as with a lot of Microsoft best practices... the real world is very different. All companies are now constrained by costs (especially in the current economic climate). If Symantec and Microsoft adopt a best practice which adds to the overall resource effort in doing something, then they are contributing to costs - not removing them, which is bad! Symantec need to see sense and listen to the people on the ground dealing with this stuff on a daily basis...!
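A reconciliation check for the two situations described in this thread (an old name left behind in a synced OU after a rename or re-join, and the Default Group / synced-OU twin that appears after re-imaging), written as an added example; it is not Symantec's removal tool or code from any of the posts. The field names and the sample SEPM and AD data are constructed assumptions; in practice the two inputs would come from a SEPM client export and a query of the computer objects in AD.

```python
from collections import defaultdict

# Constructed sample data. Field names are assumptions for this example,
# not SEPM's real export schema or database columns.
SEPM_CLIENTS = [
    {"id": "id-1", "name": "WS-0101", "group": "My Company\\Default Group", "online": True},
    {"id": "id-2", "name": "WS-0101", "group": "My Company\\HQ\\Workstations", "online": False},
    {"id": "id-3", "name": "WS-0102-OLD", "group": "My Company\\HQ\\Workstations", "online": True},
    {"id": "id-4", "name": "WS-0102", "group": "My Company\\HQ\\Workstations", "online": True},
    {"id": "id-5", "name": "WS-0103", "group": "My Company\\HQ\\Workstations", "online": False},
]
# Computer objects currently present in AD (sAMAccountName without the trailing '$').
AD_COMPUTERS = {"WS-0101", "WS-0102", "WS-0103"}

DEFAULT_GROUP = "My Company\\Default Group"


def reconcile(clients, ad_computers, default_group=DEFAULT_GROUP):
    """Compare SEPM client entries with AD and return a report with three parts:
    'stale'      - entries whose name no longer exists in AD (old name after a rename,
                   or a machine removed from the domain), with SEPM's online flag kept
                   so entries still reported as online stand out;
    'duplicates' - names that have more than one SEPM entry (separate client IDs);
    'ghosts'     - for a duplicated name, the entry in a synced OU when a twin sits in
                   the Default Group: the pattern seen after re-imaging.
    Names are compared case-insensitively, as AD computer names are."""
    ad_names = {n.upper() for n in ad_computers}
    by_name = defaultdict(list)
    for c in clients:
        by_name[c["name"].upper()].append(c)

    stale = [{"id": c["id"], "name": c["name"], "group": c["group"], "online": c["online"]}
             for c in clients if c["name"].upper() not in ad_names]
    duplicates = {name: [c["id"] for c in entries]
                  for name, entries in by_name.items() if len(entries) > 1}
    ghosts = []
    for entries in by_name.values():
        in_default = [c for c in entries if c["group"] == default_group]
        in_ou = [c for c in entries if c["group"] != default_group]
        if in_default and in_ou:
            ghosts.extend(c["id"] for c in in_ou)
    return {"stale": stale, "duplicates": duplicates, "ghosts": ghosts}


if __name__ == "__main__":
    report = reconcile(SEPM_CLIENTS, AD_COMPUTERS)
    for entry in report["stale"]:
        flag = "still shown ONLINE" if entry["online"] else "offline"
        print(f"stale: {entry['name']} ({entry['id']}) in {entry['group']}, {flag}")
    print("duplicate names:", report["duplicates"])
    print("probable ghosts in synced OUs:", report["ghosts"])
```

The report is a review list, not a delete list: an entry flagged as stale still has to be checked against the machine's actual state before anything is removed.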