Endpoint Protection

 View Only

  • 1.  Deployment of SEP client to machines does not put them in the correct group

    Posted Dec 02, 2009 02:27 PM
    Hi There

    I have a similar problem to the other posts where i export an install package with policies for a selected group and want them added to the selected group.

    No matter what options i try they will not show up in the selected group, but will show up in the default group.
    If i disable new clients from being added to the default group they will not show up anywhere and i see an error message in the console saying that the selected computer cannot be added to the default group. I am running 11.0.5002.333 on everything.

    I have imported my client policies and folder structure from SAV using the import wizard, so is it possible that the computer accounts are already in the group but not visible?
    Is there a way to show and delete the hidden computer accounts as we do not want to deploy the SEP client using the SEP console.
    We will be using an Altiris job to deploy the SEP client but i am testing with some pilot users at the moment to get the exported packages correct.


  • 2.  RE: Deployment of SEP client to machines does not put them in the correct group

    Posted Dec 02, 2009 02:48 PM
    have you checked this document

    Clients move from assigned group to Default Group within the Symantec Endpoint Protection Manager

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/5a0992e52987d237882575a600685eda?OpenDocument


  • 3.  RE: Deployment of SEP client to machines does not put them in the correct group

    Posted Dec 02, 2009 02:57 PM
    I should have mentioned that we are doing an in-place upgrade on several thousand machines from SAV10.x to SEP 11 RU5 so manually moving them is not an option.

    Even manually deploying an exported package with the group specified to a pilot machine with no SAV client on it causes it to be moved to the default group. Checking the Sylink.xml shows that the group is specified correctly.

    This issues happens on machines that show a successful install and also show reboot needed = yes or reboot needed = no

    Any other idea's?

    EDIT

    The machines are a corporate image so hardware and software does not change often.



  • 4.  RE: Deployment of SEP client to machines does not put them in the correct group

    Posted Dec 02, 2009 03:03 PM
    it worked on few cases
    on the default group
    right clic\k and select properties
    check the box block new clients
    let me know if  the clients still fall in default group

    Half the Clients appear in correct group after push deployment half appear in default group

    https://www-secure.symantec.com/connect/forums/half-clients-appear-correct-group-after-push-deployment-half-appear-default-group


  • 5.  RE: Deployment of SEP client to machines does not put them in the correct group

    Posted Dec 02, 2009 03:12 PM
    As i said in my first post

    If i disable new clients from being added to the default group they will not show up anywhere and i see an error message in the console saying that the selected computer cannot be added to the default group.


  • 6.  RE: Deployment of SEP client to machines does not put them in the correct group

    Posted Dec 02, 2009 03:48 PM
    Discovery,

    Have you renamed any of the groups after importing and creating the deployment package?

    I have had an issue where I renamed one of my groups (changed 1 letter in the name from upper to lower case).  Existing clients remained but new clients all ended up in the default group. After changing the name back to the way it was before creating the package they end up in the appropriate group.

    Maybe you could try creating a new "test" group to see if its an issue with the ones you imported from SAV.

    Another thing  to check  on the client is Help and Support/Troubleshooting - confirm that group and other information is correct. I know you stated that they are in syslink file, but I have had cases where they did not match up.

    Hope that helps.


  • 7.  RE: Deployment of SEP client to machines does not put them in the correct group

    Posted Dec 02, 2009 04:25 PM
    Hi Robert

    No Group names were changed but i will try your suggestion on a new group that i create.
    I can see why no new clients would have managed to be added to the renamed group if you did not export the installation package again.

    Doing a migration report i see numerous computer accounts in the "pending migration" status, so maybe it would be better to somehow remove them from the database.



  • 8.  RE: Deployment of SEP client to machines does not put them in the correct group
    Best Answer

    Posted Dec 02, 2009 06:40 PM
    Sooooo......

    Creating a new group and then applying imported policies to the group allows the installation package to add the computer to the correct group.

    Creating a new group and then copying policies from the imported SAV group does not allow the package to add the computer to the correct group.

    It looks as though there is something in the imported SAV groups that causes group membership to fail when deploying packages.

    Thanks to Robert for the suggestion.