In general, changes made to a computer in AD should not create duplicate records in our repository. If you remove a client from AD, it should be removed from the Manager too.
If you move the client to a different group in AD, it is not removed from the OU in SEE Manager.
The endpoint client is uniquely identified in the database Computers table by its GEGuid, a GUID generated by the Framework client during its installation.
(The Computers table contains all the endpoints under management. The ADComputers and NovellComputers tables can contain imported computer objects that do not have the Framework installed and have not reported a GEGuid, and are therefore not reflected in the Computers table.)
There is always only one record in the Computers table for an endpoint, unless the Framework client was un-installed and re-installed (not updated).
Changing the membership of an endpoint in AD and/or Novell results in modification to the relevant fields in the computer's record, and records are deleted or inserted in the AD and/or Novell tables as necessary.
Check whether there are any errors in the communication log.
1. Open the registry and look for "tracedisabled" under the following registry paths:
HKEY_LOCAL_MACHINE\SOFTWARE\GuardianEdge\Trace\TraceSinks\DBSink\GuardianEdge.ADSync
HKEY_LOCAL_MACHINE\SOFTWARE\GuardianEdge\Trace\TraceSinks\FileSink\GuardianEdge.ADSync
2. Set the string value "tracedisabled" to 0 under both paths.
3. Restart the AD Sync services.
4. The AD Sync log is generated under "C:\Program Files\GuardianEdge\Management Server\Services\Logs" with the name "GuardianEdge.ADSync.0001.txt".
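
Steps 1 to 4 above as a PowerShell script, for an elevated session on the Management Server. This is an added example, not vendor code. The registry paths, value name and log path are taken from the steps above; the service display-name pattern is an assumption, because the page does not name the service.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
param(
    # ASSUMPTION: the page does not give the service name; this wildcard is a placeholder.
    [string]$ServiceDisplayName = '*AD Sync*',
    # Log directory as stated in step 4.
    [string]$LogDir = 'C:\Program Files\GuardianEdge\Management Server\Services\Logs'
)

# Step 1: the two trace sink keys listed on the page.
$sinkKeys = @(
    'HKLM:\SOFTWARE\GuardianEdge\Trace\TraceSinks\DBSink\GuardianEdge.ADSync',
    'HKLM:\SOFTWARE\GuardianEdge\Trace\TraceSinks\FileSink\GuardianEdge.ADSync'
)

foreach ($key in $sinkKeys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "Key not found, skipping: $key"
        continue
    }
    # Record the current value so it can be restored after troubleshooting.
    $before = (Get-ItemProperty -LiteralPath $key -Name 'tracedisabled' -ErrorAction SilentlyContinue).tracedisabled
    # Step 2: "tracedisabled" is a string value, so write "0" as a string.
    Set-ItemProperty -LiteralPath $key -Name 'tracedisabled' -Value '0' -Type String
    Write-Host "$key : tracedisabled '$before' -> '0'"
}

# Step 3: restart every service whose display name matches the pattern.
$services = @(Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue)
if ($services.Count -eq 0) {
    Write-Warning "No service matches '$ServiceDisplayName'; restart the AD Sync services manually."
} else {
    $services | Restart-Service -Force -PassThru | Format-Table Name, DisplayName, Status
}

# Step 4: confirm the log file exists and show its most recent lines.
$log = Join-Path $LogDir 'GuardianEdge.ADSync.0001.txt'
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log -Tail 20
} else {
    Write-Warning "Log not created yet: $log"
}
```

The script prints the previous value of each "tracedisabled" setting, so it can be restored once troubleshooting is done.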