ADAM and EVE

SEPM has many good points; however, adding computers is a bind. There are a few solutions where direct access to the SEPM DB tables is used: this defines another approach.

AD and Location

It is easy to synchronise an AD into SEPM; then all the computers in a Microsoft Domain are defined. It is then possible to give policies, either by “Location” mechanisms or by picking some AD groups.

Location is a fine solution: define some Locations in “My Company” and let all the groups beneath inherit. One can test whether the computer is a particular type of server and make virus scanning exceptions where needed. Unfortunately, it doesn’t seem to be possible to see in the SEPM database which “Location” policy a given computer has.

AD has a problem as well: it is very unlikely that there will be the AD groups one needs to define correct exceptions, and it is not advisable to alter one’s AD to reflect any policy structure one wants. SEPM unfortunately has no means of grouping computers by their membership of an AD group (memberOf or uniqueMember). Also, if one has many Microsoft Domains, it gets to be a pain keeping track of any new domains or importing them.

LDAP

A sister to the AD synchronisation is LDAP synchronisation, in theory at least. Unfortunately, if one does have a company LDAP with one’s computers defined, Symantec for some reason adds some extra “invisible” filters that, in my case, result in no computers.

ADAM

Well, let’s use ADAM. ADAM comes with one’s Windows 2008 server, on which one can run one’s SEPM. It is LDAP, so in theory it should be possible to create a structure that is compatible with the LDAP synchronisation in SEPM. One could take the computers defined in one’s company CMDB and place them in groups that can have SEP policies assigned when they are synchronised with SEPM.

SEPM <<--LDAP Sync-->> ADAM Instance <<-- Program that collects from CMDB, AD or text files

EVE

In the next couple of weeks, I will try and create “EVE”, a program (in PowerShell) that can populate an ADAM with the information I need. For success:
- a basic ADAM that SEPM will use (the filters used in SEPM are now documented with a Wireshark trace).
Unless a snake comes into paradise of course ...

Forum @ https://www-secure.symantec.com/connect/forums/adam-ldap-sync-group-sepm
Idea @ https://www-secure.symantec.com/connect/idea/ldap-filter-definition
Let us see if I can get help with putting the code(s) I have made @ http://sourceforge.net/projects/sepbabedoda/
Open Source and one can join the work
SymantecEve.ps1 is written and will soon be available @ downloads. The usage is below. The format for the csv at this time is:

cn,DNPath,SEPMGroup
"cn=computername","dc=my,dc=net","SomeGroup"
$ProgramName (Version: $Version)
Function: to populate an ADAM instance from a CSVFile to be used as a LDAP sync source for Symantec SEPM.
Parameters:
  -CSVFile      The csv file to be imported
  -ADAMHost     The dns/ip of the ADAM host, with optional port eg localhost:389
  -TopDN        The dn used eg dc=net
Options:
  -UseEventLog  Send program events to Windows Application Log (default: False)
  -Verbose      More text output
  -WhatIf       This "usage"
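An added example of such an importer, written here and not the SymantecEve.ps1 script from the project: it reads a CSV in the format above (cn,DNPath,SEPMGroup) and creates the entries on an ADAM instance through System.DirectoryServices. Assumed, because the page does not say how the columns combine: each SEPMGroup becomes an organizationalUnit directly under the row's DNPath, the computer entry is created inside it with the object class given by -ComputerClass (the ADAM schema must already contain that class), and the script binds as the current Windows user. The function and parameter names are the example's own.

```powershell
<#
  Added example, not the SymantecEve.ps1 from this project.
  Reads a CSV with columns cn,DNPath,SEPMGroup and creates, per row, an
  organizationalUnit named after SEPMGroup under DNPath (assumption) and the
  computer entry inside it (object class from -ComputerClass, assumed to exist
  in the ADAM schema). Binds as the current Windows user (assumption).
  -WhatIf here is a real dry run: nothing is written to the instance.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $CSVFile,
    [string] $ADAMHost      = 'localhost:389',
    [string] $ComputerClass = 'computer'
)

function ConvertTo-LdapRdnValue([string] $Value) {
    # Escape RFC 4514 special characters so that a CMDB value such as
    # 'Servers,ou=Admins' cannot add extra RDNs to the DN being built.
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    $escaped = $escaped -replace '^([# ])', '\$1'
    $escaped = $escaped -replace '( )$', '\$1'
    return $escaped
}

function Test-LdapEntry([string] $Dn) {
    # True if the entry already exists on the ADAM instance.
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ADAMHost/$Dn")
}

function Add-LdapChild([string] $ParentDn, [string] $Rdn, [string] $Class) {
    # Create a child of the given object class under $ParentDn and commit it.
    $parent = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ADAMHost/$ParentDn")
    $child  = $parent.Children.Add($Rdn, $Class)
    $child.SetInfo()
    Write-Verbose "created $Rdn,$ParentDn ($Class)"
}

$created = 0; $skipped = 0
:rowLoop foreach ($row in (Import-Csv -Path $CSVFile)) {
    foreach ($col in 'cn', 'DNPath', 'SEPMGroup') {
        if (-not $row.PSObject.Properties[$col] -or [string]::IsNullOrWhiteSpace($row.$col)) {
            Write-Warning "skipping row with empty or missing column '$col'"
            $skipped++; continue rowLoop
        }
    }
    # The cn column already carries the 'cn=' prefix in the CSV format above;
    # accept only a single plain RDN so a row cannot smuggle in extra components.
    if ($row.cn -notmatch '^cn=[^,+\\]+$') {
        Write-Warning "skipping row with malformed cn '$($row.cn)'"
        $skipped++; continue rowLoop
    }

    $groupRdn   = 'ou=' + (ConvertTo-LdapRdnValue $row.SEPMGroup)
    $groupDn    = "$groupRdn,$($row.DNPath)"
    $computerDn = "$($row.cn),$groupDn"

    if (-not (Test-LdapEntry $groupDn)) {
        if ($PSCmdlet.ShouldProcess($groupDn, 'create organizationalUnit')) {
            Add-LdapChild -ParentDn $row.DNPath -Rdn $groupRdn -Class 'organizationalUnit'
        }
    }
    if (Test-LdapEntry $computerDn) {
        Write-Verbose "already present: $computerDn"; $skipped++; continue
    }
    if ($PSCmdlet.ShouldProcess($computerDn, "create $ComputerClass")) {
        Add-LdapChild -ParentDn $groupDn -Rdn $row.cn -Class $ComputerClass
        $created++
    }
}
Write-Output "created: $created, skipped: $skipped"
```

Run it as `.\Import-SepmCsv.ps1 -CSVFile computers.csv -ADAMHost localhost:389 -WhatIf -Verbose` first to see which OUs and computer entries it would create. The RDN escaping and the strict check on the cn column are there because the CMDB or text file feeding the import is untrusted input as far as the directory is concerned; a value containing a comma or a plus sign would otherwise change where an entry lands. Whether SEPM then picks the entries up depends on the container and object class names matching the filters its LDAP sync sends (the trace the post mentions), which this example does not reproduce.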