Solution:
Active Directory Integration
Overview
As an optional feature, the Symantec Endpoint Protection Manager can be integrated with Active Directory. The Symantec Endpoint Protection Manager can import organizational units and their account data and synchronize that data with Active Directory automatically. The administrator can then assign a group policy to an imported organizational unit, just as with a group.
An Organizational Unit is treated as a special type of group because the imported organizational unit and the accounts in that unit cannot be modified. However, the administrator can delete the organizational unit, along with its data, as a whole. Groups cannot be created under an Organizational Unit. The parent of an Organizational Unit can be either a Group or an Organizational Unit. The administrator can select accounts from an Organizational Unit and move them to a specified group. For example, the administrator can create a group for remote users, move all of the remote users from their current organizational unit to the newly created group, and assign that group a policy tailored for remote users.
Note: The same user may exist in both a group and an organizational unit. In this situation, the group takes priority over the organizational unit. For example, if both a Remote group and an Engineering organizational unit contain the "james" user account, then the "james" user account will use the group policy of the Remote group.
Synchronization with Active Directory
Imported Organizational Units are read-only. Data in an Organizational Unit cannot be changed manually, and sub-Organizational Units cannot be deleted. However, the Organizational Unit root as a whole can be deleted from the system manually, because synchronization never deletes it. The administrator must decide which Organizational Units are imported and whether any of the existing Organizational Units need to be deleted. Only the Organizational Unit's data is synchronized with Active Directory. The synchronization interval is set in the server panel. For example, if an Organizational Unit or user is deleted from the HQ Organizational Unit in Active Directory, that unit will not be deleted during a synchronization. However, that user will be deleted from their imported Organizational Unit in the Symantec Endpoint Protection Manager after a while; the latency depends on the synchronization interval. Users that were copied from an Organizational Unit into a group will not be synchronized automatically. For example, a user "james" is in the Engineering Organizational Unit and is copied into the Remote Users group. If "james" is removed from the Active Directory server, then the user "james" in the imported Organizational Unit will also be deleted, but it will not be deleted from the Remote Users group automatically. In some instances, when clients register before an Active Directory synchronization takes place, they will register to the temporary group. During the Active Directory synchronization, the clients will need to be moved to the correct group.
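The two rules above (group policy takes priority over OU policy, and synchronization refreshes imported OUs but never touches accounts copied into groups) have an operational consequence: an account deleted from Active Directory keeps receiving its group policy until an administrator removes it by hand. The following Python model is an added example, not Symantec code and not the SEPM API; it uses constructed account and policy names to walk through the "james" scenario and to show the stale-member check a practitioner would run after each synchronization interval.

```python
"""Model of the SEPM/AD synchronization rules described above (constructed example).

Assumptions (not SEPM's API): an imported OU and a group are both a policy
name plus a set of account names; imported OUs mirror AD, groups are
administrator-managed.  All account and policy names are sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Container:
    """A SEPM group or imported OU: its assigned policy and its accounts."""
    policy: str
    accounts: set = field(default_factory=set)


def sync_imported_ous(imported_ous, ad_snapshot):
    """Mirror the AD snapshot into the imported (read-only) OUs.

    Accounts that disappeared from AD are removed from the imported OU and new
    ones are added.  An OU that is missing from the snapshot is left in place:
    synchronization does not delete OUs, the administrator does.
    Returns {ou_name: [removed accounts]} for OUs that lost accounts.
    """
    removed = {}
    for ou_name, ou in imported_ous.items():
        ad_accounts = ad_snapshot.get(ou_name)
        if ad_accounts is None:
            continue  # OU no longer in AD: left for the administrator to delete
        gone = ou.accounts - ad_accounts
        ou.accounts = set(ad_accounts)
        if gone:
            removed[ou_name] = sorted(gone)
    return removed


def effective_policy(account, groups, imported_ous):
    """Group membership takes priority over OU membership for the same account."""
    for group in groups.values():
        if account in group.accounts:
            return group.policy
    for ou in imported_ous.values():
        if account in ou.accounts:
            return ou.policy
    return None


def find_stale_group_members(groups, ad_snapshot):
    """Accounts still in administrator-created groups that no longer exist in AD.

    Synchronization never edits groups, so a deleted AD account keeps its group
    policy until someone removes it manually; this is the audit to run after sync.
    """
    all_ad_accounts = set().union(*ad_snapshot.values()) if ad_snapshot else set()
    return sorted(
        (group_name, account)
        for group_name, group in groups.items()
        for account in group.accounts
        if account not in all_ad_accounts
    )


def demo():
    """Walk through the 'james' scenario from the text with constructed data."""
    imported_ous = {
        "Engineering": Container("Engineering Policy", {"james", "alice"}),
        "HQ": Container("HQ Policy", {"bob"}),
    }
    groups = {"Remote Users": Container("Remote Policy", {"james"})}

    before = effective_policy("james", groups, imported_ous)  # group wins over OU

    # Constructed AD snapshot taken after 'james' was deleted from the directory.
    ad_after = {"Engineering": {"alice"}, "HQ": {"bob"}}
    removed = sync_imported_ous(imported_ous, ad_after)       # james leaves the OU
    stale = find_stale_group_members(groups, ad_after)        # but stays in the group
    after = effective_policy("james", groups, imported_ous)   # and still gets Remote Policy
    return before, removed, stale, after


if __name__ == "__main__":
    print(demo())
```

Running the script shows "james" resolving to the Remote policy both before and after the synchronization that removed him from the Engineering OU; only the stale-member check surfaces the leftover group entry.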
Adding Organizational Units into Symantec Endpoint Protection Manager
Before an Organizational Unit can be imported, a Directory Server must be added in "Server Properties".
If there are child domains or nested child domains, a Directory Server for each of those domains will need to be added as well.