Endpoint Protection


Help me understand client how Groups & Importing AD OUs work together

Chetan Savade, Feb 02, 2012 11:51 AM

  • 1.  Help me understand client how Groups & Importing AD OUs work together

    Posted Feb 02, 2012 09:38 AM

    Unfortunately, support's best recommendation for my recent issues was to remove and reinstall SEPM, without restoring a DB backup.  Again.  (2nd time since 12.1 RU1 was released in late November.)  So while I'm working on rebuilding policies and the group structure for clients, I wanted to take another look at the option to import from AD.

    From what I'm seeing, it looks like I can tell symantec to import OU's from AD and it will bring over all of my computer accounts.  It takes any clients that SEP already knows about out of the groups they were in, since they are now in the imported OU.  Then I have an option to copy clients from the OU to groups.  That would allow me to apply SEP policies in a different way than I apply GPO's, by applying the SEP policies to the groups and structuring those groups differently than OU.  So far so good?

    Now, my confusion comes in when I realize that it doesn't move the client from the OU to the group, but it does seem to disable the OU copy.  (The client in the OU shows offline, while the one in the Group shows online.)  And, I see in the help files that this will actually cause SEP to think 2 licenses are used for the one client, since it shows up twice.  Is it not recommended to import AD OU's and copy the clients to groups?  

    I was hoping that by importing the AD OU's it would help with finding clients that don't have SEP installed, or that have SEP but aren't communicating with the newly rebuilt server because they didn't get updated by sylink replacer for some reason. It seems like this isn't likely to be helpful though, since once I copy a client to a group (for the purpose of applying different policies) it goes offline in the OU list, so I can't really tell if a domain computer actually is offline or if it's just in another group and showing offline in the OU. 

    How do others manage the group structure?  We've always used just groups, and always managed clients by computer, not by user.  I don't think we want to switch to managing by user, but I'm open to other suggestions for change.



  • 2.  RE: Help me understand client how Groups & Importing AD OUs work together

    Posted Feb 02, 2012 10:22 AM

    As you're clearly aware, an AD structure doesn't lend itself very well to managing AV, which is why I never recommend importing AD into the SEP Group structure.

    I find the automatic group assignment that importing AD does to be easily offset by using the 'moveclient' utility, and the discovery of unmanaged clients to be better managed by software management tools (Altiris) or just enabling unmanaged detectors.



  • 3.  RE: Help me understand client how Groups & Importing AD OUs work together

    Broadcom Employee
    Posted Feb 02, 2012 10:42 AM

    Hi,

    Is it not recommended to import AD OU's and copy the clients to groups?

    --> No need to copy the clients to groups. After importing OU's, clients should list as online in the OU structure itself.

    As you said, it's correct that importing the AD OU's wouldn't help with finding clients that don't have SEP installed.

    Go through the following video to learn more about importing OU's.

    https://www-secure.symantec.com/connect/videos/importing-active-directory-sepm

    A few articles:

    Organizational Units from Active Directory in Symantec Endpoint Protection 11.0

    http://www.symantec.com/docs/TECH102546

    How to setup a SEPM administrator account to use your Active Directory authentication

    http://www.symantec.com/docs/TECH104726

    Cannot delete Active Directory clients in the Symantec Endpoint Protection Manager

    Finally, everything depends upon your network size. If you have a wide range of clients I would suggest importing AD.  Otherwise, create groups as per your design and move clients respectively.


  • 4.  RE: Help me understand client how Groups & Importing AD OUs work together

    Posted Feb 02, 2012 10:53 AM

    But if I import the OU's into SEPM and don't copy the clients out to groups, I can only apply policies based on the OU structure.  I don't want to apply SEPM policies to an entire OU, I need to break the computers up into smaller groups for more granular control.


    I could swear in the old version of SEPM, there was an option to scan AD for computers to deploy the sep client to, but I can't find any way to do that in 12.1.  Am I imagining this, or has this functionality been removed?

    That's basically all I'm trying to import the OU's for, is to make sure I get all of our domain computers into SEPM and with the current SEP version and settings on the clients. 



  • 5.  RE: Help me understand client how Groups & Importing AD OUs work together

    Posted Feb 02, 2012 10:57 AM

    I'm not familiar with this moveclient utility.  Do you have a link where I could find more about it?  In the SEPM console, I don't have an option to move the client, only to copy it, if it is in an OU imported from AD. 



  • 6.  RE: Help me understand client how Groups & Importing AD OUs work together

    Broadcom Employee
    Posted Feb 02, 2012 11:01 AM

    Hi Gaj-jin,

    If you are talking about unmanaged computer feature, yes it's been removed in SEP 12.1.

    I am not pinpointing you; you should have an idea about the number of computers in your network, whether it's a small-sized or mid-sized network.

    If it's a big network, importing OU will be one of the available options.

    As you stated " I don't want to apply SEPM policies to an entire OU, I need to break the computers up into smaller groups for more granular control"

    --> Yes, you can do that by removing inheritance. You can customize policy as per your business requirement.

    I would request you to check above shared video.



  • 7.  RE: Help me understand client how Groups & Importing AD OUs work together
    Best Answer

    Posted Feb 02, 2012 11:11 AM

    ....is found within the SEP Media, the "Tools and Documents" download from fileconnect, in Tools\NoSupport\MoveClient.

    I'm not sure if it would be of that much use to you, as you've stated you import AD for purposes of keeping track of all clients, rather than the automatic group assignment.

    As far as keeping track of which ones have SEP installed and which ones do not, there are a few options.  Even though the 'Find unmanaged computers' option is now gone, you can still enable clients to act as 'unmanaged detectors', allowing your SEPM to email you with a list of discovered machines.

    There's also Altiris and the bundled SEP Integration Component, which can also help you discover machines without SEP installed (and automatically install to them if needed).

    Essentially, what I'm saying is that I would not import AD into the SEP group structure, I find it just makes life more difficult.  Oh and always use computer mode unless there is a specific (and important) requirement for user-mode.



  • 8.  RE: Help me understand client how Groups & Importing AD OUs work together

    Posted Feb 02, 2012 11:14 AM
    If you are talking about unmanaged computer feature, yes it's been removed in SEP 12.1.

    Why did they remove the functionality to detect unmanaged computers?  That was quite useful.


    I am not pinpointing you; you should have an idea about the number of computers in your network, whether it's a small-sized or mid-sized network.

    If it's a big network, importing OU will be one of the available options.

    I do know about how many computers are in the network.  I also know that after running the sylink replacer, about 100 computers aren't showing up in the new console.  The problem is, I don't know which computers. Instead of manually going through the entire SEPM client list and trying to match it against computers in AD, I was trying to find an easier way to detect the computers.


    As you stated " I don't want to apply SEPM policies to an entire OU, I need to break the computers up into smaller groups for more granular control"

    --> Yes, you can do that by removing inheritance. You can customize policy as per your business requirement.

    I'm not sure how removing inheritance helps.  For example, if I have 3 OU's imported into SEPM:

    DESKTOPS
    LAPTOPS
    SERVERS

    I need most desktops to have one Application and device control policy, but a handful of the desktops need to have a different policy.  Similarly, I need a different AV policy on some servers than I do on others.  Without modifying my existing AD structure to fit how SEPM policies need to be applied, how can I apply different policies to computers which are in the same AD OU?

    (My OU structure is more complicated than that, of course, but I'm just trying to clearly explain the issue.)
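    The matching the post above describes (SEPM client list against AD computer accounts, to find the roughly 100 machines that are not checking in) is what the following PowerShell does. This is an added example, not code from the thread or from Symantec: it normalises both name lists to the short upper-cased hostname and reports the difference in both directions. The sample inputs are constructed; the commented live run assumes the ActiveDirectory module is installed and that the client list was exported from the SEPM console to a CSV with a 'Computer Name' column (that column name is an assumption).

```powershell
# Added example (not from the thread or from Symantec): reconcile the computer
# accounts in AD against the clients SEPM reports, to list domain machines that
# are not checking in. The sample inputs below are constructed.

function ConvertTo-ShortName {
    param([Parameter(Mandatory)][string]$Name)
    # AD returns 'HOST$' (SamAccountName) or 'host'; SEPM may show 'host.corp.example'.
    # Compare on the upper-cased short hostname only.
    $n = $Name.Trim().TrimEnd('$')
    if ($n.Contains('.')) { $n = $n.Split('.')[0] }
    return $n.ToUpperInvariant()
}

function Compare-AdToSepm {
    param(
        [Parameter(Mandatory)][string[]]$AdComputers,
        [Parameter(Mandatory)][string[]]$SepmClients
    )
    $ad   = @($AdComputers | ForEach-Object { ConvertTo-ShortName $_ } | Sort-Object -Unique)
    $sepm = @($SepmClients | ForEach-Object { ConvertTo-ShortName $_ } | Sort-Object -Unique)

    $adSet   = New-Object 'System.Collections.Generic.HashSet[string]'
    $sepmSet = New-Object 'System.Collections.Generic.HashSet[string]'
    $ad   | ForEach-Object { [void]$adSet.Add($_) }
    $sepm | ForEach-Object { [void]$sepmSet.Add($_) }

    [pscustomobject]@{
        # In AD but unknown to SEPM: unmanaged, or still pointed at the old SEPM
        MissingFromSepm = @($ad   | Where-Object { -not $sepmSet.Contains($_) })
        # In SEPM but not in AD: stale client records or non-domain machines
        NotInAd         = @($sepm | Where-Object { -not $adSet.Contains($_) })
    }
}

# --- constructed sample input; these are not real hosts ---
$adSample   = @('WS-0001$', 'WS-0002$', 'LT-0101$', 'SRV-DB01$', 'SRV-FILE01$')
$sepmSample = @('ws-0001.corp.example', 'LT-0101', 'srv-db01', 'KIOSK-07')

$result = Compare-AdToSepm -AdComputers $adSample -SepmClients $sepmSample
'Domain computers not reporting to SEPM:'
$result.MissingFromSepm | ForEach-Object { "  $_" }
'SEPM clients with no matching AD computer account:'
$result.NotInAd | ForEach-Object { "  $_" }

# Live run (assumes the ActiveDirectory module and a client list exported from the
# SEPM console to CSV; the 'Computer Name' column header is an assumption, so
# adjust it to match your export):
#   $adLive   = Get-ADComputer -Filter { Enabled -eq $true } | Select-Object -ExpandProperty Name
#   $sepmLive = Import-Csv .\sepm-clients.csv | Select-Object -ExpandProperty 'Computer Name'
#   Compare-AdToSepm -AdComputers $adLive -SepmClients $sepmLive
```

Restricting the AD side to enabled accounts keeps decommissioned machines out of the "missing" list; the reverse list (in SEPM but not in AD) is worth a look too, since after a rebuild it is where stale client records and non-domain machines show up.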



  • 9.  RE: Help me understand client how Groups & Importing AD OUs work together

    Posted Feb 02, 2012 11:28 AM

    Thanks, that's basically the same conclusion I've come to, I was just hoping I was missing something.

    I had tried using the unmanaged detector option a couple of years ago, and as I recall it ended up being more trouble than it was worth.  Details are foggy, but I believe it was including our routers, network appliances, etc in the list of unmanaged clients, and some of those devices were actually seeing the scans from the unmanaged detectors as attacks.  



  • 10.  RE: Help me understand client how Groups & Importing AD OUs work together

    Posted Feb 02, 2012 11:33 AM

    ...options have improved slightly.  It's not much, but you can now configure the unmanaged detectors to omit certain IP addresses.

    Also, it's odd that they were previously picked up as attacks, as the unmanaged detectors are meant to work passively.  They just sit there listening for ARP traffic (which is why you need one per broadcast domain), and should not actively initiate connections to machines.
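    The two points in the reply above (the detector only listens to ARP on its own segment, and addresses such as routers can be excluded) can be shown with a small model. The PowerShell below is an added example and is not Symantec's detector code: it parses raw Ethernet/ARP frames, records each sender MAC and IP it hears, and reports senders that are neither a known SEP client nor on the exclusion list. All frames and addresses are constructed in memory; the function and parameter names are the example's own.

```powershell
# Added example (not Symantec's code): a minimal model of a passive unmanaged
# detector. It never sends anything; it only reads the sender fields of ARP
# frames, which is why a real detector can only see its own broadcast domain.

function ConvertFrom-ArpFrame {
    param([Parameter(Mandatory)][byte[]]$Frame)
    # Ethernet header is 14 bytes; an IPv4-over-Ethernet ARP body is 28 bytes.
    if ($Frame.Length -lt 42) { return $null }
    $etherType = ([int]$Frame[12] -shl 8) -bor [int]$Frame[13]
    if ($etherType -ne 0x0806) { return $null }                       # not ARP
    $protoType = ([int]$Frame[16] -shl 8) -bor [int]$Frame[17]
    if ($protoType -ne 0x0800 -or $Frame[18] -ne 6 -or $Frame[19] -ne 4) { return $null }
    $oper = ([int]$Frame[20] -shl 8) -bor [int]$Frame[21]            # 1 = request, 2 = reply
    $sha  = ($Frame[22..27] | ForEach-Object { $_.ToString('X2') }) -join ':'
    $spa  = ($Frame[28..31] | ForEach-Object { [string]$_ }) -join '.'
    New-Object PSObject -Property @{ Operation = $oper; SenderMac = $sha; SenderIp = $spa }
}

function Find-UnknownArpSenders {
    param(
        [Parameter(Mandatory)][object[]]$Frames,
        [string[]]$KnownIps    = @(),   # addresses of clients SEPM already manages
        [string[]]$ExcludedIps = @()    # routers, appliances: the omit list SEP 12.1 allows
    )
    $seen = @{}
    foreach ($frame in $Frames) {
        $arp = ConvertFrom-ArpFrame -Frame ([byte[]]$frame)
        if ($null -eq $arp) { continue }
        if ($arp.SenderIp -eq '0.0.0.0') { continue }   # ARP probe: no address claimed yet
        $seen[$arp.SenderIp] = $arp.SenderMac
    }
    @($seen.Keys | Sort-Object | Where-Object {
        ($KnownIps -notcontains $_) -and ($ExcludedIps -notcontains $_)
    } | ForEach-Object { New-Object PSObject -Property @{ Ip = $_; Mac = $seen[$_] } })
}

# Builds a broadcast ARP request as a host would send it (constructed test data only).
function New-ArpRequestFrame {
    param([string]$SenderMac, [string]$SenderIp, [string]$TargetIp)
    $mac = [byte[]]($SenderMac.Split(':') | ForEach-Object { [Convert]::ToByte($_, 16) })
    $spa = [byte[]]($SenderIp.Split('.')  | ForEach-Object { [Convert]::ToByte($_) })
    $tpa = [byte[]]($TargetIp.Split('.')  | ForEach-Object { [Convert]::ToByte($_) })
    [byte[]]( @(0xFF,0xFF,0xFF,0xFF,0xFF,0xFF) + $mac + @(0x08,0x06) +
              @(0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01) +
              $mac + $spa + @(0,0,0,0,0,0) + $tpa )
}

# --- constructed frames; none of these addresses are real ---
$frames = @(
    (New-ArpRequestFrame '00:11:22:33:44:01' '10.0.5.10' '10.0.5.1'),   # known SEP client
    (New-ArpRequestFrame '00:11:22:33:44:02' '10.0.5.11' '10.0.5.1'),   # unmanaged PC
    (New-ArpRequestFrame '00:11:22:33:44:FE' '10.0.5.1'  '10.0.5.11'),  # router, excluded
    (New-ArpRequestFrame '00:11:22:33:44:03' '0.0.0.0'   '10.0.5.12')   # probe, ignored
)
Find-UnknownArpSenders -Frames $frames -KnownIps @('10.0.5.10') -ExcludedIps @('10.0.5.1')
```

Because the model only records what it hears, a host on another VLAN never appears, which is the reason for one detector per broadcast domain; and because it reads sender fields rather than sending probes, nothing here would register on a router or appliance as a scan.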



  • 11.  RE: Help me understand client how Groups & Importing AD OUs work together

    Posted Feb 02, 2012 11:35 AM

    I may be mis-remembering, hard to say.  I may give it a try again and see if I have any better results. 



  • 12.  RE: Help me understand client how Groups & Importing AD OUs work together

    Broadcom Employee
    Posted Feb 02, 2012 11:51 AM

    Hi,

    Attaching screenshot for same.



  • 13.  RE: Help me understand client how Groups & Importing AD OUs work together

    Posted Feb 02, 2012 11:55 AM

    Also, a "thumbs up" to any useful posts is appreciated.



  • 14.  RE: Help me understand client how Groups & Importing AD OUs work together

    Posted Feb 02, 2012 12:12 PM

    I don't think you understand the issue.  In your screenshot, let's say Test and Test1 were imported OU's, instead of groups.  There are no sub-OU's under them.  I need half of the computers in TEST to have one policy, and half to have a different policy.  That's where copying the clients to a group seemed necessary.  I'm afraid the OU import method isn't going to work out for my needs.  Oh well, back to doing it the hard way...



  • 15.  RE: Help me understand client how Groups & Importing AD OUs work together

    Broadcom Employee
    Posted Feb 02, 2012 12:18 PM

    Hi Gaj-jin,

    I think I have understood your issue.

    I am just sharing location of policy inheritance.

    Why don't you test by importing OU's in SEPM? You can remove AD synchronization at any time if it doesn't work as per your business requirement.