Unfortunately, support's best recommendation for my recent issues were to remove and reinstall SEPM, without restoring a DB backup. Again. (2nd time since 12.1 RU1 was released in late november.) So while I'm working on rebuilding policies and the group structure for clients, I wanted to take another look at the option to import from AD.
From what I'm seeing, it looks like I can tell symantec to import OU's from AD and it will bring over all of my computer accounts. It takes any clients that SEP already knows about out of the groups they were in, since they are now in the imported OU. Then I have an option to copy clients from the OU to groups. That would allow me to apply SEP policies in a different way than I apply GPO's, by applying the SEP policies to the groups and structuring those groups differently than OU. So far so good?
Now, my confusion comes in when I realize that it doesn't move the client from the OU to the group, but it does seem to disable the OU copy. (The client in the OU shows offline, while the one in the Group shows online.) And, I see in the help files that this will actually cause SEP to think 2 licenses are used for the one client, since it shows up twice. Is it not recommended to import AD OU's and copy the clients to groups?
I was hoping that by importing the AD OU's it would help with finding clients that don't have SEP installed, or that have SEP but aren't communicating with the newly rebuilt server because they didn't get updated by sylink replacer for some reason. It seems like this isn't likely to be helpful though, since once I copy a client to a group (for the purpose of applying different policies) it goes offline in the OU list, so I can't really tell if a domain computer actually is offline or if it's just in another group and showing offline in the OU.
How do others manage the group structure? We've always used just groups, and always managed clients by computer, not by user. I don't think we want to switch to managing by user, but I'm open to other suggestions for change.