Endpoint Protection

  • 1.  Move client from group to Active Directory

    Posted Mar 05, 2009 11:02 AM

    Is there any way to do this?

    Here is my situation: I have a few groups and 1 Active Directory domain added in the clients section. It looks like this:

    My Company

      -Default Group

      -Test Group

      -AD_Domain

          -Computers

          -Domain Controllers

     

    I have 1 computer that is a member of my AD_Domain, but is installed in Test Group. Computer account is in "Computers" OU, but it receives policy from "Test Group". So far to solve this problem I tried:

    1. dropping sylink.xml - did not work

    2. deinstalling client and then installing client with sylink.xml pointing to AD-Domain/Computers OU - did not work, computer showed up in Test group again

    3. deinstalling client, deleting client from SEP manager, deleting Test Group and then installing client with sylink.xml pointing to AD-Domain/Computers OU - did not work, computer showed up in Default group??

    Help please.

     



  • 2.  RE: Move client from group to Active Directory

    Posted Mar 05, 2009 11:30 AM

    I do not think it is possible to move a computer into the "AD" groups.

     

    If I am wrong (which could very well be) have you tried selecting the computer in the 'clients' view and selecting 'move clients' from task options?



  • 3.  RE: Move client from group to Active Directory

    Posted Mar 05, 2009 11:33 AM

    I was not talking about the "move" operation defined in the manual. Let's use the term "migrate", shall we?



  • 4.  RE: Move client from group to Active Directory

    Posted Mar 09, 2009 01:59 PM

    If I look at the client computer object in "test" group and check properties->clients tab, client software version is 11.0.4000.2295, but if I look at the client computer object in "Computers" OU, it is listed as offline and shows 11.0.2000.1567 client software version? Also, those 2 computer objects that represent the same physical machine have different "Unique ID" property.

     

    So I guess this problem might have happened after client upgrade. Any feedback would be appreciated.



  • 5.  RE: Move client from group to Active Directory

    Posted Mar 10, 2009 02:11 PM

    I've had this sort of thing happen before; in SEPM delete the objects from the test groups, then go back to where it should be and right-click, "Synch Now".



  • 6.  RE: Move client from group to Active Directory

    Posted Mar 11, 2009 10:20 AM

    THX



  • 7.  RE: Move client from group to Active Directory

    Posted Mar 18, 2009 07:36 AM

    I had the same problem and this works! THX



  • 8.  RE: Move client from group to Active Directory
    Best Answer

    Posted Mar 18, 2009 10:36 AM

    Here's what I found works with computers in SEPM's Active Directory OUs: You must move the computer out of the entire OU scope, sync, move it back into the OU, sync again, and the computer now has a "new" object of the same name in the SEPM database. You then sylink drop it.

    Steps:

    1) SEPM Console: Delete the computer from your Group if possible. If the computer is in an OU, you cannot delete it. You then have to move it.

    2) Although you cannot add/change/remove computers from the OUs using the SEPM Console, you can with "Active Directory Users and Computers." Move (do not delete) the computer into an OU not in SEPM Console scope (this is a temporary step in AD. You're not deleting the AD computer object, just moving it back and forth so SEPM picks it up).

    3) SEPM Console: sync now the OUs (the computer will disappear in SEPM under your OUs because it's not there anymore, you moved it in step #2. Note: if you have more than 1 domain controller, you may have to wait for replication before the SEPM server notices the move).

    4) Active Directory Users and Computers: move computer back into your OU scoped in SEPM. Wait for replication if needed.

    5) SEPM Console: sync now the OUs again (it now should show up new in SEPM clients)

    6) SEPM Console: Make NEW sylink.xml file for the OU. You will use this in the next step.

    7) Client: sylink drop your computer with the new sylink.xml file. You should get a green dot in the console and client.

    Works every time.  You may see the older computer by the same name show up in database, not checking in and it will take its sweet time to fall off.  That's a whole different problem well documented here.
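
    The Active Directory side of the answer above (steps 2 and 4, plus the replication wait mentioned in step 3) can be scripted. This is an added example, not part of the original post or any Symantec tooling. It assumes the ActiveDirectory PowerShell module; the computer name, both OU distinguished names and the function name `Move-ComputerAndWait` are constructed placeholders. The SEPM console sync steps remain manual.

```powershell
#Requires -Modules ActiveDirectory
# Constructed placeholders (not from the thread): replace with your own values.
$ComputerName = 'PC-EXAMPLE01'
$SepmScopedOU = 'OU=Computers,DC=example,DC=local'      # OU that SEPM synchronizes
$ParkingOU    = 'OU=SEPM-Parking,DC=example,DC=local'   # OU outside SEPM's sync scope

function Move-ComputerAndWait {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetPath,
        [int]$TimeoutSeconds = 900
    )
    $computer = Get-ADComputer -Identity $Name -ErrorAction Stop
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetPath
    $expectedDn = "CN=$($computer.Name),$TargetPath"

    # Poll every domain controller until all of them report the new location,
    # so the SEPM server sees the move no matter which DC it queries.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $pending = foreach ($dc in Get-ADDomainController -Filter *) {
            try {
                $seen = Get-ADComputer -Identity $Name -Server $dc.HostName -ErrorAction Stop
                if ($seen.DistinguishedName -ne $expectedDn) { $dc.HostName }
            } catch {
                $dc.HostName   # DC unreachable or object not readable yet
            }
        }
        if (-not $pending) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Move not yet visible on: $($pending -join ', ')"
    return $false
}

# Step 2: park the computer outside SEPM scope and wait for replication.
if (Move-ComputerAndWait -Name $ComputerName -TargetPath $ParkingOU) {
    $null = Read-Host 'Step 3: sync the OUs in the SEPM console, then press Enter'
    # Step 4: move it back; once replicated, sync again in SEPM (step 5).
    if (Move-ComputerAndWait -Name $ComputerName -TargetPath $SepmScopedOU) {
        Write-Host 'Replicated. Continue with steps 5 to 7 in SEPM and on the client.'
    }
}
```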



  • 9.  RE: Move client from group to Active Directory

    Posted Jul 14, 2009 11:20 AM
    Wow, it worked, nice workaround, thanks a lot!

    This post has some helpful information about the same problem: www-secure.symantec.com/connect/forums/ad-integration-sep-groups-computers-moving-themselves-around
    It seems to be (kind of) solved on MR4 MP2