After deleting an OU in Symantec Endpoint Protection Manager (SEPM) and then re-importing it, the client appears in the Default group rather than the correct group.
OU members appear in the SEPM Default group rather than the imported OU group
There are 2 possible solutions for this issue.
These steps involve moving the affected client(s) within Active Directory (AD) to an OU that isn't synched within the SEPM structure. Once the client is moved in AD, the SEPM is synched again, at which point it notes that the client is "gone". The client is then moved back into the proper OU within AD, and the SEPM is synched a final time, which causes it to see the client as a "new" machine and treat it correctly.
1) In SEPM, click Clients, then Default Group, then the Clients tab to display the clients.
2) Move the listed clients in AD to the temporary OU.
3) Right-click each client in the SEPM and choose Delete. If there are multiple clients to delete, you can use Shift+Click or Ctrl+Click to select multiple computers.
Note: It may not be possible to delete the client in step 3 while the SEPM is still synched with AD. If you are unable to remove some or all of the clients, continue to step 4, then verify that they are removed (or can be deleted) after synching in step 4.
4) Right-click the group(s) the affected clients should be in and choose Sync Now, then do the same for the Default Group.
5) Move the affected clients back into the proper OUs in AD.
6) Repeat step 4. This will tell the SEPM that these clients are present, so when they check in they will be accepted.
7) Use the SylinkDrop tool to establish communications between the client and the server. For information on how to obtain and use this tool, refer to: Restoring client-server communication settings by using the SylinkDrop tool
1) Log the computer off the domain.
2) Delete the computer object in the Active Directory OU.
3) In the SEPM, click Clients, then right-click My Company and choose Sync Now.
4) Add the computer object in Active Directory, under the correct OU.
5) Repeat step 3.
6) Use the SylinkDrop tool to establish communications between the client and the server. For information on how to obtain and use this tool, refer to:
Restoring client-server communication settings by using the SylinkDrop tool
The SEPM must be successfully synched to AD before any clients are installed. The client listing for the computer must exist in the desired SEPM group before it can register there.
Check the exported server_report from the SEPM to see if there are any LDAP errors:
01/10/2009 12:29:57,800,Organization importing failed,Thu Oct 01 12:29:57 BST 2009 10/1/09 12:29 PM LDAP Authentication Failed [path=LDAP://servername.domainname.ext:389, user=administrator] (error code:19, 0x13),,,,servername,Site sitename
01/10/2009 12:29:57,800,Organization importing started,10/1/09 12:29 PM Organization importing started,,,,servername,Site sitename
LDAP failures like this mean that the sync was not successful. If the computer object exists in the AD OU, but that OU has not been successfully synched with the SEPM, then it does not matter what the client is requesting as its "PreferredGroup" during registration. The new SEP client will always be placed in the SEPM's default group.
To generate the report referenced above via the SEPM, go to Monitors, choose Logs, then choose System for the 'Log type' dropdown and Server Activity for the 'Log content' dropdown.
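One way to check an exported server_report for failed directory imports before installing or re-registering clients. This is an added example, not Symantec code; the column layout (timestamp, event ID, event name, message) is an assumption inferred from the two sample lines above, and the function names are hypothetical.

```python
import re

# Message text of a failed import, matching the sample line in this article.
LDAP_FAIL = re.compile(
    r"\[path=(?P<path>[^,\]]+), user=(?P<user>[^\]]+)\] "
    r"\(error code:(?P<code>\d+)"
)

def find_import_failures(lines):
    """Return one dict per 'Organization importing failed' event."""
    failures = []
    for line in lines:
        # The message column contains unquoted commas, so a CSV parser would
        # split it apart. Peel off only the first three columns instead.
        parts = line.rstrip("\n").split(",", 3)
        if len(parts) < 4 or parts[2] != "Organization importing failed":
            continue
        timestamp, _event_id, _event, message = parts
        m = LDAP_FAIL.search(message)
        failures.append({
            "timestamp": timestamp,
            "path": m.group("path") if m else None,
            "user": m.group("user") if m else None,
            "error_code": int(m.group("code")) if m else None,
        })
    return failures

def unsynced_paths(lines):
    """LDAP paths with at least one failed import in the report."""
    return {f["path"] for f in find_import_failures(lines) if f["path"]}

# The two log lines quoted in this article, used as sample input.
SAMPLE = [
    "01/10/2009 12:29:57,800,Organization importing failed,Thu Oct 01 "
    "12:29:57 BST 2009 10/1/09 12:29 PM LDAP Authentication Failed "
    "[path=LDAP://servername.domainname.ext:389, user=administrator] "
    "(error code:19, 0x13),,,,servername,Site sitename",
    "01/10/2009 12:29:57,800,Organization importing started,10/1/09 12:29 PM "
    "Organization importing started,,,,servername,Site sitename",
]

if __name__ == "__main__":
    for f in find_import_failures(SAMPLE):
        print("{timestamp}  {path}  user={user}  code={error_code}".format(**f))
```

Any path this reports belongs to a directory sync that did not complete, so clients from that OU will register in the Default group until a later sync succeeds.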