Managed Symantec Endpoint Protection (SEP) Client appears in Default Group instead of Active Directory Organizational Unit (OU) in the Symantec Endpoint Protection Manager (SEPM)

Article ID: 177890

Updated On:

Products

Endpoint Protection

Issue/Introduction

Why, after deleting the OU in SEPM and then re-importing, does the client appear in the default group, rather than the correct group in SEPM?

Symptoms
  • OU members appear in the SEPM Default Group rather than in the imported OU group
  • Only one computer reports to the Default Group while all the others report to the imported OU group


Resolution

There are two possible solutions for this issue.
  • Move the computer out of the OU, sync, move the client back into the proper OU and sync again, thus creating a "new" object for the SEPM to manage

These steps involve moving the affected client(s) within Active Directory (AD) to an OU that isn't synched within the SEPM structure. Once the client is moved in AD, the SEPM is synched again, at which point it notes that the client is "gone". The client is then moved back into the proper OU within AD, and the SEPM is synched a final time, which causes it to see the client as a "new" machine and treat it correctly.

1) In SEPM, click Clients, then Default Group, then the Clients tab to display the clients.
2) Move the listed clients in AD to the temporary OU.
3) Right click each client in the SEPM and choose delete. If there are multiple clients to do, you can use Shift+Click or Ctrl+Click to select multiple computers.

Note: It may not be possible to delete the client in step 3 while the SEPM is still synched with AD. If you are unable to remove some or all of the clients, continue to step 4, then verify that they are removed (or can be deleted) after synching in step 4.

4) Right click on the group(s) the affected clients should be in and choose Sync Now, as well as synching the Default Group.
5) Move the affected clients back into the proper OUs in AD.
6) Repeat step 4. This will tell the SEPM that these clients are present, so when they check in they will be accepted.
7) Use the Sylink Drop tool to establish communications between the client and the server. For information on how to obtain and use this tool, click on this link:

Title: 'How to change a Symantec Endpoint Protection client from unmanaged to managed in MR3 and above using the Sylink Drop utility'
Document ID: 2009030314365748
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009030314365748?Open&seg=ent

  • Remove the client from the domain then add it back, thus creating a "new" object for the SEPM to manage
1) Log the computer off the domain.
2) Delete the computer object in the Active Directory OU.
3) In the SEPM click Clients, then right click My Company and choose Sync Now.
4) Add the computer object in Active Directory, under the correct OU.
5) Repeat step 3.
6) Use the Sylink Drop tool to establish communications between the client and the server. For information on how to obtain and use this tool, click on this link:

Title: 'How to change a Symantec Endpoint Protection client from unmanaged to managed in MR3 and above using the Sylink Drop utility'
Document ID: 2009030314365748
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009030314365748?Open&seg=ent

Technical Information
The SEPM must be successfully synched to AD before any clients are installed. The client listing for the computer must exist in the desired SEPM group before it can register there.


Check the exported server_report from the SEPM to see if there are any LDAP errors:

    01/10/2009 12:29:57,800,Organization importing failed,Thu Oct 01 12:29:57 BST 2009 10/1/09 12:29 PM LDAP Authentication Failed [path=LDAP://servername.domainname.ext:389, user=administrator] (error code:19, 0x13),,,,servername,Site sitename
    ....
    01/10/2009 12:29:57,800,Organization importing started,10/1/09 12:29 PM Organization importing started,,,,servername,Site sitename

LDAP failures like this mean that the sync was not successful. If the computer object exists in the AD OU, but that OU has not been successfully synched with the SEPM, then it does not matter what the client is requesting as its "PreferredGroup" during registration. The new SEP client will always be placed in the SEPM's default group.

To generate the report referenced above via the SEPM, go to Monitors, choose Logs, then choose System for the 'Log type' dropdown and Server Activity for the 'Log content' dropdown.
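The LDAP check above can be automated over the exported server_report. The following Python script is an added example, not part of this article or of any Symantec tool; it parses the comma-separated export shape quoted above (where the description column itself contains commas) and pulls out the LDAP path, user and error code from each "Organization importing failed" event. The sample lines are constructed from the excerpt in this article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the server_report excerpt quoted in this article.
# The description column contains commas ("[path=..., user=...]", "(error code:19, 0x13)"),
# so a plain split(",") would misalign the trailing server/site columns.
SAMPLE_REPORT = """\
01/10/2009 12:29:57,800,Organization importing started,10/1/09 12:29 PM Organization importing started,,,,servername,Site sitename
01/10/2009 12:29:57,800,Organization importing failed,Thu Oct 01 12:29:57 BST 2009 10/1/09 12:29 PM LDAP Authentication Failed [path=LDAP://servername.domainname.ext:389, user=administrator] (error code:19, 0x13),,,,servername,Site sitename
"""

@dataclass
class ReportEvent:
    timestamp: str
    severity: str
    event: str
    description: str
    server: str
    site: str

@dataclass
class LdapFailure:
    timestamp: str
    path: Optional[str]
    user: Optional[str]
    error_code: Optional[int]

def parse_server_report(text: str) -> List[ReportEvent]:
    """Split each export line into columns without breaking on commas inside the description."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The first three columns never contain commas; the description is followed by
        # exactly five more commas (four empty columns, then server, then site).
        timestamp, severity, event, rest = line.split(",", 3)
        parts = rest.rsplit(",", 5)
        if len(parts) != 6:
            raise ValueError(f"unexpected column layout: {line!r}")
        events.append(ReportEvent(timestamp, severity, event, parts[0], parts[4], parts[5]))
    return events

LDAP_RE = re.compile(r"LDAP Authentication Failed \[path=(?P<path>[^,\]]+), user=(?P<user>[^\]]+)\]"
                     r".*?error code:(?P<code>\d+)")

def find_ldap_failures(events: List[ReportEvent]) -> List[LdapFailure]:
    """Return every failed organization import, with LDAP bind details when the message carries them."""
    failures = []
    for ev in events:
        if ev.event != "Organization importing failed":
            continue
        m = LDAP_RE.search(ev.description)
        failures.append(LdapFailure(ev.timestamp, m["path"], m["user"], int(m["code"])) if m
                        else LdapFailure(ev.timestamp, None, None, None))
    return failures

def report_shows_failed_sync(events: List[ReportEvent]) -> bool:
    """Any failed import means the OU was not synched, so new clients will land in the Default Group."""
    return bool(find_ldap_failures(events))
```

Run it against a real export by reading the file into `parse_server_report`; an LDAP bind failure for the OU's directory server is the condition that sends new clients to the Default Group regardless of their requested PreferredGroup.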
