Thanks for responding.. Could you please clarify if you the following scheduled task ‘Inactive Agent Cleanup Task’ is enabled?
If so, could you please provide the settings.
If the machine is deleted from ePO:
Ok, that rules that one out...
What is the frequency that the users are being removed from the machine ?
Could you please send me your orion.log file in a private message and I will have a look at it for you. I may now see anything, as the orion.log files are rolled over.
Have you opened a support ticket for this issue, if so could you please send that to me in a private message as well..
The users are removed at random. Like I said, I had this occur 3 times over the past month to 3 separate users (1 time per user). So its not an everyday thing and is not affecting the same user, at least not yet.
Where is the orion log located?Message was edited by: jsiergiej on 5/26/11 7:27:00 AM CDT
The orion.log is on the ser ver under <ePO installed folder>\server\logs.
Sorry one more question.. The users that are being removed, were they added as part of a LDAP OU/GROUP with recursion ?
We think we have this issue figured out, at least in our environment. It is related to the laptop computer object in EPO having the same MAC address as another laptop, because the agent at one time was installed while connected to the VPN (where clients may share the same MAC address). It will keep clobbering the user assignment on an EPO machine object, creating this problem.
McAfee Agent 4.6 (I added this because the tech did say it's an issue in 4.6 as well)
McAfee Agent 4.5
McAfee Agent 4.0
McAfee ePolicy Orchestrator 4.x
For details of all supported operating systems, see KB51109.
When a new computer is added to the ePolicy Orchestrator (ePO) tree another computer disappears.
The common factor is that this happens with computers that connect via a Virtual Private Network (VPN).
This problem will be encountered only when the first connection from a client computer to the ePO server takes place over a VPN connection. If the computer's first connection is via a Local Area Network (LAN), the correct Media Access Control (MAC) address is added to the table.
When a computer communicates with the ePO server via VPN, it uses the VPN virtual computer's MAC address and not its own actual MAC address. This VPN MAC address is usually the same for all computers connecting through the VPN.
This issue is not restricted only to VPN clients. Anything that could cause multiple computers to report the same MAC could cause this problem. For example, if you clone a virtual machine and do not reset the MAC address, both computers would report the same MAC address to ePO.
To avoid this issue, when adding a new computer to ePO Server, ensure that the first connection occurs via a LAN and not via VPN.
To resolve the issue if the computers have already connected via a VPN, create a new entry in the ePOVirtualMacVendor table with the Organization Unique Identifier (OUI) which is part of the VPN MAC address.
Step 1 - Determine the VPN MAC address to add to the ePO VendorID field.
The best way to obtain the VPN MAC address is to identify a computer that has connected to the ePO Server for the first time via VPN and removed the previous computer.
If you are unable to identify a computer using the virtual MAC, you can author a report to identify the computers:
You should have a list of MAC addresses with a count of the number of systems reporting that MAC address. Ideally it would be a 1-to-1 ratio. If you have more than 1 system sharing the same MAC address, then that is probably your issue.
Step 2 - Modify the SQL script to add the computer to the tree.
NOTE: See KB56429 for how to run SQL scripts provided by McAfee Support using OSQL for ePO.
Use the SQL command syntax below to add the computer to the tree:
INSERT INTO ePOVirtualMacVendor (VendorID) values ('######')
Where: ###### is the first 6 digits of the VPN MAC address collected from the client.
Example: For a system with 00123F as the first six digits of the MAC address obtained in Step 1:
INSERT INTO ePOVirtualMacVendor (VendorID) values ('00123F')
on 8/10/11 2:50:44 PM CDTMessage was edited by: rmnetops on 9/9/11 1:39:16 PM CDT