
Pros and Cons between AD/ePO Policy Assignments

Hello everyone,

We are about to let our customer know the pros and cons between administering policies with AD management or manually from ePO in order to restrict computers from using devices with McAfee Device Control, and we need to gather some info.

Ideas? Thank you.

Tomas Correa.

4 Replies

Re: Pros and Cons between AD/ePO Policy Assignments

This depends on what you need but this can help:

Do you need a specific computer to never have a USB device connected by anyone, or do you need a specific user not to use USB devices on any computer?

For the first option you'll need a computer-based policy, and for the second option you need a user-based policy.


Re: Pros and Cons between AD/ePO Policy Assignments

Hello Las, thanks for paying attention to my question.

Well, the main question is: what can be won/lost by administering policies from ePO, adding the machines manually, and what can be won/lost by adding the machines automatically with an Active Directory sync?

When you say "and for the second option ('a specific user not to use USB devices on any computer') you need user-based policy", is that possible without syncing ePO with AD?


Tomas Correa.


Re: Pros and Cons between AD/ePO Policy Assignments

Hi Tomas,

There are two different things.

The first one is that there's no difference between adding computers manually or by an AD sync; it only creates computer objects under the System Tree, so it's up to you how you want to add them. If your AD computer groups are up-to-date then an AD sync will add all your computers (if you want to), so you know you are managing all of them.

The second thing is the user policy assignment. This one can only be achieved by defining an AD server under Registered Servers and an automated server task that will cache AD users (if I'm right) periodically. The example I posted before was just to make you understand that if (for example) I don't want Mr. Smith to connect a pendrive on a computer then I usually don't want him to connect a pendrive to ANY computer, and that's why I need to create a user-based policy instead of a computer-based policy.

Edit: For products like VirusScan (for example) you won't usually need a user-based policy but a computer-based policy.

Message was edited by: ulyses31 on 4/10/13 11:25:46 CEST

Re: Pros and Cons between AD/ePO Policy Assignments

Hello Tomas!

We use AD synch for our computer objects and also synch the OU. When you have a lot of computers and a distributed organization, it makes management a lot easier.

One plus of synching from AD is the ability to know about computers before they are managed in ePO. You could potentially push the agent to those unmanaged devices.
