Re-sync AD

I have inherited an ePO environment and it's a bit of an organizational mess. I want to recreate it so that it is more like our AD structure. There are some OUs that are synced, others not. I really only need to sync two OUs from AD. If I create two new OUs in ePO and sync them back to the two roots and structures I want from AD, will it move machines into the new directories? Will I need to perform some form of dedupe of the machines?
1 Solution

Accepted Solutions
cdinet
McAfee Employee
Message 4 of 4

Re: Re-sync AD


Depending on your environment, there are some things to consider.

Do you have policies applied to critical systems that might get wrong policies if you do this?

I would suggest this - Set up a new group under the My Org level and set up your new sync settings there, and remove other sync points elsewhere in the system tree. I would also suggest enabling "delete systems from the system tree that no longer exist in Active Directory", but don't enable "remove agent from the deleted systems". If the systems no longer exist, they will never get the uninstall command. If they do exist, they should check back into ePO and then you can see where they were possibly missed in the AD groups you synced.

Any systems that might lose critical policies, create a tag for them and assign the policies based on policy assignment rules for those tags, so no matter where the systems move to in the system tree, they will retain their policies. Make sure all the appropriate policies and tasks are inherited from My Organization so when systems are moved, all your other systems have the right tasks and policies. If they were all set up originally from My Org, then that will already be set OK.

Once you set up your sync the way you want, you can then set the option to move systems from their current system tree location to the synchronized group.

After the sync, you can check the system tree for any issues, then delete your other directories to clean up the system tree structure.


3 Replies

Re: Re-sync AD

So I would sync at the Root; however, exclude containers (OUs) you don't want, then ensure "Sync machines to correct OU" is set. This way it will move the machines to the correct area in ePO, therefore keeping them in policy.

Does this help?

andrep1
Reliable Contributor
Message 3 of 4

Re: Re-sync AD

Yes, you can set it up to move the machines as you sync. If you do two syncs from two locations, I'm not sure it is wise to set up the sync to delete devices during sync. Something to test on your side.
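The plan in this thread (a single sync point with "move systems to the synchronized group", "delete systems no longer in AD" enabled, and the caution that two sync points make deletion risky) can be dry-run before anything is changed in ePO. The script below is an added example, not McAfee's code and not an ePO API call: it takes two constructed inputs, the computer names under each AD OU you intend to sync (in practice you would pull these from AD, for example with Get-ADComputer) and a constructed list of current ePO System Tree rows, and reports what the sync would move, what it would delete, which names are already duplicated in ePO, and which computers two sync points would both claim. The group paths, names and row layout are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample data (not a real ePO export). Computer names found under
# the two AD OUs to be synced, keyed by the ePO group that will be the sync
# point for each OU. WS-003 is deliberately listed under both to show a clash.
AD_SYNC_POINTS = {
    "My Organization/AD/Workstations": ["WS-001", "WS-002", "WS-003"],
    "My Organization/AD/Servers": ["SRV-DB01", "SRV-WEB01", "WS-003"],
}

# Constructed sample of the current ePO System Tree: (system name, group path).
EPO_SYSTEMS = [
    ("WS-001", "My Organization/Legacy/Desktops"),
    ("WS-002", "My Organization/Legacy/Desktops"),
    ("ws-002", "My Organization/Lost and Found"),    # same machine, case differs
    ("SRV-DB01", "My Organization/Old Servers"),
    ("OLD-PC7", "My Organization/Legacy/Desktops"),  # exists in ePO only
]


def plan_resync(sync_points, epo_systems):
    """Predict what an AD sync with 'move systems' and 'delete systems that no
    longer exist in AD' would do. Names are compared case-insensitively,
    since AD computer names are not case-sensitive."""
    # name -> list of sync groups whose OU contains that computer
    ad_target = {}
    for group, names in sync_points.items():
        for name in names:
            ad_target.setdefault(name.upper(), []).append(group)

    # name -> list of ePO groups the name currently sits in (duplicates show up here)
    epo_groups = {}
    for name, group in epo_systems:
        epo_groups.setdefault(name.upper(), []).append(group)
    epo_counts = Counter(name.upper() for name, _ in epo_systems)

    duplicates_in_epo = sorted(n for n, c in epo_counts.items() if c > 1)
    claimed_twice = sorted(n for n, g in ad_target.items() if len(g) > 1)
    # Records that would be removed by the 'delete systems not in AD' option
    would_be_deleted = sorted(set(epo_groups) - set(ad_target))
    # AD computers with no ePO record at all (no agent checked in yet)
    missing_from_epo = sorted(set(ad_target) - set(epo_groups))
    # Systems that would be relocated to their sync group (single claim only)
    moves = {
        n: ad_target[n][0]
        for n in sorted(set(ad_target) & set(epo_groups))
        if len(ad_target[n]) == 1 and epo_groups[n] != [ad_target[n][0]]
    }
    return {
        "duplicates_in_epo": duplicates_in_epo,
        "claimed_by_two_sync_points": claimed_twice,
        "would_be_deleted": would_be_deleted,
        "missing_from_epo": missing_from_epo,
        "moves": moves,
    }


if __name__ == "__main__":
    report = plan_resync(AD_SYNC_POINTS, EPO_SYSTEMS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Anything listed under "would_be_deleted" is what the deletion option would remove, so review that list before enabling it; "claimed_by_two_sync_points" is the case the second reply warns about, where two syncs each think the machine belongs in their group. Duplicates in ePO are resolved by the move, since both records carry the same name, but they are worth reviewing so that the surviving record keeps the tags that drive policy assignment rules.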

