a2wa2
Level 8
Message 1 of 19

how to sync active directory with EPO


hello

I would like to synchronize my Active Directory with ePO, but I don't know what I should do. The other question is whether syncing AD with ePO has any impact: for instance, when we delete one endpoint from ePO, or the reverse, does it get deleted from Active Directory too?

1 Solution

Accepted Solutions
kabi
Level 9
Message 2 of 19

Re: how to sync active directory with EPO


In the System Tree module, select a group and click the Group Details tab

Next to Synchronization type, click Edit

Synchronization Type

  • Select Active Directory

Synchronize

  • If your AD OU structure will work for your EPO group structure, select Systems and container structure. This is the easiest method and simplifies the Containers section below.
  • If not, select Systems only

Systems that exist elsewhere in the System Tree

  • I recommend selecting Move systems from their current System Tree location to the synchronized group

Active Directory domain

  • Select your registered LDAP server. If you don't have one defined, click Cancel and then open Menu/Configuration/Registered Servers to create it.
  • The other two Active Directory sections will be greyed out

Containers

  • If you chose to synchronize Systems and container structure, click Add Root and the distinguished name should appear (e.g. DC=mydomain,DC=local). My personal preference is to check the box Exclude empty containers.
  • If you chose to synchronize Systems only, either click Browse to select the container or enter the container's distinguished name and click Add (e.g. ou=Laptops,dc=mydomain,dc=local)

Exclusions

  • Add any applicable containers or computers. Typically, I've only specified something here when synchronizing Systems and container structure.

Push Agent

  • I typically don't use this, because you can't have multiple Push settings defined per OS. If you only have Windows systems, this feature works great. Just make sure the account you specify has rights to install software.

When systems are deleted from the synchronization point

  • I recommend reviewing which products you are using and plan to use, because with some products, deleting a McAfee system object will delete the corresponding product info. For example, deleting a McAfee system object will delete its recovery keys for Drive Encryption and Management of Native Encryption.
  • If you want full automation, select Delete the systems... This will delete the McAfee system object whenever an AD computer is deleted.
  • Note that deleting a McAfee system object will not delete the AD computer object.
  • Personally, I choose Leave the systems... because I want to control when a McAfee system object is deleted and I use DE and MNE.

Tags

  • Configure as you want. I've never used this.

Next, click Save.

Last steps are to create a Server Task which performs the Active Directory/NT Domain Synchronization.

Depending on your AD environment, the sync can take a while on its first run. The frequency of changes in your AD, how accurate you want EPO to be, and how long the AD sync takes will help determine the AD sync interval. You'll also want to monitor its impact on your DCs.
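Added example, not code from the thread or from ePO: a Python dry-run model of the choices listed above (container roots, exclusions, Systems only vs Systems and container structure, Move vs Leave, Delete vs Leave on deletion) so you can preview what a sync would do to an existing group before saving it. The DN handling, the group naming (a mirrored OU path such as mydomain/Laptops) and the sample computer objects are assumptions; ePO's real matching rules may differ in detail.

```python
# Constructed sample: three AD computer objects under two OUs of mydomain.local
SAMPLE_AD = ["cn=pc1,ou=Laptops,dc=mydomain,dc=local", "cn=pc2,ou=Laptops,dc=mydomain,dc=local",
             "cn=srv1,ou=Servers,dc=mydomain,dc=local"]

def dn_parts(dn):
    """Split a DN into RDNs, root first: 'ou=Laptops,dc=mydomain,dc=local' -> ['dc=local', 'dc=mydomain', 'ou=Laptops']."""
    return [part.strip() for part in dn.split(",")][::-1]

def is_under(dn, container):
    """True if dn sits strictly below container (LDAP DN comparison is case-insensitive)."""
    parent = [p.lower() for p in dn_parts(container)]
    child = [p.lower() for p in dn_parts(dn)]
    return len(child) > len(parent) and child[:len(parent)] == parent

def in_scope(computer_dn, roots, exclusions):
    """A computer is synced if it is under one of the container roots and not under any exclusion."""
    return any(is_under(computer_dn, r) for r in roots) and not any(is_under(computer_dn, x) for x in exclusions)

def target_group(computer_dn, root, sync_group, container_structure):
    """'Systems only' puts everything in sync_group; 'Systems and container structure' mirrors the OUs below root."""
    if not container_structure:
        return sync_group
    ous = dn_parts(computer_dn)[len(dn_parts(root)):-1]   # RDNs between the root and the computer's own CN
    return "/".join([sync_group] + [ou.split("=", 1)[1] for ou in ous])

def plan_sync(ad_computers, epo_systems, roots, exclusions, sync_group,
              container_structure, move_existing, delete_missing):
    """Return {system name: action} for one run; epo_systems maps name -> current System Tree group (assumed model)."""
    actions, seen = {}, set()
    for dn in ad_computers:
        if not in_scope(dn, roots, exclusions):
            continue
        name = dn_parts(dn)[-1].split("=", 1)[1]
        seen.add(name)
        root = next(r for r in roots if is_under(dn, r))
        target = target_group(dn, root, sync_group, container_structure)
        current = epo_systems.get(name)
        if current is None:
            actions[name] = f"import -> {target}"
        elif current == target:
            actions[name] = "unchanged"
        elif move_existing:
            actions[name] = f"move {current} -> {target}"
        else:
            actions[name] = f"leave in {current}"
    for name, group in epo_systems.items():   # systems in the synced group that the containers no longer return
        if name not in seen and group.split("/")[0] == sync_group:
            actions[name] = "delete ePO object (AD object untouched)" if delete_missing else "leave (not in synced containers)"
    return actions
```

Run plan_sync twice with the same AD data and different settings to see how Leave vs Move and Systems only vs container structure change the outcome for an already-populated group.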


18 Replies

a2wa2
Level 8
Message 3 of 19

Re: how to sync active directory with EPO


thanks

charaneval
Level 7
Message 4 of 19

Re: how to sync active directory with EPO


Hey Kabi,

First of all, thank you so much for your help by posting this knowledgeable article.

I have a question about the "Systems that exist elsewhere in the System Tree" option.

Let's say, for example, I have created a group named ManagedComputers in ePO, where I placed all the managed computers. I haven't integrated my AD until now; I just did manual installations on these machines so far.

Now I want to edit the group setting on the ManagedComputers group to sync with AD and choose the above option as "Leave systems in their current System Tree Location Only" instead of "Move systems from their current System Tree location to the synchronized group".

What happens if I choose "Leave systems in their current System Tree Location Only"? Will it break anything on already existing items in the ManagedComputers group?

Or will it only import the leftover or newly created objects from AD into this group?

Best regards

Ch

kabi
Level 9
Message 5 of 19

Re: how to sync active directory with EPO


Sorry about the delayed response, but if I understand your use case correctly, the managed systems already located in the ManagedComputers group would remain there.

Re: how to sync active directory with EPO


Hi Kabi,

Thank you for sharing very easy-to-configure steps to sync ePO with AD, but what if I have an LDAP / AD server hosted on an on-premises server and ePO on an AWS instance?

Kindly provide steps to link them too. It will be helpful for me.

Thanks in advance.

Sudhir

mark_ph
Level 7
Message 7 of 19

Re: how to sync active directory with EPO


Hi Kabi,

Thank you for your information.

I need to know something. After I synchronize AD, if I move the systems to another OU, will the systems in ePO move too?

Thanks.

johnmoe
Level 11
Message 8 of 19

Re: how to sync active directory with EPO


You'd need to change the above to:

Synchronize: Systems and container structure

Systems that exist elsewhere in the System Tree: Move systems from their current System Tree location...

mark_ph
Level 7
Message 9 of 19

Re: how to sync active directory with EPO


Oh, thank you very much, sir.

a2wa2
Level 8
Message 10 of 19

Re: how to sync active directory with EPO


Thanks for your help.

Once I sync McAfee with Active Directory, does the sync process operate from the beginning each time, or are only changes applied? I need to know what the automated daily task for syncing Active Directory does in the Automation > Server Tasks section.

If I want to keep the current changes in ePO and avoid moving systems to different OUs, what should I do?

Because some new systems have entered my organization, I want ePO to detect new systems automatically, recognize them, and deploy the agent by itself. Then, if possible, I will install VirusScan.

Best regards
