Re-sync AD

I have inherited an ePO environment and it's a bit of an organizational mess. I want to recreate it so that it is more like our AD structure. There are some OUs that are synced, others not. I really only need to sync two OUs from AD. If I create two new OUs in ePO and sync them back to the two roots and structures I want from AD, will it move machines into the new directories? Will I need to perform some form of dedupe of the machines?
Accepted Solutions
McAfee Employee cdinet
Message 4 of 4

Re: Re-sync AD

Depending on your environment, there are some things to consider.

Do you have policies applied to critical systems that might get wrong policies if you do this?

I would suggest this - Set up a new group under the My Organization level, set up your new sync settings there, and remove other sync points elsewhere in the system tree. I would also suggest enabling "delete systems from the system tree that no longer exist in Active Directory", but don't enable "remove agent from the deleted systems". If the systems no longer exist, they will never get the uninstall command. If they do exist, they should check back into ePO and then you can see where they were possibly missed in the AD groups you synced.

Any systems that might lose critical policies, create a tag for them and assign the policies based on policy assignment rules for those tags so no matter where the systems move to in the system tree, they will retain their policies.  Make sure all the appropriate policies and tasks are inherited from my organization so when systems are moved, all your other systems have the right tasks and policies.  If they were all set up originally from my org, then that will already be set ok.

Once you set up your sync the way you want, you can then set the option to move systems from their current system tree location to the synchronized group.

After the sync, you can check the system tree for any issues, then delete your other directories to clean up the system tree structure.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

3 Replies
Re: Re-sync AD

So I would sync at the root, but exclude the containers (OUs) you don't want, then ensure "Sync machines to correct OU" is enabled. This way it will move the machines to the correct area in ePO, therefore keeping them in policy.

Does this help?

Reliable Contributor andrep1
Message 3 of 4

Re: Re-sync AD

Yes, you can set it up to move the machines as you sync. If you do two syncs from two locations, I'm not sure it is wise to set up the sync to delete devices during sync. Something to test on your side.

