it1024
Level 9
Message 1 of 10

synchronize AD groups with ePO groups

Hi,

Is it possible to synchronize AD groups with ePO groups? We have domain policies enforced on OUs. In ePO we also have different policies which should be enforced on different groups, and we have the same groups in AD. What I need is to synchronize AD groups (which are under AD OUs) with ePO groups. Is it possible or should I do it manually?

Thanks,

McAfee ePolicy Orchestrator 

9 Replies
McAfee Employee cdinet
Message 2 of 10

Re: synchronize AD groups with ePO groups

There is an option in the AD sync settings to pull systems and system tree structure. This will mirror your AD group in the ePO system tree. Be very careful doing this if your systems are in a different system tree structure. What I would suggest before doing that is to turn off the ePO server service (Apache) on ePO and any agent handlers to prevent clients from getting any policy changes. Then you can run your AD sync and, once that reorganizes your system tree, make sure all the right policies and tasks are assigned properly. Then you can turn Apache back on.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

it1024
Level 9
Message 3 of 10

Re: synchronize AD groups with ePO groups

@cdinet 

Thank you for your reply.

I seem not to be able to find the option you are referring to. Could you please let me know what option and where allows us to "pull systems and system tree structure"?

Thank you in advance.

McAfee Employee cdinet
Message 4 of 10

Re: synchronize AD groups with ePO groups

adsync.png

That is the checked option that I am referring to. You would choose systems and container structure, then the second option, move systems from current system tree location, as I have checked.


it1024
Level 9
Message 5 of 10

Re: synchronize AD groups with ePO groups

@cdinet 

Thank you so much for your guide.

To me it seems that I am doing something wrong. If you kindly take a look at the screenshot attached I have got two groups in the root of AD but they are not synced at all. Could you please let me know what I am misunderstanding here?

Thank you in advance.

gz_ad.jpg

McAfee Employee cdinet
Message 6 of 10

Re: synchronize AD groups with ePO groups

Which specific group names are you referring to? 


it1024
Level 9
Message 7 of 10

Re: synchronize AD groups with ePO groups

@cdinet 

I have got only two groups, "allow-usb" and "test-dlp" as you might see in the bottom of the picture. I want these two groups to be synced with McAfee System Tree.

Thank you

McAfee Employee cdinet
Message 8 of 10

Re: synchronize AD groups with ePO groups

Those are user groups, not computers.  The AD sync in system tree only syncs computers.


it1024
Level 9
Message 9 of 10

Re: synchronize AD groups with ePO groups

@cdinet 

Thank you for your reply.

So in that case groups cannot be synced at all and talking of groups is meaningless. Are there any other types of groups except what we see in my picture?

McAfee Employee cdinet
Message 10 of 10

Re: synchronize AD groups with ePO groups

Any AD group can be synced with the AD sync task, but they must be computer groups, not users. The AD sync can only sync computers, not users. Syncing LDAP users is a completely different task and purpose. But the AD sync in the system tree only looks for systems. If there are no systems in a group, it will not sync that group.

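One way to check the point made in the last reply, that a group is only picked up if it contains computer objects, before running the sync. This is an added example, not part of the thread and not McAfee tooling; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that you have read access to the domain, and the function name `Get-GroupMemberClassSummary` is hypothetical.

```powershell
# Added example: classify the members of AD groups by object class.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Group names taken from the thread; replace with your own.
$groupNames = 'allow-usb', 'test-dlp'

function Get-GroupMemberClassSummary {
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($group in $Name) {
        try {
            # -Recursive flattens nested groups so only leaf members are returned.
            $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
        }
        catch {
            Write-Warning "Could not read group '$group': $($_.Exception.Message)"
            continue
        }

        $computers = @($members | Where-Object { $_.objectClass -eq 'computer' })
        $users     = @($members | Where-Object { $_.objectClass -eq 'user' })

        [pscustomobject]@{
            Group      = $group
            Computers  = $computers.Count
            Users      = $users.Count
            Other      = $members.Count - $computers.Count - $users.Count
            # False means the group holds no systems for the AD sync to find.
            HasSystems = $computers.Count -gt 0
        }
    }
}

Get-GroupMemberClassSummary -Name $groupNames | Format-Table -AutoSize
```

A group that reports `HasSystems` as False contains only users (or is empty), which matches the case described in the thread.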
