10 Replies Latest reply on Feb 24, 2009 4:18 AM by Sonic01

    ePO Policies

      hi guys,

      after doing an upgrade 3.5 to v4 and starting to roll out client 8.7 I've started to encounter a problem with the access protection policies blocking too much - when I go to change the policies there is one in the global route called "McAfee Default" that I can't seem to change.

      can anyone help?
        • 1. RE: ePO Policies
          use Duplicate to create a copy of the default policy and make changes to the copy.
          • 2. RE: ePO Policies
            ok I see now that this McAfee default doesn't actually seem to do anything? is it just there as a template?
            • 3. RE: ePO Policies
              Yes - you can't change it by design (so there's always at least the McAfee default policy available). Normally I duplicate the policy, set it to my top level group and work with my own set of policies...
              • 4. RE: ePO Policies
                ok cool cheers for your help :)

                I've noticed when I do an AD sync it doesn't seem to be removing machines that aren't in the AD list anymore? does anyone know of a way to resolve this?
                • 5. RE: ePO Policies
                  You're welcome :)

                  It's usually better to create a new post with a new problem, rather than add to an existing thread - many people will ignore the thread according to its title...

                  On your AD Sync problem...
                  Go into Systems and select the group in question in the left pane (this may be at the top of the tree if you want to apply to all groups)

                  Select the 'Group' tab in the right pane, and near the top is 'Synchronization type' - click edit.

                  The second last topic there is about what to do when systems are deleted from your sync point (AD) - it defaults to leaving them there, but you can delete them from epo too - and optionally remove the agent if for example the machines have moved from one AD forest into another managed by another ePO server...

                  If the machine no longer exists, then obviously removing the agent will fail.

                  I prefer to leave the systems in epo and run an inactive agent cleanup task (at least for now, as our AD isn't the best...)
                  I'd suggest testing this very carefully before going with it.... any machines not in AD (e.g. workgroup machines) would end up being deleted if you apply across the whole tree......
                  • 6. RE: ePO Policies
                    yeah sorry I just didn't want to start flooding the forum with all my stupid questions hehe, was just trying to keep it in one place!

                    ah i have already set it like this! in fact when i go to the system view it reports the correct number of machines etc.... but when i run a query like this:

                    Pie Chart > managed systems > client version

                    it shows:

                    111 on BLANK
                    95 pcs on 8.0 wrk
                    11 on 8.0 srv
                    9 on 8.7 wrk
                    2 on 8.7 srv

                    i have a total of 180 machines sync'd from my AD into the ePO "system" so why is this showing 246 results?!

                    when I click on the "blank" to view the details it shows machines that aren't actually listed in the epo system tree and are no longer in AD?
                    • 7. RE: ePO Policies
                      Well, that is weird....:)

                      You have a large proportion of BLANKs.... suggesting that the agent on these machines cannot advise their version.... I've seen this before. We have three machines still at VirusScan 7.1 - and ePO 4 only supports version 8.0 and above - so they show as blank. (they have to remain at that version for a variety of reasons I won't bore you with, but I figure 3 out of 12,500 ain't too bad...)

                      You say they're not in epo - but they are, otherwise you wouldn't get the list. Can you ping the machines that are blank? If you're sure they shouldn't exist then I'd simply delete them from epo (checking they don't come back).

                      If they actually exist, then you need to assume that they aren't authenticating with AD if they're not in AD. This may be normal for your environment if you have workgroups, so it's hard for me to say... In such a case you will NOT want to delete in ePO if not found in AD....

                      They could be showing as blank also because they were deleted by an earlier synchronization, have communicated once with (using incremental props), so have appeared in epo. Try also doing a full props wake-up with them - they should then report their versions...

                      Don't worry if it seems obscure - there is a reason things are appearing in epo and if the last communication date is recent, that reason is usually because there is SOME kind of agent there.

                      Good Luck
                      • 8. RE: ePO Policies
                        I've just figured it out :)

                        the previous IT before me used to add the PCs in manually. they didn't use the AD sync, these machines I'm seeing that aren't showing up in the system list must have been machines added in manually?!

                        so now will i have to crawl through the list and delete the manually added machines? or can i just delete all machines from the epo and do an AD resync?

                        ps. we don't use any workgroups here
                        • 9. RE: ePO Policies
                          Manually added machines could be the reason....

                          Before you go and delete all machines, AD Sync and rebuild from scratch (because in effect that's what it would be) you need to consider how your tree is made up - do you have different groups with different policies? (you have at least two different policies you've mentioned) - because you would probably lose that and have to place the incoming AD sync machines back into the correct groups.

                          It depends on your setup - only you can make that choice and i won't advocate it one way or another (such is the joy of being an epo admin!)

                          I would advise to go slowly and not make any sweeping changes until you're sure of the effect, and you understand exactly what it will do. If something comes out unexpectedly, I try and understand why before moving onto something else.

                          I've been doing epo for about 5 years (in various versions) and I'm still learning...

                          I will say this - you need to know your tree and setup very well - so take your time and one small step at a time.

                          You think you know what the issue is - so why not add a machine manually yourself and see if you can prove it?

                          Best of luck!