5 Replies Latest reply on Jul 13, 2010 8:07 AM by BionicSecurityEngineer

    EE LDAP Server User/Group Sync failing despite reporting complete

I have 7300 users in Active Directory, and I added the DOMAIN USERS group into Encryption Users, yet when the EE LDAP Server User/Group Sync job runs only a handful (20 accounts) show up in the EE Users query. I've tried a second LDAP server, and I've tried syncing a small group of 20 users, but the same users show up in the EE Users report, and the rest can't log in to my computers.


      Anyone seen this behavior before?

        • 1. Re: EE LDAP Server User/Group Sync failing despite reporting complete

          On which version of EEPC is this happening?

          • 2. Re: EE LDAP Server User/Group Sync failing despite reporting complete

Are you sure this is an EEM issue? It sounds like an EPO question.

            • 3. Re: EE LDAP Server User/Group Sync failing despite reporting complete

              Well gents.


We're using the following:


              EPO 4.5 Patch 1

              Default McAfee 4.5 agent that ships with EPO 4.5

              EEPC 6.0.1


              I'm not exactly sure which product is the culprit, but I do know that when I add users in the Encrypted Users component, I can browse the AD forest with no problem. I can add individual users, but when I add a large group to an individual computer, then I'm warned about adding a large number of users.


              My predicament is this...


I have 1000 mobile devices that are shared by 1500 users. If I choose to associate a user with a computer, then the administrative upkeep is going to be a nightmare, and we've only got a small staff servicing this mobile fleet. So the plan was to take their global group, assign it to the mobiles, and let any user log in to any mobile, since they swap devices on a regular basis.


So, I did some thinking about this, and if the SafeBoot (EEPC) client stores the users on the hard disk, then surely there must be a limitation to the number of users it can store? No one at McAfee Support appears to know this limit, and they are encouraging me to add groups to individual computers as a workaround, which in my situation is unacceptable. Again, it would be an admin nightmare configuring all 1000 mobile devices. Surely I'm not the only organization to do this.


So, my ticket is in 2nd Level McAfee Support, and I'm reaching out to this forum because I want a plan B, if you will.


Thoughts? Suggestions? Any troubleshooting tricks I can try to determine if this is an EPO or EEPC issue? Any scripts, hotfixes or patches that I might not be aware of that address this issue?


              Message was edited by: BionicSecurityEngineer on 7/13/10 7:38:26 AM CDT
              • 4. Re: EE LDAP Server User/Group Sync failing despite reporting complete

The limit is around 350 in its default guise; you can expand this, though. This is documented in the manuals under the pre-boot size.


Assigning everyone to everything is a fool's errand. Not only will it drive your network down, machines will probably never activate, as it will take forever to get the policy.


There's an option, "add local domain users", which means that every domain user who has a roaming profile on the machine will be added as a pre-boot user automatically. That gets you to a position where people who HAVE used the machine can still use it, but there's no solution to the "everyone everywhere" problem.


Think about it: do you really want to replicate your domain controller onto every machine?

                • 5. Re: EE LDAP Server User/Group Sync failing despite reporting complete

I'm going to try to drill down group assignments to get under the 350-user mark and keep the costs down. I think we can seed some smaller groups by breaking up the mobiles by their assigned division, and then rely on the users being transferred in AD to maintain their ability to log in without delays.
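The two points the thread settles on, the default pre-boot user ceiling of roughly 350 quoted in reply 4 and the plan in reply 5 to split assignments by division, both call for the same check before anything is assigned in EEM: count the unique user accounts each planned group set would push into pre-boot. The script below is an added example for that check; it is not from the thread, not McAfee's tooling, and it assumes the ActiveDirectory PowerShell module (RSAT) is installed. The division and group names in $Plan are constructed placeholders, and the 350 figure is the default the reply quotes, not a value the script reads from EEM.

```powershell
# Added example (not from the thread or the product): size planned EEPC
# user-group assignments against the default pre-boot user limit.
# Assumes the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

# Constructed placeholder plan: AD groups intended for each division's
# mobiles. Replace the keys and group names with your own.
$Plan = @{
    'Sales-Mobiles'   = @('Sales-Field-Staff', 'Sales-Managers')
    'Support-Mobiles' = @('Support-Engineers', 'Support-Managers')
}

# Default pre-boot user limit as quoted in this thread; the product manual
# documents raising it via the pre-boot size setting.
$PreBootUserLimit = 350

function Get-UniqueUserMembers {
    param([string[]]$GroupNames)
    $users = @{}
    foreach ($g in $GroupNames) {
        # -Recursive flattens nested groups so a user counted through two
        # groups is still counted once. Caveat: ADWS returns at most 5000
        # entries per query by default, so very large groups (Domain Users
        # in the original post, for instance) will error rather than count.
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $users[$_.SamAccountName] = $true }
    }
    return @($users.Keys)
}

$report = foreach ($division in $Plan.Keys) {
    $members = Get-UniqueUserMembers -GroupNames $Plan[$division]
    [pscustomobject]@{
        Division    = $division
        Groups      = ($Plan[$division] -join ', ')
        UniqueUsers = $members.Count
        OverLimit   = ($members.Count -gt $PreBootUserLimit)
    }
}

$report | Sort-Object UniqueUsers -Descending | Format-Table -AutoSize

# Flag any division whose planned groups would exceed the default limit,
# so the assignment is trimmed (or the limit raised) before it is pushed.
$report | Where-Object OverLimit | ForEach-Object {
    Write-Warning ("{0}: {1} unique users exceeds the {2}-user pre-boot default" -f `
        $_.Division, $_.UniqueUsers, $PreBootUserLimit)
}
```

Run it from an account that can enumerate the groups; re-run it whenever divisions are reshuffled in AD, since the thread's plan relies on group membership in AD, not per-machine user lists, being the thing that moves a user between fleets.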