2 Replies Latest reply on Sep 11, 2012 8:10 AM by petersimmons

    Filtering Workstations By Security Group



      I'm currently updating our antivirus across the board via deployment using Epo 4.5 and I want to do a tiered approach to deploying out the new version.


      Is there a way to seperate out workstations in System tree by using existing Active directory security groups ?


      Splitting the workstations out by OU is unfortunately not an option.


      Thanks !

        • 1. Re: Filtering Workstations By Security Group

          Don't think this is possible using only ePO, but can be done with a little detour using GPO's and custom properties.


          1. Create a GPO and give only the target Security Group read access
          2. Add the following registry setting to the GPO:
            • Key (for x64 system):
              HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent\CustomProps
            • Value:
              Name = "CustomProps1" (or 2, 3, 4)
              Data = "<your group name>"
          3. Wait for (or run) a GPUpdate on the systems
          4. Send an agent wakeup


          The custom properties should now be visible in the ePO console and can be used in queries. You can run these queries on scheduled times to tag your systems, and use the tags to deploy your software updates.

          • 2. Re: Filtering Workstations By Security Group

            Should you be running ePO version 4.6, it is a trivial action to write a query showing machines with the tag "Workstation", then you can select some or all and then use the "Run Task Now" which has the installation task you created. Run Task Now is new for 4.6 and it is one of the small yet really important features in 4.6.


            If you are running ePO 4.5 you can create a task at the highest level to install/update the software but set it to run only for machines with certain tags. The Workstation tag is automatically maintained by the system.


            And in all versions you can synchronize parts of ePO with AD which will [optionally] pull in the group structure.


            There are lots of ways to do what you want.