    Advice on decrypt setup




      I need some best practice advice.


      I have 5 system tree groups, all of which sync in computers and users from different places in AD (mirroring our different sites). All sync groups are set up with the '


      Now I've created a new system tree group for decryption, and added the needed disabled policy for decryption to work. The decryption kicks in just fine. However, when my AD sync jobs run, the computers are moved back to their site system tree group because of the '


      How do you suggest I set this up, so that the clients which are manually moved to my decrypt group stay there - even after the AD sync is run - without utilizing the other sync settings?

      I'd rather not use AD OU synchronization for the decrypt system tree group, as I'd then have major hassle modifying WSUS settings, SCCM collection settings and GPO inheritance.



          Another note on my setup.


          Our ePO AD sync job is set up to run hourly because of our imaging process. We use SCCM for imaging computers, and install the McAfee Agent and EEPC software as part of the imaging process. When the McAfee Agent and EEPC software is installed, the computer ends up in the top group in the ePO system tree, and we then rely on the AD sync to quickly move the computer to the correct site system tree group in order to get the correct user database assigned to the computer.