9 Replies Latest reply on Aug 8, 2017 9:35 PM by kabi

    how to sync active directory with EPO

    a2wa2

      Hello,

      I would like to synchronize my Active Directory with ePO, but I don't know what I should do. My other question is whether syncing Active Directory with ePO has any impact. For instance, when we delete an endpoint from ePO, or the reverse, is it deleted from Active Directory too?

        • 1. Re: how to sync active directory with EPO
          kabi

          In the System Tree module, select a group and click the Group Details tab

          Next to Synchronization type, click Edit

          Synchronization Type

          • Select Active Directory

          Synchronize

          • If your AD OU structure will work for your EPO group structure, select Systems and container structure. This is the easiest method and simplifies the Containers section below.
          • If not, select Systems only

          Systems that exist elsewhere in the System Tree

          • I recommend selecting Move systems from their current System Tree location to the synchronized group

          Active Directory domain

          • Select your registered LDAP server. If you don't have one defined, click Cancel and then open Menu/Configuration/Registered Servers to create it.
          • The other two Active Directory sections will be greyed out

          Containers

          • If you chose to synchronize Systems and container structure, click Add Root and the distinguished name should appear (e.g. DC=mydomain,DC=local). My personal preference is to check the box Exclude empty containers.
          • If you chose to synchronize Systems only, either click Browse to select the container or enter the container's distinguished name and click Add (e.g. ou=Laptops,dc=mydomain,dc=local)

          Exclusions

          • Add any applicable containers or computers. Typically, I've only specified something here when synchronizing Systems and container structure.

          Push Agent

          • I typically don't use this, because you can't have multiple Push settings defined per OS. If you only have Windows systems, this feature works great. Just make sure the account you specify has rights to install software.

          When systems are deleted from the synchronization point

          • I recommend reviewing which products you are using and plan to use, because with some products, deleting a McAfee system object will delete the corresponding product info. For example, deleting a McAfee system object will delete its recovery keys for Drive Encryption and Management of Native Encryption.
          • If you want full automation, select Delete the systems... This will delete the McAfee system object whenever an AD computer is deleted.
          • Note that deleting a McAfee system object will not delete the AD computer object.
          • Personally, I choose Leave the systems... because I want to control when a McAfee system object is deleted and I use DE and MNE.

          Tags

          • Configure as you want. I've never used this.

          Next, click Save.

          The last step is to create a Server Task which performs the Active Directory/NT Domain Synchronization.

          Depending on your AD environment, the sync can take a while on its first run. The frequency of changes in your AD, how accurate you want EPO to be, and how long the AD sync takes will help determine the AD sync interval. You'll also want to monitor its impact on your DCs.

          6 of 6 people found this helpful
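
The deletion setting described in reply 1, as an added example that is not part of the original thread or McAfee's own tooling: a dry-run that lists which ePO systems no longer have an AD computer object under the synchronized container, and which of those carry Drive Encryption or MNE and would lose recovery keys if "Delete the systems..." were selected. The input lists, their field names, the "AV" product label, and the name-matching rule are assumptions; the data is constructed.

```python
# Added example: dry-run audit before choosing "Delete the systems...".
# Inputs are constructed; the dict fields and matching rule are assumptions,
# not ePO's export format or its own sync logic.
ENCRYPTION = {"DE", "MNE"}  # Drive Encryption, Management of Native Encryption

def normalize_dn(dn):
    # Lower-case and trim each RDN. Assumes no escaped commas inside values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_under(dn, container):
    # True when dn is the container itself or sits anywhere beneath it.
    dn, container = normalize_dn(dn), normalize_dn(container)
    return dn == container or dn.endswith("," + container)

def short_name(host):
    # Compare on the short host name so FQDN and NetBIOS forms match.
    return host.split(".")[0].strip().lower()

def deletion_preview(ad_computers, epo_systems, container):
    """Return (would_delete, keys_at_risk) as sorted lists of ePO names."""
    in_ad = {short_name(c["name"]) for c in ad_computers
             if is_under(c["dn"], container)}
    gone = [s for s in epo_systems if short_name(s["name"]) not in in_ad]
    would_delete = sorted(s["name"] for s in gone)
    keys_at_risk = sorted(s["name"] for s in gone
                          if ENCRYPTION & set(s["products"]))
    return would_delete, keys_at_risk

CONTAINER = "ou=Laptops,dc=mydomain,dc=local"  # example DN from the thread
AD_COMPUTERS = [  # constructed sample of current AD computer objects
    {"name": "LT-001", "dn": "CN=LT-001,OU=Laptops,DC=mydomain,DC=local"},
    {"name": "LT-002", "dn": "CN=LT-002,OU=Sales,OU=Laptops,DC=mydomain,DC=local"},
    {"name": "SRV-01", "dn": "CN=SRV-01,OU=Servers,DC=mydomain,DC=local"},
]
EPO_SYSTEMS = [  # constructed sample of systems in the synchronized group
    {"name": "lt-001.mydomain.local", "products": ["AV"]},
    {"name": "LT-002", "products": ["DE"]},
    {"name": "LT-003", "products": ["DE"]},
    {"name": "LT-004", "products": ["AV"]},
    {"name": "LT-005", "products": ["MNE", "AV"]},
]

if __name__ == "__main__":
    delete, at_risk = deletion_preview(AD_COMPUTERS, EPO_SYSTEMS, CONTAINER)
    print("Would be deleted from ePO:", delete)
    print("Recovery keys lost with them:", at_risk)
```
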
          • 3. Re: how to sync active directory with EPO
            mark_ph

            Hi Kabi,

            Thank you for your information.

            I need to know something. After I synchronize AD, if I move the systems to another OU, will the systems on ePO move too?

            Thanks.

            • 4. Re: how to sync active directory with EPO
              johnmoe

              You'd need to change the above to:

              Synchronize: Systems and container structure

              Systems that exist elsewhere in the System Tree: Move systems from their current System Tree location...

              1 of 1 people found this helpful
              • 5. Re: how to sync active directory with EPO
                mark_ph

                Oh, thank you very much, sir.

                • 6. Re: how to sync active directory with EPO
                  Richard Carpenter

                  Hi a2wa2

                  If you are happy with the answers in this thread could you please mark as answered.

                  Thanks

                  Rich

                  Volunteer Moderator - Business Products

                  • 7. Re: how to sync active directory with EPO
                    a2wa2

                    Thanks for your help.

                    Once I sync McAfee with Active Directory, does the sync process start from the beginning on later runs, or are only changes applied? I need to know what the automated daily server task does when syncing Active Directory.

                    If I want to keep current changes in ePO and avoid moving systems into different OUs, what should I do?

                    I ask because some new systems are joining my organization, and I want ePO to detect new systems automatically, recognize them, and deploy the agent by itself. Then, if possible, I will install VirusScan.

                    Best regards

                    • 8. Re: how to sync active directory with EPO
                      charaneval

                      Hey Kabi,

                      First of all, thank you so much for your help by posting this knowledgeable article.

                      I have a question about the "Systems that exist elsewhere in the System Tree" option.

                      Let's say, for example, I have created a group named ManagedComputers in ePO, where I placed all the managed computers. I haven't integrated my AD until now; I have just done manual installations on these machines so far.

                      Now I want to edit the group settings on the ManagedComputers group to sync with AD and choose the above option as "Leave systems in their current System Tree Location Only" instead of "Move systems from their current System Tree location to the synchronized group".

                      What happens if I choose "Leave systems in their current System Tree Location Only"? Will it break anything on already existing items in the ManagedComputers group?

                      Or will it only import the leftover or newly created objects from AD into this group?

                      Best regards

                      Ch

                      • 9. Re: how to sync active directory with EPO
                        kabi

                        Sorry about the delayed response, but if I understand your use case correctly, the managed systems already located in the ManagedComputers group would remain there.