Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 2 subscribers
  • Views 1614 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Computers randomly being removed from device control groups

Paducah DOE

We use SEC 5.4.1 and have for a while. We have multiple groups set up for Device Control and have had few issues until recently. Now we are seeing random computers just disappearing from the DC groups and we do not understand how or why. We do not have any AD groups related to device control, just the groups set up in SEC. AD synch is on, but I do not see how that could cause a computer to just disappear from the DC group. The computers in question do not show as having an error, they are just moved back to the main group and the main DC policy applied. Needless to say we have some less than happy end users when this happens. Any idea as to what is going on? Is it an AD thing or do we have a problem with SEC and/or the DC groups?



This thread was automatically locked due to age.
  • 0

    Hello Paducah DOE,

    if I understand correctly then

    • the main group has a green folder symbol
    • the DC groups are elsewhere and (more or less) yellow
    • you move the computer from a green to a yellow group and it pops back to the green one

    If so, that is what AD Sync does - it places the applicable computers in the appropriate group of the mirrored AD OU-structure.

    Christian

  • 0 in reply to QC

    Thanks for the fast response. I am not understanding what you mean by the green and yellow symbols. Here's a snip of what I see in the group structure.

    We locate the computer in the root group and drag to whatever DC group we want it in. And sometimes, for no reason, the next day it is gone from the group and we do not know why. Is our SEC group structure at fault? If I understand correctly, we need AD synch in order to push updates and such to the appropriate groups. But that might be a different issue for a different day.

  • 0 in reply to Paducah DOE

    Hello Paducah DOE,

    thanks for the screenshot - apparently you are not using what is called AD sync for short.

    Allow me some general remarks first:
    push updates
    you don't push updates - SEC/SUM maintains one or more update locations, endpoints access their update location and download and apply the changes since the last download.
    we need AD synch
    short answer - you don't. It's not clear though what you mean by AD synch. Are you perhaps referring to DiscoverImport from AD?

    Computers don't change their group on their own. And I fear I don't quite understand what the main group or the root group is and which of the groups are "mirrors" of the AD containers. Computers move (actually or apparently) in the following cases:

    1. AD Sync (the actual AD Sync) - I described this in the previous post
    2. AD Import - you import groups and computers from AD, create subgroups and move some computers to the new groups. Next time you Import from AD the computers in the subgroups are moved back to parent group
    3. A computer is reinstalled calling setup.exe from the command line using the -Grouppath switch (I'd rule this out in your case)
    4. Certain workflows with a, let's say, unfortunate sequence of actions like installing, deriving from an image, individualising, joining can cause seemingly chaotic behaviour (I'd rule this out as well)

     I'd tend to 2.

    Christian 

Unfiltered HTML