An overview of the Active Directory integration functionality in Symantec Endpoint Protection 11.0
Active Directory Integration
As an optional feature, the Symantec Endpoint Protection Manager can be integrated with the Active Directory. The Symantec Endpoint Protection Manager can import the organizational unit and the account data and synchronize that data with the Active Directory automatically. The administrator can then use the existing organizational unit as a unit to assign the group policy to, just as with a group.
An Organizational Unit is treated as a special type of group because the imported organizational unit and the accounts in that unit cannot be modified. However, the organizational unit along with its data can be deleted as a whole by the administrator. Groups cannot be created under the Organizational Unit. The parent of an Organizational Unit can be the Group or the Organizational Unit. The administrator can select accounts from an Organizational Unit and move them to a specified group, for example, the administrator can create a group for remote users, move all of the remote users from their current organizational unit to a newly created group and assign a group policy that is tailored for the remote users in that group.
Note: The same user may exist in both the group and the organizational unit. In this situation, the priority of the group is higher than that of the organizational unit. For example, assuming both a remote group and an engineering organizational unit contain the “james” user account, then, the “james” user account will use the group policy of the remote group.
Synchronization with Active Directory
Imported Organizational Units are read only. Data in the Organizational Unit cannot be changed manually. The sub Organizational Units cannot be deleted. However, the Organizational Unit root as a whole can be deleted from the system manually because this does not take place when synchronized. The administrator must decide which Organizational Units are imported and if any of the existing Organizational Units need to be deleted. Only the Organizational Unit's data is synchronized with Active Directory. The interval time of synchronization is set in the server panel. For example, if an Organizational Unit or user is deleted from the HQ Organizational Unit, then that unit will not be deleted during a synchronization. However, that user will be deleted from their imported Organizational Unit in the Symantec Endpoint Protection Manager after a while. The latency is dependent on the interval time of synchronization. Users in the group that were copied from the Organizational Unit will not be synchronized automatically. For example, a user "james" is in the Engineering Organizational Unit and is copied into the Remote Users group. If "james" is removed from the Active Directory server, then the user "james" in the imported Organizational Unit will also be deleted, but it will not be deleted from the Remote Users group automatically. In some instances, when the clients register before an Active Directory synchronization takes place, they will register to the temporary group. During the process of Active Directory synchronization, the clients will need to be moved to the correct group.
Adding Organizational Units into Symantec Endpoint Protection Manager
- Before an Organizational Unit can be imported, a Directory Server in "Server Properties" must be added:
- If there are child domains and nested child domains a Directory Server for each of those domains will need to be added as well.
- Once the Directory Server(s) has been added, an Organizational Unit on any Group level can be imported:
- Select the Organizational Unit of choice:
- To select Organizational Units from a child domain use the "Domain" pull down menu to change to additional domains.
- Once imported, the Organizational Unit will appear as a group:
Moving Users and Computers
The admin can select one or more users and/or computers from a group and move those selected users and computers to another group.
If the selected user or computer is in an Organizational Unit, the move means Copy. The selected user/computer will be moved to the destination group, and that user/computer criteria will be kept in the Organizational Unit.
Note: If the client is in Computer-based mode, moving the computer name of the client to another group will force the client to switch to the new group and get the new profile of that group.
If the agent is in User-based mode, moving the login user name of the client to another group will cause the client to switch to the new group and get the new profile.
Priority of Group and Organizational Unit
The Organizational Unit structure and all of the accounts in that Organizational Unit can be imported from and synchronized with Active Directory. An Organizational Unit will be placed in the group as an element of the group just as a computer or user account. An Organizational Unit can be considered as a special type of group. Group Policy Profiles can be applied to the Organizational Unit. The name of the Organizational Unit and the computer/user account within that unit cannot be modified. The computer/user account in the Organizational Unit can be copied into only one group. (Duplicating a computer/user account is not allowed in the groups). The computer/user account may exist in a group and in an Organizational Unit at the same time. Since the group has a higher priority than the Organizational Unit, the client will use the profile of the group instead of the Organizational Unit if the computer or login user of the agent exists in both the group and the Organizational Unit.
Note: Temporary Group has lower priority than Organizational Unit. This is an exception.
This document is available in the following languages:
- Brazilian-Portuguese: http://www.symantec.com/business/support/index?page=content&id=TECH102546&locale=pt_BR
- French: http://www.symantec.com/business/support/index?page=content&id=TECH102546&locale=fr_FR
- German: http://www.symantec.com/business/support/index?page=content&id=TECH102546&locale=de_DE
- Italian: http://www.symantec.com/business/support/index?page=content&id=TECH102546&locale=it_IT
- Spanish: http://www.symantec.com/business/support/index?page=content&id=TECH102546&locale=es_ES