Endpoint Protection

  • 1.  Remove Active Directory sync completely from SEPM 14

    Posted Dec 02, 2021 03:02 PM

    For several different reasons, we need to break the connection permanently between SEPM and Active Directory. We want to be able to delete computers at will, move them around, etc. without having to do it through Active Directory. Also, there are different administrators that maintain AD and others that maintain SEPM, so we as SEPM admins are being granted full control of the environment.

    So, I have removed all instances that I could find from SEPM that link our directory servers.

    - Click the server under "Admin-Servers"
    - Click "Edit the server properties"
    - Select the "Directory Servers" tab
    - Click on the directory server name
    - Click "Delete", "Yes", then "OK"

    I have also gone into my administrators account, on the "Authentication" tab, and changed it from "Directory Authentication" to "SEPM Authentication". I am able to change my password manually now.

    The problem is that SEPM "appears" to still be synced with AD. Meaning, we cannot right-click on any computer or group and select "Delete", "Rename", "Move", etc., just like it was when we had the Active Directory information configured. So, even though it appears that SEPM is no longer configured/integrated with AD, we cannot manage SEPM like we want to. Plus, if you right-click on a group and select "Sync Now", you get a warning message stating "The directory from which one or more organizational units have been imported does not exist. Ensure that the directory server exists, and then import the organizational units before trying to synchronize".

    So, what is wrong? Did we miss something? Why does SEPM still think that it is integrated with AD? I have scoured Broadcom's support site, Google searches, etc. and I can't find any documentation that is specifically written on how to remove Active Directory integration, nor how to fix issues like this.

    FYI...We are running version 14.3 RU2 build 4615.

    Thank you in advance for your help!


  • 2.  RE: Remove Active Directory sync completely from SEPM 14

    Broadcom Employee
    Posted Dec 03, 2021 04:17 PM

    Hi Larry,

    I believe you would need to do the following:

    You would need to keep the settings and Sync on.

    You would then need to create a new group structure from scratch.

    Copy clients to new groups.

    Then delete the top-level imported OU and it should kill the sync.

    Other than that you would have to start over with your environment.

    John Owens
    Strategic Support Engineer | Symantec Endpoint Security Division (SES)
    Broadcom Software
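
The procedure above (build a new group structure, copy the clients over, then delete the top-level imported OU) leaves one practical gap: before deleting the imported tree you want proof that every client already sits in a hand-built group, or those clients go with the OU. The script below is an added example, not code from the thread, from Broadcom, or from SEPM itself. It uses the SEPM REST API to walk all groups and compare client counts between the imported OU subtree and the new structure. The host name, the imported-OU root path, and the new root group name are hypothetical; the API paths (`/sepm/api/v1/identity/authenticate`, `/sepm/api/v1/groups`), the `pageIndex`/`pageSize` query parameters and the paged response fields (`content`, `lastPage`, `fullPathName`, `numberOfPhysicalComputers`) are assumed from the SEPM 14.x REST API and should be checked against the API reference on your own manager (`https://<sepm>:8446/sepm/restapidocs.html`).

```powershell
# Added example (not from the thread, Broadcom, or SEPM): confirm that the
# hand-built SEPM group tree holds every client before deleting the imported OU.
# Assumptions (not stated in the thread): SEPM REST API on port 8446, the
# /identity/authenticate and /groups endpoints with pageIndex/pageSize paging,
# and the content/lastPage/fullPathName/numberOfPhysicalComputers fields.

param(
    [string]$Sepm         = 'sepm.example.local',           # hypothetical host
    [int]   $Port         = 8446,
    [string]$Domain       = '',                             # '' = default SEPM domain
    [string]$ImportedRoot = 'My Company\corp.example.local', # hypothetical imported OU root
    [string]$NewRoot      = 'My Company\Managed'            # hypothetical new top-level group
)

$base = "https://$($Sepm):$Port/sepm/api/v1"

# Log in with a SEPM-authenticated (not directory-authenticated) administrator,
# which is the account type the original poster switched to.
$cred = Get-Credential -Message 'SEPM administrator'
$authBody = @{
    username = $cred.UserName
    password = $cred.GetNetworkCredential().Password
    domain   = $Domain
} | ConvertTo-Json
$auth = Invoke-RestMethod -Method Post -Uri "$base/identity/authenticate" `
    -ContentType 'application/json' -Body $authBody
$headers = @{ Authorization = "Bearer $($auth.token)" }

# Walk every page of groups; the API pages its results.
$groups = @()
$page = 1
do {
    $resp = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$base/groups?pageIndex=$page&pageSize=200"
    $groups += $resp.content
    $page++
} while (-not $resp.lastPage)

# Split the tree into the imported OU subtree and the new hand-built subtree.
$imported = $groups | Where-Object { $_.fullPathName -like "$ImportedRoot*" }
$managed  = $groups | Where-Object { $_.fullPathName -like "$NewRoot*" }

$importedClients = ($imported | Measure-Object numberOfPhysicalComputers -Sum).Sum
$managedClients  = ($managed  | Measure-Object numberOfPhysicalComputers -Sum).Sum

"Groups under imported OU root '$ImportedRoot': $($imported.Count), clients: $importedClients"
"Groups under new root '$NewRoot':            $($managed.Count), clients: $managedClients"

# Show any imported group that still holds clients: those are the ones that
# would be lost when the top-level imported OU is deleted.
$leftBehind = $imported | Where-Object { $_.numberOfPhysicalComputers -gt 0 }
if ($leftBehind) {
    Write-Warning 'Imported groups still holding clients (move these before deleting the OU):'
    $leftBehind | Sort-Object fullPathName |
        Select-Object fullPathName, numberOfPhysicalComputers | Format-Table -AutoSize
} else {
    'No clients remain under the imported OU; it is safe to delete the top-level imported OU.'
}
```

SEPM ships with a self-signed certificate, so on PowerShell 7 add `-SkipCertificateCheck` to each `Invoke-RestMethod` call (or install the manager certificate) rather than disabling validation globally. Run the script once after copying the clients and again after the "Sync Now" warning appears; a non-zero imported-client count at that point means clients still live only in the OU tree.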