Endpoint Protection

In SEPM 11.0 MR4 MP2 , Security Status reports that a computer that no longer exists (including in AD--for a month) hasn't run a scan (also for a month!). And I have 2 duplicate clients from a machine that has recently had a NIC transfusion and OS reinstall. In my case, since I imported the the entire AD hierarchy, and therefore have User OUs as well as Computer OUs in SEPM, the 2 duplicates show up as Users. So they can't be cleared by running the workaround script because the duplicates are not in Default Group.

After upgrading in place to SEPM 11.0 RU5, all 3 problems remain. SEP clients remain for the moment at SEP 11.0 MR4 MP2.

Will these problems eventually clear themselves? Or will I need to delete the imported OUs and start over (again).

Hi Jeff,

I think the link will be crucial to resolve your issue, as it specific to remove the duplicate entries in the SEPM database:
http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=CleanClients

Best,
Aniket

I'll try it...my understanding was that this only worked if the duplicates were in Default Group, but maybe that's wrong.

And am I correct that this issue will not re-occur with RU5?

The documentation does say this clears duplicates in Default Group. See my original post; they're not in Default Group. If you're not aware of this, if imported AD includes user OUs, and users in those OUs log on to an affected computer, User objects appear in SEPM in the User OU instead of appearing as duplicate Computer objects in Default Group. The script does not handle these.

Tried the script anyway on your recommendation and bumped SEPM for good luck. Didn't work: They're still there.

I don't see any script there.

When I enter that URL in a browser, all I see is:

If you are running SEP with a MSSQL database then tech support can provide you with SQL scripts to detect and remove duplicates.

You're experiencing the exact reason we stopped using the AD interface - too much hassle if someone changes a piece of hardware on a computer.  To us it's less of a hassle to manually manage groups.

I am not using an SQL database.  It has the standard emedded database.

@NetUser, the cryptic output you received means the script ran successfully. And the duplicate in Default Group should be gone. If the duplicate was NOT in Default Group, however, the script won't help.

@d-doug...I hear that! I'm still running my company's small, simple SEP installation with AD Groups, essentially as a lab system so I know when Symantec has finally fixed it. But my clients' sites are all on SEPM Groups now. However, if you use this technique, you don't have to give up the administrative benefits of AD integration:

https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together

HTH

The Up grade to MR5 should resolve this

No it doesn't.

Yes, Kavin, it should. But it doesn't.

Hi

I tried to ask support about this script, they have never heard about it :-))

Do you have this script and can you share it?

I'm running the IE linie every second day manualy, which is a pain in the ***....