Enterprise Console bug - Discovery using Active Directory

I think I have a bug to squash here. We are migrating all our McAfee endpoints to Sophos endpoints. Part of this process is performing a discovery using Active Directory (not the import function). Once discovered, we then moved computers from the unassigned container to a new container we deemed each machine to be associated (all below a parent container called ORG) with and decided NOT to push out any Sophos installs until we had most of the computers in their appropriate containers.

We then began pushing out Protection to about half of the systems only to find out that many of the machines should have been deleted from AD before the discovery so we started cleaning up Active Directory.  Once AD was clean, we decided to delete all the "unmanaged computers" in SEC both in the unassigned container and the top level ORG container in favor of re-doing a SEC AD discovery.

What happened resulted in a bunch of duplicate computer names. I now have unmanaged computers in my unassigned container and in my ORG containers with the same computer name. It appears as though SEC kept the list of unmanaged computers and upon discovery added them back in the ORG container that they were deleted AND added them to the unassigned container.


This thread was automatically locked due to age.
  • Hi,

    When you delete computer records in SEC it only hides the computers by setting the deleted flag in the computersanddeletedcomputers table in the database.  This is so that when you delete a computer, the history for that computer still shows up in reports for the time period when the computer was 'alive'.

    I can only think that when the endpoint was protected, the remote management system (RMS) messaged back with different information about the client (computer name, domain name) than was previously found with the AD discovery, so when RMS reported back the computer information the management service tried to determine if it should update/bring to life the existing record or create a new record; in this case it chose to create a new record as there must have been something different.

    So you could "delete" the unmanaged records now that you have the managed record. If you do another AD import does that revive the unmanaged record again?

    If so you could use PurgeDB.exe (http://www.sophos.com/en-us/support/knowledgebase/109884.aspx)

    purgedb -action=delete -category=computers -HistoryLengthInDays=1

    This will delete any computer which hasn't messaged in within the last day for example.

    Regards,

    Jak
