does not make sense for security management, you can create your System Tree in a text file
and import it into your System Tree. If you have a smaller network, you can create your System
Tree by hand and import each system manually.
Best practices
While you won’t use all of the System Tree creation methods, you also probably won’t use just
one. In many cases, the combination of methods you choose balances ease of creation with
the need for additional structure to make policy management efficient.
For example, you might create the System Tree in two phases. First, you can create 90% of
the System Tree structure by importing whole NT domains or Active Directory containers into
groups. Then, you can manually create subgroups to classify systems together that may have
similar anti-virus or security policy requirements. In this scenario, you could use tags, and
tag-based sorting criteria on these subgroups to ensure they end up in the desired groups
automatically.
If you want all or part of your System Tree to mirror the Active Directory structure, you can
import and regularly synchronize the System Tree to Active Directory.
If one NT domain is very large or spans several geographic areas, you can create subgroups
and point the systems in each to a separate distributed repository for efficient updating. Or,
you can create smaller functional groupings, such as for different operating system types or
business functions, to manage unique policies. In this scenario, you could also use tags and
tag-based sorting criteria to ensure the systems stay in the group.
If your organization’s IP address information coincides with your security management needs,
consider assigning IP address sorting criteria to these groups before agent distribution, to ensure
that when agents check into the server for the first time, the systems are automatically placed
in the correct location. If you are implementing tags in your environment, you can also use tags
as sorting criteria for groups, or even a combination of IP address and tag sorting criteria.
Although you can create a detailed System Tree with many levels of groups. McAfee recommends
that you create only as much structure as is useful. In large networks, it is not uncommon to
have hundreds or thousands of systems in the same container. Assigning policies in fewer places
is easier than having to maintain an elaborate System Tree.
Although you can add all systems into one group in the System Tree, such a flat list makes
setting different policies for different systems very difficult, especially for large networks.
Tasks
Creating groups manually
Adding systems manually to an existing group
Importing systems from a text file
Sorting systems into criteria-based groups
Importing Active Directory containers
Importing NT domains to an existing group
Synchronizing the System Tree on a schedule
Updating the synchronized group with an NT domain manually
Creating groups manually
Use this task to create groups manually. You can populate these groups with systems by typing
NetBIOS names for individual systems or by importing systems directly from your network.
Organizing Systems for Management
Creating and populating groups
McAfee ePolicy Orchestrator 4.0.2 Product Guide
52