We are seeing discrepancies in BigFix for total numbers of system in the console, and their respective Active Directory groups. We have machines in our top level Computers Group, that are not reporting in their proper location via country office.
Any idea how often BigFix validates AD membership, and what it is using to make this determination?
This is a significant number, and we would like to understand and resolve it.
I have located 2 articles related to AD synchronization, but neither help explain the discrepancy we are seeing.
According to the article you linked to, it should update every twelve hours. Did you try running the VBScript that is in the first KB article that you linked to? What does it return?
Another thing you could try on a machine that does not have the correct OU is to run the script under the SYSTEM account to see what it returns. I use “PSEXEC -s” to do this sometimes: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx .
Someone please correct me if I’m wrong, but I believe BigFix uses the Client’s SYSTEM account to query AD. Even if your user account can query AD fine, the SYSTEM account may not be able to. Running the script as SYSTEM on machines that have incorrect AD info could either confirm or deny this.