I have created a group in our domain to place computers in entitled “AD-BIGFIXTEST”. I then added a few active computers that I knew also appeared in BigFix. I then set up an automatic group in Bigfix with the following relevance as true:
(version of client >= "6.0.0.0") AND (exists true whose (if true then (( ((exists value whose (it as lowercase = "AD-BIGFIXTEST" as lowercase) of components whose (type of it = "CN") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory)) else false))
Even after sending a refresh to the endpoints I am not seeing any show up in the group. Did I go wrong somewhere here? It’s worth mentioning I am sure we have a stable LDAP connection as nearly all login accounts use LDAP authentication.
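The relevance in the question is evaluated on each endpoint, not on the root server. As an added example (not code from this thread or from BigFix), the following Python reproduces that check over constructed sample DNs: it splits each DN into its components, honouring RFC 4514 backslash escapes, and compares the target name case-insensitively against every CN component of the computer's own DN and of its group DNs. The sample DNs and the function names are assumptions of this example.

```python
# Added example, not code from the thread or from BigFix: a model of the
# check the automatic-group relevance asks each endpoint to perform.
# The DNs below are constructed sample data; the function names are my own.

TARGET_CN = "AD-BIGFIXTEST"   # group name from the question


def split_dn(dn):
    """Split an LDAP DN into (ATTR, value) pairs.

    Handles RFC 4514 backslash escapes, so 'CN=Smith\\, John,OU=x' yields
    [('CN', 'Smith, John'), ('OU', 'x')] instead of splitting on the comma.
    """
    pairs, attr, value, in_value, escaped = [], [], [], False, False
    for ch in dn:
        if escaped:                       # previous char was a backslash
            (value if in_value else attr).append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:  # first unescaped '=' ends the type
            in_value = True
        elif ch == "," and in_value:      # unescaped ',' ends the RDN
            pairs.append(("".join(attr).strip().upper(), "".join(value).strip()))
            attr, value, in_value = [], [], False
        else:
            (value if in_value else attr).append(ch)
    if attr or value:
        pairs.append(("".join(attr).strip().upper(), "".join(value).strip()))
    return pairs


def cn_components(dn):
    """All CN values of a DN (the relevance's components whose type is CN)."""
    return [v for t, v in split_dn(dn) if t == "CN"]


def matches_auto_group(computer_dn, group_dns, target=TARGET_CN):
    """Mirror of the relevance: True if any CN component of the computer's own
    DN or of any of its group DNs equals target, compared case-insensitively.
    Only the CN is compared, so a group with the same CN in a different OU
    matches as well."""
    for dn in [computer_dn, *group_dns]:
        if any(cn.lower() == target.lower() for cn in cn_components(dn)):
            return True
    return False


# Constructed sample data for a workstation that is in the test group.
SAMPLE_COMPUTER_DN = "CN=WS-0042,OU=Workstations,DC=corp,DC=example"
SAMPLE_GROUP_DNS = [
    "CN=Domain Computers,CN=Users,DC=corp,DC=example",
    "CN=ad-bigfixtest,OU=BigFix,DC=corp,DC=example",   # lower case still matches
]

if __name__ == "__main__":
    print(matches_auto_group(SAMPLE_COMPUTER_DN, SAMPLE_GROUP_DNS))   # True
```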
Not really, as doing so could put such a burden on your AD server that it collapses (think 100K or more endpoints suddenly asking for the information all at once).
There is a Client Setting that will adjust how frequently the BES Client polls your AD. As @alan mentions, you need to take care with this setting. The unit for the setting is SECONDS, and be sure to not make your clients refresh more frequently than once every 3-4 hours. You could adversely impact both your AD Domain Controllers as well as your BES Client performance.
The setting you are interested in is … _BESClient_Inspector_ActiveDirectory_Refresh_Seconds
The Active Directory Computer information (For the computer object) updates at the interval set by that client setting you mentioned.
The Active Directory User information (For the logged on user) updates when the user logs in.
It looks like this in the client log:
At 15:10:28 -0500 -
User interface process started for user 'strawgate'
At 15:10:39 -0500 -
ActiveDirectory: User logged in - Domain: AD User: strawgate
ActiveDirectory: Refreshed User Information - Domain: AD User: strawgate
Thank you all for your assistance! If it refreshes on login we should be okay, except for those situations where the user is logging in via VPN and has no AD connection on local login.
It should be possible to trigger a Group Policy Update upon VPN connection.
Here is an example that triggers a Symantec AV Definitions update on the managed client upon the connection of the old Cisco VPN: https://bigfix.me/fixlet/details/743
The same concept can be applied to anything that requires VPN access to function and can have an update triggered through the command line, as long as you can figure out some relevance to detect when the VPN connects.
Is there no way to get the automatic actions groups populated from the IBM servers itself, instead of waiting for the client to report back?
Why does the BigFix server itself not check with the AD security groups to see what members there are?
The root server doesn’t populate the automatic groups, it is the endpoint that determines if it belongs or not. Everything is endpoint based. You define the relevance on the root, it gets sent out to the endpoints, they evaluate it, then they report their status back to the root and then they show up.