Active Directory OU computer object automatic Groups

I have an issue where systems aren't showing up in their Active Directory automatic groups due to the property "Active Directory Path".

I've looked over a bunch of articles and I believe I know why, but am looking for suggestions on how to get around it. The systems that are having the issues are remote systems; these do not touch the domain controllers. They are joined while at the office and pick up GPOs etc. But once they leave the office, they never touch the domain controllers again. As far as I can gather the OU cache deletes after some time. I believe this is what is causing the issue?

What I don't understand is that TEM has access to AD. Can it not make those associations by what AD lists the computers as belonging to?

Let’s start by clearing up one misconception. The TEM (aka BigFix) Server doesn’t KNOW anything about Active Directory. The BigFix server doesn’t query AD for anything. The BES Clients report information about Active Directory, and the Console displays it as a collapsible tree structure for you.

If your Computers are not connecting to Active Directory on a regular basis, even THEY may not know what Groups they are members of.

The BigFix Client will, by default, only check AD Computer Properties every 12 hours. You can adjust this setting, but setting it too low can have VERY heavy impacts on the BES Client performance (responding to Actions, evaluating properties, etc). I have a group that has been setting the Active Directory Refresh property to 4 hours, and I consider that a little on the low side. I would prefer 6-8 hours, but they insisted on 2 refreshes per Business day.

Unless you can resolve the issue with your Computers not reporting to AD because they are outside the network, there really is not going to be a way for BigFix to make use of any Group Memberships.

You might want to consider Semaphore files. The idea is that rather than relying on AD Groups that the computers themselves are never seeing, you can use BigFix itself to drop Text files in a folder (or add lines to a text file) kept under the BES Client folder (to protect it from nosy users).
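One way to implement the semaphore-file idea described above, as an added example that is not part of the original reply: a BigFix action script that drops a small text file under the BES Client folder, which a custom property (and then an automatic group) can read back. The folder name "Semaphores", the file name "group.txt" and the group label "RemoteSales" are assumptions for illustration; "parent folder of client" is the standard expression for the BES Client installation folder.

```bigfix
// Added example: mark this endpoint as a member of a BigFix-managed group
// by writing a semaphore file under the BES Client folder, where ordinary
// users normally cannot edit it. Folder, file and group names are assumed.
parameter "SemDir" = "{pathname of parent folder of client}\Semaphores"

// Create the semaphore folder if it does not exist yet
folder create "{parameter "SemDir"}"

// Build the file contents; each line is one group label this endpoint belongs to
delete __createfile
createfile until _END_
RemoteSales
_END_

// Replace any previous semaphore (copy fails if the destination already exists)
delete "{parameter "SemDir"}\group.txt"
copy __createfile "{parameter "SemDir"}\group.txt"
```

To consume it, define a retrieved property with client relevance such as `if exists file "group.txt" of folder "Semaphores" of parent folder of client then lines of file "group.txt" of folder "Semaphores" of parent folder of client else "None"`, then build the automatic group on that property (for example, property value equals "RemoteSales"). Because the client evaluates this locally, it works whether or not the endpoint can ever reach a domain controller; removing the machine from the group is just an action that deletes the file.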

The BigFix server actually is capable of querying an LDAP Server. It can import users which are part of an LDAP domain (either AD or generic). However I don't think it can query information on the computers of a DC. So it is not entirely true that the server doesn't know "anything" about AD.

The only thing a BigFix server does with an LDAP, AD Domain Controller, or SAML source is authenticate user login attempts. It does not gather any information about the structures within the environments.

The general Rule of Thumb with BigFix is that the ONLY component that gathers data for insertion into the BigFix “database” is the BigFix client installed on the Endpoints. There is no way I’m aware of to “insert” other data into the database.


Yes you are right. I thought that at least the user group hierarchy was imported, but I figured out that you can only map one single user to an operator.

For the data you are right if you mean data coming from computers. However other data is "uploaded" to the server (which manages the database) also from the Console, WebReports, WebUI and all clients which make use of the REST API.

That seems really awkward to have 1000s of clients all pinging the domain controller (yes, I understand the setting to prolong it), then having all of those middlemen updating the database, when the server itself should just grab the hierarchy, with refreshes going from 12 hours to literal minutes. I'm guessing there is something I'm missing in the equation though, as this tool appears to be pretty well thought out and has been around a while.

Guess I will need to find a different way to try and do this automated. I'll do some more searching… this seems like it should be more common… surely other companies have remote people that never hit back to a domain controller. I'll look into the semaphore files, but that sounds like more of a manual process with upkeep.

I haven't seen much usage of Active Directory properties from my customers… it's often quite disjointed, with one BigFix deployment managing systems from several domains, and machines with no domain at all.