Active Directory Security Groups Inconsistency

Hi All,

Does anyone know why some computers’ Summary under “Active Directory Security Group” is showing “None”?

The users logged in to the computers clearly belong to multiple Security Groups.
Yet BigFix is showing “None”.

We have about 50% of the clients showing “None”.
I’m pulling what remaining hair I have and still unable to find out why it is happening.

That “active directory security groups” appears to be a custom property.

Can you post the relevance and evaluation period you are using? It can be found under Tools -> Manage Properties.

There are 2 “Active Directory Security Groups” in the managed properties.
Both relevances are exactly the same except for the evaluation period. One is set to every 1 hour and the other is set to every report.
Relevance:
unique values of values of components whose (type of it = "CN") of distinguished names (distinguished names of (groups of local computer of active directory; groups of local users of active directory))

The odd thing is, I have 4 users in the AD group for testing, and only 2 computers populated into the BigFix group.
For these 2 that show up, the BigFix console shows each of the 2 users logged in to 2 computers, but only one of which shows up, when at least 4 should show up in the BigFix group.

It looks like those computers whose summary shows “None” (see my screenshot in the first post) are the ones that won’t show up.

Appreciate your help.

Computers showing multiple AD groups under “Active Directory Security Groups” in Summary are working.
What could’ve caused some computers to show “None” under Active Directory Security Groups?

Just to narrow down the cases, are the Computers themselves a member of any groups?
It’d be useful to see whether there is an issue with the Computer’s groups, the logged-on User’s groups, or both.

Computers belong to the “Domain Computers” group, as all our computers do.
The users are added to the security group, which should pull any computers they log in to into the BigFix group (minus the filtered relevance).
I tried to make it simple to troubleshoot. I only have 1 relevance set up on the BF group.

What is driving me crazy is… it does pull 2 computers out of the 4 users’ logged-on computers.
I verified all the users are logged on and BigFix is showing the computers are reporting on the console; they are just not populating into the BigFix group as the other 2 do.

The problem is likely the AD refresh period. By default (and for good reason) it is 12 hours.

This means that the BigFix Client will only query AD for information when it starts and every 12 hours after that.

_BESClient_Inspector_ActiveDirectory_Refresh_Seconds

DO NOT SET THIS VALUE TOO SMALL OR YOUR CLIENT WILL BE STUCK JUST TRYING TO QUERY AD!!

I personally won’t let my Console Operators set it any lower than 4 hours. (14,400 seconds).

I don’t see the _BESClient_Inspector_ActiveDirectory_Refresh_Seconds setting set on any of our clients or relays,
so I’m assuming it is taking the default (12 hours).

That is correct. If you want to test whether the analysis for the properties is working correctly, the BES Client will refresh the AD information when the BES Client is restarted.

Documentation for the various available settings can be found at https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/r_client_set.html
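As an added troubleshooting check (not code from the thread or from HCL), the PowerShell below reports whether _BESClient_Inspector_ActiveDirectory_Refresh_Seconds is set on a Windows client and what interval is therefore in effect. It assumes the client stores its settings as subkeys of HKLM\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client with the configured value in a string named `value` (change `$SettingsRoot` if your install differs), and it takes the 12-hour default and the 4-hour floor from the posts above.

```powershell
# Added example, not from the thread or HCL. Report the effective AD refresh interval of the
# BigFix client on this host, so a fleet-wide "is the setting even present?" check is easy.
# Assumption: client settings live as subkeys under $SettingsRoot with the value in 'value'.

$SettingsRoot          = 'HKLM:\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client'
$SettingName           = '_BESClient_Inspector_ActiveDirectory_Refresh_Seconds'
$DefaultRefreshSeconds = 43200   # 12 hours, the default stated in the thread
$MinimumRefreshSeconds = 14400   # 4 hours, the floor recommended in the thread

function Get-BESClientSetting {
    # Returns the configured string for a client setting, or $null when it is not set.
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path -Path $SettingsRoot -ChildPath $Name
    if (-not (Test-Path -Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name 'value' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.value
}

function Get-ADRefreshStatus {
    # Classifies the setting: Default (absent), Explicit (sane), TooAggressive (below the floor,
    # which the thread warns can leave the client stuck querying AD), or Unparseable.
    $raw = Get-BESClientSetting -Name $SettingName
    if ([string]::IsNullOrWhiteSpace($raw)) {
        $seconds = $DefaultRefreshSeconds
        $status  = 'Default'
    } elseif ($raw -match '^\d+$') {
        $seconds = [int]$raw
        $status  = if ($seconds -lt $MinimumRefreshSeconds) { 'TooAggressive' } else { 'Explicit' }
    } else {
        $seconds = $null
        $status  = 'Unparseable'
    }
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Setting          = $SettingName
        ConfiguredValue  = $raw
        EffectiveSeconds = $seconds
        EffectiveHours   = if ($null -ne $seconds) { [math]::Round($seconds / 3600, 2) } else { $null }
        Status           = $status
    }
}

Get-ADRefreshStatus | Format-List
```

Run it on a computer that shows “None” and on one that shows its groups; if both report `Status : Default`, the refresh interval is not what separates them and the next thing to look at is whether the client could reach a DC at its last refresh (a client restart forces one, as noted above).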

There has been discussion on here about this in the past few months.
The gist was that there was at one time an error whereby a client that failed to gather its AD information would clear the property (instead of just retaining what it already knew about itself).
The thing that was unknown in the discussion was whether that had been fixed.
The problem is that a machine starting up off the corporate network would fail to connect to a DC and promptly delete its known AD info - leading to the symptoms you see, and the extended refresh period doesn’t help either (but I can well imagine it is a resource-hungry inspector).

Do you remember which version of the BES Client was doing this?

Interesting information here from AlanM

This isn’t the thread I saw, but it does note the bug.

This is the post I recalled, and it agrees with the problems I have had (on more recent versions of the client) with the cached information being removed on clients that can’t see a DC when they query AD.

The current BigFix and Client version is 10.0.0.133. I don’t remember seeing the issue on 9.5.14.

Thanks TimRice !!

My apologies to all for the late update.
I did add “_BESClient_Inspector_ActiveDirectory_Refresh_Seconds” to some of the problem computers that did not have the setting, and it seems to have worked.

I hesitated because I was trying to find out the difference between the one with “…_Refresh…” vs “…_UserRefresh…”

Any updates on OLDIEMUSER’s issue? We have some of the same problems.
We have Computer Groups built off four (4) AD Security Groups; two work (domain A) and two do not (domain B). I got a report that this worked a month ago.

  • Client versions 9.5.13.130
  • Computer Group is about 300 computers, currently only showing 50 because it is missing two AD groups

The Custom Properties for ‘AD Security Groups’ show mixed status from the missing endpoints

or
The expression could not be evaluated Windows Error 0x80041010 Invalid Class

Relevance:
(version of client >= "6.0.0.0") AND (
(exists true whose (if true then (exists (following texts of firsts "=" of preceding texts of firsts "," of string values of selects ("DS_MemberOf from DS_Computer where DS_Name='" & computer name & "'") of wmi "root\directory\ldap") whose (it as string as lowercase contains "xxxx Dev Group 2" as lowercase)) else false))
OR (exists true whose (if true then (exists (following texts of firsts "=" of preceding texts of firsts "," of string values of selects ("DS_MemberOf from DS_Computer where DS_Name='" & computer name & "'") of wmi "root\directory\ldap") whose (it as string as lowercase contains "xxxx QA Group 2" as lowercase)) else false))
OR (exists true whose (if true then (exists (following texts of firsts "=" of preceding texts of firsts "," of string values of selects ("DS_MemberOf from DS_Computer where DS_Name='" & computer name & "'") of wmi "root\directory\ldap") whose (it as string as lowercase contains "GRP-NonProd Group 2" as lowercase)) else false))
OR (exists true whose (if true then (exists (following texts of firsts "=" of preceding texts of firsts "," of string values of selects ("DS_MemberOf from DS_Computer where DS_Name='" & computer name & "'") of wmi "root\directory\ldap") whose (it as string as lowercase contains "GRPDMZ-NonProd Group 2" as lowercase)) else false))
OR (exists true whose (if true then (exists (computer name) whose (it as string as lowercase contains "hostname1" as lowercase)) else false))
OR (exists true whose (if true then (exists (computer name) whose (it as string as lowercase contains "hostname2" as lowercase)) else false))
)

I will have to put in a Support ticket if I can’t figure out where this is broken.

Thanks!
Mark in Miami
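As an added example (not Mark’s relevance, not OLDIEMUSER’s, and not HCL code), the PowerShell below does on one endpoint what the two posted relevances ask of the data: it runs the same WQL query against the root\directory\ldap provider that Mark’s relevance uses, takes the CN component of each returned group DN the way both relevances do (`following texts of firsts "=" of preceding texts of firsts ","`, or `components whose (type of it = "CN")` in OLDIEMUSER’s), and then applies Mark’s case-insensitive substring match. The point is to separate the two failure modes in this thread: the query raising 0x80041010 (WBEM_E_INVALID_CLASS, the provider or class not being available on that host) versus the query succeeding but returning no group DNs. The group names are the anonymised placeholders from the post, not real groups; `DS_Computer`, `DS_Name` and `DS_MemberOf` are the class and property names the relevance itself uses.

```powershell
# Added example, not from the thread. Reproduce the relevance's WMI lookup and DN parsing
# on a single endpoint so you can see whether the provider or the data is the problem.
# Group names are placeholders copied from the post; replace with your own.

$GroupsToMatch = @('xxxx Dev Group 2', 'xxxx QA Group 2', 'GRP-NonProd Group 2', 'GRPDMZ-NonProd Group 2')

function Get-CNFromDN {
    # Equivalent of: following texts of firsts "=" of preceding texts of firsts "," of <dn>.
    # Caveat shared with the relevance: an escaped comma inside the CN (CN=Smith\, John,...)
    # is cut at the backslash-comma, so such names come back truncated.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $first = $DistinguishedName.Split(',')[0]
    $eq = $first.IndexOf('=')
    if ($eq -lt 0) { return $null }
    return $first.Substring($eq + 1)
}

function Get-ComputerADGroupCNs {
    # Same query the relevance runs: DS_MemberOf from DS_Computer where DS_Name='<name>'.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $safeName = $ComputerName.Replace("'", "\'")   # WQL string literal escaping
    $query = "SELECT DS_MemberOf FROM DS_Computer WHERE DS_Name='$safeName'"
    try {
        $rows = @(Get-CimInstance -Namespace 'root\directory\ldap' -Query $query -ErrorAction Stop)
    } catch {
        # 0x80041010 / "Invalid Class" here is the error from the thread: the LDAP WMI provider
        # does not expose DS_Computer on this host, so the relevance cannot evaluate at all.
        throw ("WMI query failed on {0}: {1}  (0x80041010 'Invalid Class' means the " +
               "root\directory\ldap provider or DS_Computer class is unavailable here.)") -f $ComputerName, $_.Exception.Message
    }
    if ($rows.Count -eq 0) { return @() }   # no DS_Computer object with that DS_Name
    # DS_MemberOf is an array of group DNs; null/empty when the computer is in no groups.
    return @($rows | ForEach-Object { @($_.DS_MemberOf) } |
             Where-Object { -not [string]::IsNullOrEmpty($_) } |
             ForEach-Object { Get-CNFromDN -DistinguishedName $_ } |
             Where-Object { $_ })
}

function Test-ComputerInGroups {
    # Applies Mark's test: "it as string as lowercase contains <group> as lowercase".
    # Note this is a substring match, so 'xxxx Dev Group 2' also matches 'xxxx Dev Group 20';
    # use an exact -eq comparison if that over-match is not intended.
    param([string[]]$Groups = $GroupsToMatch, [string]$ComputerName = $env:COMPUTERNAME)
    $cns = Get-ComputerADGroupCNs -ComputerName $ComputerName
    foreach ($g in $Groups) {
        $hit = $cns | Where-Object { $_.IndexOf($g, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 }
        [pscustomobject]@{ Computer = $ComputerName; Group = $g; Member = [bool]$hit; MatchedCN = ($hit -join '; ') }
    }
}

"Group CNs returned for $env:COMPUTERNAME:"
Get-ComputerADGroupCNs | ForEach-Object { "  $_" }
Test-ComputerInGroups | Format-Table -AutoSize
```

If the script throws the Invalid Class message on the domain B machines but lists groups on domain A machines, the difference is the WMI LDAP provider on those endpoints rather than the group membership, which is worth stating up front in the support ticket; if it lists no CNs at all, the relevance is evaluating fine and the membership data itself (or the computer object the query finds) is what to check.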