AD Security Groups Query

(imported topic written by cstoneba)

I am trying to create a new BigFix Automatic Group based on membership of AD Security Groups. I have this value that I can create as a setting, but it takes 3000 ms to evaluate. Does anyone have a different way to do it?

string values of selects ("DS_MemberOf from DS_Computer where DS_Name='" & computer name & "'") of wmi "root\directory\ldap"

(imported comment written by SystemAdmin)

An easier way to do it is to choose Active Directory Path instead of relevance in the drop-down for creating a group.

Active Directory Path contains "OU=ABC,OU=DEF,DC=GHI,DC=JKL,DC=com"

We use many dynamic groups based on AD OU membership. They work well.

(imported comment written by cstoneba)

The AD Path setting uses Organizational Units, not AD Security Groups.

(imported comment written by BenKus)

You should be careful about querying AD through wmi like this… it can create excessive load on your AD controllers so please use caution…

Ben

(imported comment written by SystemAdmin)

Has anyone figured this out? We would like to target by AD computer security group membership. We can see the security groups using "gpupdate", however we don't know how to access the same data via relevance.

(imported comment written by cstoneba)

This is what we are using as a managed property. It seems to work pretty well. As Ben noted, you won't want it to evaluate very often or it could cause a load on your DCs. We have this property evaluation set to "1 day".

following texts of firsts "=" of preceding texts of firsts "," of string values of selects ("DS_MemberOf from DS_Computer where DS_Name='" & computer name & "'") of wmi "root\directory\ldap"

(imported comment written by SystemAdmin)

cstoneba - are you still using the relevance? It returns blank for us under XP and Win7 when run in the relevance debugger.

(imported comment written by AndreiShoro)

Hi, did you manage to get the computers from the AD security group using automatic groups in TEM?

I am working on a project and I have to create some automatic groups in TEM to be synchronized with AD security groups.

I have tried to do it using the relevance:

((exists value whose (it as lowercase = "TEST_AD_SG" as lowercase) of components whose (type of it = "CN") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory

I have also created the security group TEST_AD_SG in AD and added some computers which were online and available in the TEM console.

The problem is that not all the computers from AD populated the group created in TEM.

Any advice?

Thank you,

Andrei
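An added example, in Python rather than relevance and not code from this thread or from BigFix: it parses the group distinguished names that DS_MemberOf (cstoneba's WMI query above) or "distinguished names of groups" (the active directory inspector in Andrei's relevance) return, and tests membership of a named group case-insensitively. It goes a step beyond the text-slicing relevance by honouring RFC 4514 backslash-escaped commas in a CN, which "preceding texts of firsts ','" does not; all DN values are constructed sample data.

```python
# Added example (not from the thread): parse the group DNs that DS_MemberOf or
# "distinguished names of groups" return and test membership of a named group,
# as the relevance above does by text slicing. DN values are constructed samples.
from typing import List, Optional

def split_dn(dn: str) -> List[str]:
    """Split an RFC 4514 DN into RDNs, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape with its char
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]

def rdn_value(rdn: str, attr: str = "CN") -> Optional[str]:
    """Value of an RDN whose attribute type matches attr (case-insensitive)."""
    name, sep, value = rdn.partition("=")
    if sep and name.strip().upper() == attr.upper():
        return value.replace("\\,", ",")
    return None

def group_cns(member_of: List[str]) -> List[str]:
    """CN of each group DN; escape-aware version of the text-slicing relevance."""
    cns = []
    for dn in member_of:
        rdns = split_dn(dn)
        cn = rdn_value(rdns[0]) if rdns else None
        if cn is not None:
            cns.append(cn)
    return cns

def is_member(member_of: List[str], group: str) -> bool:
    """Case-insensitive test, like 'it as lowercase = "TEST_AD_SG" as lowercase'."""
    return group.lower() in (cn.lower() for cn in group_cns(member_of))

# Constructed sample of what DS_MemberOf might hold for one computer object; the
# second entry has an escaped comma in its CN, which naive text slicing mangles.
SAMPLE_MEMBER_OF = [
    "CN=TEST_AD_SG,OU=Groups,DC=example,DC=com",
    "CN=Workstations\\, Finance,OU=Groups,DC=example,DC=com",
    "CN=Domain Computers,CN=Users,DC=example,DC=com",
]
```

Running `group_cns(SAMPLE_MEMBER_OF)` returns the three group CNs intact, and `is_member(SAMPLE_MEMBER_OF, "test_ad_sg")` is True regardless of case.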

(imported comment written by AndreiShoro)

It seems after a while (around 12 hours) the TEST_AD_SG group from TEM contains all the computers from the AD Security Group.

Is there any way to set a smaller time for the synchronisation?

(imported comment written by jgstew)

This may be due to AD caching that prevents the endpoints from over querying the Domain Controllers for relevance evaluations.

It should be the case if you did this with a security group that an endpoint is already a member of, then it would already be in the cache and it should be faster. Is a 12 hour delay acceptable for new security groups or new endpoints?

See here:
http://support.bigfix.com/cgi-bin/inspectorsearch/single_inspector.cgi?cpx=p&keyphrase=distinguished+name+of+%26lt;active+directory+local+computer%26gt;&type=active+directory+local+computer&win&lin&hpux&mac&aix&sol&wm&ubu&client=1

and "_BESClient_Inspector_ActiveDirectory_Refresh_Seconds" here:

https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Configuration%20Settings

(imported comment written by AndreiShoro)

Thank you for the answer. I will try this …

(imported comment written by AndreiShoro)

Using _BESClient_Inspector_ActiveDirectory_Refresh_Seconds = 1200 for the target PC worked fine.

Thank you!