Automatic groups and Active Directory

I want to create an automatic group based off an Active Directory OU. However, under the main OU there are about a dozen sub-OUs that I also want to get systems from. Is there a way to get all systems in an OU and all sub-OUs? Also, can that be filtered further by excluding certain systems based off an AD object property such as description?

I know there is a managed property called Active Directory Path so I am assuming this can be accomplished.

I do this a lot…

( ((exists value whose(it as lowercase = "AD Group Name Here" as lowercase ) of components whose(type of it="CN") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory)

Add it as a relevance Expression for your automatic group.

Sorry, that would be for an AD group… Here is one for an OU:

( ((exists value whose(it as lowercase contains "OU Name" as lowercase ) of components whose(type of it="OU") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory)

This looks great, but we have a Dev OU with a sub-OU called SQL and a Prod OU with a sub-OU called SQL. Where you add the OU name, can I add OU=SQL,OU=Dev? Also, do you know if there is a way to exclude on an AD object property such as description? So if the description contains "Failover" then exclude?

NOT ( ((exists value whose(it as lowercase contains "failover" as lowercase ) of components whose(type of it="OU") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory)

So would I combine the two statements, or would it be a separate relevance? Also, what about the sub-OU issue? I really appreciate your help on this since we never group using AD.

Probably best to do it as one, in case you have other criteria you want to match for the group that don't fall under the domain check.

You can do the same type of thing for sub-OUs…

For example, I’m at a K-12 School system, and our AD has a structure like:

Schools
–Elementary Schools
—ES 1
—ES 2
—ES 3 etc
–Middle Schools
—MS 1
—MS 2
—MS 3 etc
–High Schools
—HS 1
—HS 2
—HS 3 etc

and I’ll want to target all High Schools, so I’ll do

( ((exists value whose(it as lowercase contains "high schools" as lowercase ) of components whose(type of it="OU") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory)

and it'll hit all sub-OUs under the High Schools OU.

Say I want to do this but exclude a specific school. It would simply be:

( ((exists value whose(it as lowercase contains "high schools" as lowercase ) of components whose(type of it="OU") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory) AND NOT ( ((exists value whose(it as lowercase contains "hs 2" as lowercase ) of components whose(type of it="OU") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory)

Make sense? Am I understanding your question?

Yes, that makes sense. I was just not sure how I would look for a property of an AD object such as description. So the second part of the statement above would look at the AD object properties, and if it contains "failover" (even if it is in the description) then it would be excluded.

Oh, and one last thing: I have a Dev OU and then a SQL OU under that, which is the one I want the objects from, but the catch is I have a Prod OU with a SQL OU under that which would be a different automatic group. Sorry, our OU structure is not as organized as I would like to see it.

( ((exists value whose(it as lowercase contains "SQL" as lowercase ) of components whose(type of it="OU") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory) AND ( ((exists value whose(it as lowercase contains "Dev" as lowercase ) of components whose(type of it="OU") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory)

As long as it's a member of both OUs, it's good. So if it's in the SQL OU under Prod it wouldn't be… I assume that's what you're going for?

Well, what we want is to have two auto groups: one for SQL under Dev and one for SQL under Prod. We do not want to combine them.

So make one with relevance that points to the one above, and make a second that replaces the word Dev with Prod.
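An added example, not posted by anyone in this thread, that matches the nested path in order instead of requiring two separate "contains" hits. It assumes a hypothetical DN layout of CN=HOST1,OU=SQL,OU=Dev,DC=corp,DC=example; the OU names SQL, Dev and the exclusion value failover are taken from the thread. Unlike the expressions above, which also scan the distinguished names of the groups the computer belongs to, this checks only the computer's own distinguished name, so a computer is matched by where it sits, not by where its groups sit.

```relevance
/* Added example, not from the thread. Assumed hypothetical DN layout:
   CN=HOST1,OU=SQL,OU=Dev,DC=corp,DC=example
   The leading and trailing commas in the search string keep "OU=SQL,OU=Dev"
   from matching "OU=MSSQL,OU=Dev" or "OU=SQL,OU=DevOps", and because the
   whole DN is searched, machines in any sub-OU beneath SQL still match. */
(exists (distinguished name of local computer of active directory) whose (it as string as lowercase contains ",ou=sql,ou=dev,"))
AND NOT
/* Exclude machines that sit in (or under) an OU named exactly "failover";
   this inspects OU names only, not the AD description attribute. */
(exists components whose (type of it = "OU" and value of it as lowercase = "failover") of distinguished name of local computer of active directory)
```

For the Prod group, change ",ou=sql,ou=dev," to ",ou=sql,ou=prod,"; the two groups cannot overlap because the ordered path is what is compared.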

If I understood the question correctly, if you want the OU and all sub-OUs: in AD (with advanced features enabled), navigate to the primary OU in question and go to its properties. In the Attribute Editor tab, go to the distinguishedName field and copy that data. In your automatic group, choose the drop-down 'active directory path' and then 'contains', and paste in your OU's DN.

For the filtering question, use various forms of 'does not contain' etc., using either keywords from your OU structure or your computer naming convention. There are many ways to accomplish what you're after, but this is the method I landed on.