I’m noticing a kind of annoying behavior on 9.5.3 mobile clients.
The BigFix agent caches AD information for users but will overwrite this information whenever the agent samples AD next.
The AD cache gets overwritten regardless of whether or not the new information is valid.
Suppose you had a mobile user who was in the office:
User is in the Office or Connected to VPN
BigFix Agent Queries AD and caches their AD Group Information
User leaves the Office and goes home
BigFix Agent Queries AD and replaces the cached AD Group Information with an error.
The error that gets recorded (and replaces any cached AD info) is: Failed to get attribute "distinguishedName" : Windows Error 0x8007054b: The specified domain either does not exist or could not be contacted. Domain: myDomain
This would mean anything you’ve got targetting a user’s group membership will stop working when they no longer have a direct connection to AD. In addition, the query: groups of logged on user of active directory will report “Singular Expression refers to non-existent object”
My preferred behavior would be that the cache would be untouched in cases of an error like this.
My guess is that this error is being generated by the API the BigFix client is using and it isn’t doing anything to trap the error and just passing it through, which it shouldn’t in this case.
How can I test for the condition where the AD cache has been overwritten and the cache file for the logged on user has the error message:
Failed to get attribute "distinguishedName" : Windows Error 0x8007054b: The specified domain either does not exist or could not be contacted.
It appears that this relevance may work:
concatenation of (unique values of values of components whose (type of it="CN") of distinguished names (distinguished names of (groups of local users of active directory))) != ""
