Check Endpoints vs AD Objects

Is there any way to check endpoints (active or inactive) vs domain AD Computers? Looking to make a quick and efficient way to remove any endpoints that are not currently in active directory. This relies on AD being 100% up to date (which it unfortunately isn’t) but it is a start to a project to clean up BigFix and AD.

There is an Active Directory Path property in BigFix which reports where the Computer thinks it is in AD.

You can use this property to identify devices not currently in Active Directory.

I’m relatively new to the entire BigFix infrastructure - I just started with my current position a few weeks ago and am still trying to learn some of the basics.

We have it set for devices to be removed after 90 days of inactivity. I’m just looking to create a custom action that will remove devices no longer in AD.

When a device is removed from AD - it’s generally offline from the network. So while the AD Path property is handy, it won’t report that it’s lacking an AD path because it’s offline, correct?

If there’s something I’m missing let me know - don’t be afraid to sound condescending, I’m a complete beginner.

So to be clear – you have deleted the computer out of AD.

Per your statement, “I’m just looking to create a custom action that will remove devices no longer in AD.”

Which of the following describes what you mean when you say, “remove devices”?

  1. Remove the computer’s domain join so it’s local only
  2. Delete the IBM BigFix Agent off the device
  3. Remove the computer from the BigFix Console

When you say, “it’s generally offline from the network” do you mean it’s on some other network like someone’s wifi or it’s in a box and powered off?

I want to remove the device entry from the BigFix database - delete the object from the IBM BigFix Console.

We have a high turnover for devices - so when they become end of life they are removed from AD and disconnected/recycled. To my understanding, the device has to be online to report that it no longer has an OU path in AD - so if it hasn’t reported that it doesn’t, the last reported OU will remain in the console entry.

Sorry if I’m not being clear

So actions run on clients, not on the server, so you won’t be able to use an action to do this.

You’d probably want to use the REST API (https://developer.bigfix.com/rest-api/api/computer.html), identify which computer id you want to delete and do an HTTP REST Call:
DELETE api/computer/{computer id}

That’s a good point - something that skipped my mind earlier when I was thinking of this.

I’ll have to think of some other way to do it. So far I just did an AD pull and did a comparison to a BigFix pull, but there’s lots of discrepancies and 1 by 1 seems to be tedious…

Well I think ideally you’d write a script which checks for devices in the AD recycle bin, locates their Distinguished Name, compares that to the Active Directory Path property in BigFix and does that rest call for each one in the AD recycle bin.
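A sketch of the comparison script described above, added here as an example rather than anything from the thread or from BigFix itself. It assumes the XML shape of GET /api/computer/{id} responses (a Computer element carrying Property children named "Computer Name", "Active Directory Path" and "Last Report Time") and uses constructed sample responses, a constructed AD DN export and a hypothetical server URL; it only lists the DELETE targets, and it skips any device that has checked in recently, because, as the original poster notes, AD is not guaranteed to be current.

```python
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime
from datetime import datetime, timedelta, timezone

BASE_URL = "https://bes.example.local:52311"  # hypothetical BigFix root server

def computer_xml(cid, name, ad_path, last_report):
    """Build a constructed GET /api/computer/{id} response body for the sample."""
    return (f'<BESAPI><Computer Resource="{BASE_URL}/api/computer/{cid}">'
            f'<Property Name="Computer Name">{name}</Property>'
            f'<Property Name="Active Directory Path">{ad_path}</Property>'
            f'<Property Name="Last Report Time">{last_report}</Property>'
            '</Computer></BESAPI>')

NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible
def stamp(days_ago):
    return (NOW - timedelta(days=days_ago)).strftime("%a, %d %b %Y %H:%M:%S +0000")

SAMPLE_RESPONSES = [  # constructed: one in AD, one gone and silent, one gone but still reporting, one never joined
    computer_xml(101, "WS-ALPHA", "CN=WS-ALPHA,OU=Workstations,DC=example,DC=local", stamp(1)),
    computer_xml(102, "WS-BRAVO", "CN=WS-BRAVO,OU=Workstations,DC=example,DC=local", stamp(120)),
    computer_xml(103, "WS-CHARLIE", "CN=WS-CHARLIE,OU=Workstations,DC=example,DC=local", stamp(2)),
    computer_xml(104, "WS-DELTA", "", stamp(200)),
]
AD_COMPUTER_DNS = {  # constructed stand-in for a Get-ADComputer DistinguishedName export
    "CN=WS-ALPHA,OU=Workstations,DC=example,DC=local",
}

def parse_computer(xml_text):
    """Pull the fields the comparison needs out of one computer response."""
    comp = ET.fromstring(xml_text).find("Computer")
    props = {p.get("Name"): (p.text or "") for p in comp.findall("Property")}
    return {"resource": comp.get("Resource"), "name": props.get("Computer Name", ""),
            "ad_path": props.get("Active Directory Path", "").strip().lower(),
            "last_report": parsedate_to_datetime(props["Last Report Time"])}

def deletion_candidates(responses, ad_dns, now, min_idle_days=90):
    """Resource URLs to DELETE: AD path known, absent from AD, and silent for min_idle_days."""
    ad_dns = {dn.lower() for dn in ad_dns}  # DNs compare case-insensitively
    out = []
    for r in map(parse_computer, responses):
        if not r["ad_path"] or r["ad_path"] in ad_dns:
            continue  # never domain-joined, or still present in AD
        if now - r["last_report"] < timedelta(days=min_idle_days):
            continue  # AD may simply be lagging; a device still checking in gets reviewed, not deleted
        out.append(r["resource"])
    return out

if __name__ == "__main__":
    for url in deletion_candidates(SAMPLE_RESPONSES, AD_COMPUTER_DNS, NOW):
        print("DELETE", url)  # dry run: issue the real REST call only after reviewing this list
```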