Computer Group Based on Active Directory User Group

Hello,

I am trying to create an automatic computer group based on the users in an Active Directory Group. I have this relevance and saw 2 of the 12 users show up on 3 computers, 1 user logged in twice, but now they are going away.

exists names whose (it = "UserGroup") of groups of local users of active directory

Am I missing something? All of the users are reporting in as logged in to PCs.

Thanks!

The challenge here is that local users of active directory just returns users with cached information on the endpoint.

So what is the exact behavior you’re trying to achieve?

A BigFix group that contains computers where the currently logged on user is a member of a specific active directory group?

A BigFix group that contains computers where some previously logged on user is a member of a specific active directory group?

Something else?

Strawgate, We are trying to collect PC names based on active logged in user based on a specific user group.

So the first problem is using local users of active directory as this just pulls any active directory users cached on the system.

I think you want something more like this:
exists names whose ( it = "UserGroup") of groups of active directory users of users of logged on users

Unfortunately this is not working either. It is odd that I had 3 PCs, 2 users, out of 12 show up then go away.

Try this:

exists groups whose (name of it = "myGroup") of logged on users of active directory

For some reason the method I was trying before doesn’t propagate through to an AD User object.

You’re sure these just aren’t people logging off? They should fall out of the group when nobody is logged-on.

Jason, Yes, I am one of the users and I am still logged in. I am using my team's group as a test and we are all logged in. I have tried logging out and back in and logging into other machines.

Strawgate, I have one PC in there now.

This group will be fluid for a short period of time. We have shared PCs all over and users who do not have an assigned PC that we need to target. So my plan is to leverage the AD group so that the other team can add users as they are being migrated, then remove them when finished. I cannot find an easy way to target large groups of users otherwise.

Looks like this worked, however, it appears to be only if a user logs in and not if they are currently logged in.

You will have to keep in mind that BigFix doesn’t update Active Directory group membership for logged in users very often.

I believe group membership is updated on login, and every 12 hours by default. This means adding a user to a group while the user is logged in will take 12 hours to reflect via relevance (assuming the change has propagated to the domain controller the client is using). https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0023242#:~:text=The%20cache%20will%20be%20updated,update%20in%20your%20BigFix%20Console.

I have Fixlets in C3 Platform Kickstart for adjusting the refresh interval to something more frequent than every 12 hours:

20 Minutes

60 Minutes

240 Minutes

Thank you for this! The test group has been in production for a few years and the users don’t change much. My local PC has not shown up but my test PC that I RDP into did show up and disappeared as I logged out. Just curious why it would need to log in for it to work.

I expected the 12 hours and feel that is fine to capture the users and run the script for the migration. We will probably do it in chunks of a few hundred for a week or so per group.

Another thing to keep in mind is that it’s the BigFix client on the user’s device which checks the user’s group membership, so if the client is offline or unable to contact Active Directory when the user logs in, then you wouldn’t see groups for the user.