Hello,
I am trying to create an automatic computer group based on the users in an Active Directory Group. I have this relevance and saw 2 of the 12 users show up on 3 computers, 1 user logged in twice, but now they are going away.
exists names whose (it = "UserGroup") of groups of local users of active directory
Am I missing something? All of the users are reporting in as logged in to PCs.
Thanks!
The challenge here is that "local users of active directory" just returns users with cached information on the endpoint.
So what is the exact behavior you’re trying to achieve?
A BigFix group that contains computers where the currently logged on user is a member of a specific active directory group?
A BigFix group that contains computers where some previously logged on user is a member of a specific active directory group?
Something else?
Strawgate, We are trying to collect PC names based on active logged in user based on a specific user group.
So the first problem is using "local users of active directory", as this just pulls any active directory users cached on the system.
I think you want something more like this:
exists names whose (it = "UserGroup") of groups of active directory users of users of logged on users
Unfortunately this is not working either. It is odd that I had 3 PCs, 2 users, out of 12 show up then go away.
Try this:
exists groups whose (name of it = "myGroup") of logged on users of active directory
For some reason the method I was trying before doesn’t propagate through to an AD User object.
You’re sure these just aren’t people logging off? They should fall out of the group when nobody is logged-on.
Jason, Yes, I am one of the users and I am still logged in. I am using my teams group as a test and we are all logged in. I have tried logging out and back in and logging into other machines.
Strawgate, I have one PC in there now.
This group will be fluid for a short period of time. We have shared PCs all over and users who do not have an assigned PC that we need to target. So my plan is to leverage the AD group so that the other team can add users as they are to be migrated, then remove them when finished. I cannot find an easy way to target large groups of users otherwise.
Looks like this worked, however, it appears to be only if a user logs in and not if they are currently logged in.
You will have to keep in mind that BigFix doesn’t update Active Directory group membership for logged in users very often.
I believe group membership is updated on login, and every 12 hours by default. This means adding a user to a group while the user is logged in will take 12 hours to reflect via relevance (assuming the change has propagated to the domain controller the client is using) https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0023242#:~:text=The%20cache%20will%20be%20updated,update%20in%20your%20BigFix%20Console.
I have Fixlets in C3 Platform Kickstart for adjusting the refresh interval to something more frequent than every 12 hours:
20 Minutes
60 Minutes
240 Minutes
Thank you for this! The test group has been in production for a few years and the users don’t change much. My local PC has not shown up but my test PC that I RDP into did show up and disappeared as I logged out. Just curious why it would need to log in for it to work.
I expected the 12 hours and feel that is fine to capture the users and run the script for the migration. We will probably do it in chunks of a few hundred for a week or so per group.
Another thing to keep in mind is that it's the BigFix client on the user's device which checks the user's group membership, so if the client is offline or unable to contact Active Directory when the user logs in then you wouldn't see groups for the user.
Unfortunately in our environment "of groups of active directory" doesn't work very reliably; it seems to be blocked when on VPN, and also inside the network it sometimes returns no values.
I wanted to use it to add a bunch of software as offers based on AD group memberships, so that, for example, Finance users always get all the finance tools in the BigFix Self-Service portal automatically.
What do you think of this workaround:
Create an action that runs periodically when domain users are logged on:
// Step 1: Ensure the output directory exists
folder create "C:\ProgramData\BIGFIX_Data"
// Step 2: Generate a temporary script to run GPRESULT and capture the output
delete __appendfile
delete run_gpresult.bat
delete "C:\ProgramData\BIGFIX_Data\gpresult.log"
appendfile @echo off
appendfile GPRESULT /R > "C:\ProgramData\BIGFIX_Data\gpresult.log"
move __appendfile run_gpresult.bat
// Step 3: Run the batch file as the currently logged-on user
override wait
runas=currentuser
hidden=true
wait cmd /c run_gpresult.bat
// Step 4: Cleanup the temporary batch file
delete run_gpresult.bat
So then in your other actions of the software which you want to deploy as offer, you can use the relevance to check the existence of a particular group in the log file:
exists file "C:\ProgramData\BIGFIX_Data\gpresult.log"
AND (exists lines whose (it contains "APP_Finance_1_Users") of file "C:\ProgramData\BIGFIX_Data\gpresult.log" OR exists lines whose (it contains "APP_Finance_2_Users") of file "C:\ProgramData\BIGFIX_Data\gpresult.log")
Conceptually it seems OK; since you're running in user context there might be a better chance of reaching AD, or maybe gpresult gives cached results if the domain isn't reachable.
A couple of things worth noting from the 'Considerations' at the top of my override post at "Tip - Action Override User settings", though:
- The logged-on user may not have access to the __BESData directory where your run_gpresult.bat is. You might need to copy it to a path the user can read first.
- The logged-on user may not have access to write to the ProgramData directory, so the write might fail; or, even worse, you might get the 'shadowed' directories where each user account gets its own view. So for one user it looks like the output file is there, and for another user (or LocalSystem) the file is not there. You might want to have the script write its output some place the user can write, and then after the 'wait' command have the actionscript copy it from the user directory over to ProgramData.