I’ve seen a few machines returning error for actions that are deployed by non-master operators.
The action detail has the following message:
This action was not executed because the operator who created it is not an administrator of this client
The operators are memmbers of a role that has computers assignment by the Computer Type property = Workstations and Server and a second custom property that allows manage an specif group.
The operators can see the machines from console and they are able to deploy the actions.
If I reset the clients they run the actions without problem.
I would like to know if there is any way to identify all machines that are in this state and if there is a better way to fix the problem without resetting them.
We use a Combination of AD OU and Custom Property values to assign computers to Roles and LDAP/AD Groups to associate users with the Roles as CO’s.
I’ve had trouble in the past with all the computers in a Role deciding to stop trusting 1 or 2 Console Operators associated with the Role. The computers still report to the Role correctly, other CO’s can still manage them, they just don’t trust actions from the “CO of the Moment”. My solution has been to remove the Operator from the AD group that adds them to the Role, send a blank action to all the computers in that Role, then add the user back to the AD group, and send a second blank action. I don’t know that the actions are required but it’s one of those cases where you find a solution that works and stick with it.
This only happens to us maybe once a year. It has happened to the same CO quite a few times, but it has happened to others as well.
Our installation has ~43k endpoints with ~200 Console Operators.
I’ve been leaning toward blaming our AD Infrastructure since there have been a few changes in how our accounts are managed, and depending on when an account was created, the Name shows up differently under the Operators section.
Thanks for sharing your experience, I’ll definitely try that. It would be great if someone from IBM could at least give us a reason for that. I don’t have BigFix integrate with any LDAP, but the behavior is the same as described by you.
In our case, Membership in the Automatic Group is dependent upon the value of the Property and/or an AD OU.
In my case it’s one called “Owner” and can be set by each Supporting Group at client install time via ClientSetting.cfg or a Registry Key under Windows.
We also have an Opened Ended Action that looks for a text file in a particular location. The Action pulls the first line from the file and sets the Owner Property to that Value. The Action then renames the text file.