Create property based on AD attribute called extensionAttribute1

Hello,
Would it be possible for BigFix to read the AD attribute called extensionAttribute1 in order to have a property based on it? If yes, how? If no, is there a workaround?

Thank you.

Look in the files located here: C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\ADCache

BigFix can only really report from AD what is in its cache.

You should be able to report on the OUs of users and computers. You might be able to report on AD groups, but I don’t remember.

You might be able to run a script that could query AD and tag the machine with the info you need BUT you have to be extremely careful with doing anything that queries something over the network from all of your clients because it can all happen at the same time and you can DDoS yourself. There are ways to try to mitigate this, but caution is still warranted.

Looking at that location I see that in the ADObjectLocalComputer.xml file (I need to read the extensionAttribute1 for a device, not for a user) I can only find the DistinguishedName, SampleTime and Domain.

Is there a way to expand that query list in order to include whatever I need (the extensionAttribute1 attribute)?

I don’t think there is any way to tell BigFix to cache arbitrary extra info. Also BigFix can only read from AD what the computer has permission to read about itself since it is using the SYSTEM account to do so.

You would need to check if it is even possible for the computer to query that info using just the SYSTEM account. If so, then it would be possible to query it with an action or for BigFix to cache it, but I don’t think there is a way to tell it to do so currently.

It might be the case that BigFix already caches everything it can, but I’d have to look into it. CC: @AlanM

1 Like

We currently only query specific information but have wanted to be able to extend this to cache other elements but that would definitely be an RFE.

Currently only group membership is cached. The queries are done fairly specifically to not bring down AD servers and the bigger the query set the more likely this is an issue as anything the local OS hasn’t requested already will be fetched in real time from the AD server as the cache is updated.

4 Likes

Sorry to restart on an old topic!

But I really need the ability to have certain attributes like EmployeeID sync from the AD.

How can I get it to do that?

Otherwise I need to have GPO run a script, grab the info, write it somewhere and then retrieve from there, which seems cumbersome so far.
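The script-based workaround discussed in this thread, written out as an added example (not posted by any participant and not BigFix's own code): run as SYSTEM from a BigFix action or GPO startup script, it reads the computer's own extensionAttribute1 via ADSI, caches it in a registry value that a BigFix property can read, and spreads the load so every client does not hit the domain controller at once. The registry path is a hypothetical location chosen for the example, and it assumes the computer account is permitted to read that attribute on its own object.

```powershell
# Added example: cache this computer's extensionAttribute1 in the registry for BigFix.
# Runs under SYSTEM (computer account); only attributes readable by that account will appear.
# Registry location is a placeholder chosen for this example.
$regPath = 'HKLM:\SOFTWARE\BigFixCustom\ADAttributes'
$attrName = 'extensionAttribute1'

# Random delay so thousands of clients starting together do not all query AD at the same moment
Start-Sleep -Seconds (Get-Random -Minimum 0 -Maximum 600)

if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }

try {
    # Find the domain's default naming context, then this machine's own computer object
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $searcher.PropertiesToLoad.Add($attrName) | Out-Null   # request only the attribute needed
    $result = $searcher.FindOne()

    if ($null -eq $result) { throw "Computer object for $env:COMPUTERNAME not found in $domainDn" }

    # DirectorySearcher lower-cases property names; an unset attribute is simply absent
    $value = ''
    if ($result.Properties.Contains($attrName.ToLower())) {
        $value = [string]$result.Properties[$attrName.ToLower()][0]
    }

    Set-ItemProperty -Path $regPath -Name $attrName   -Value $value
    Set-ItemProperty -Path $regPath -Name 'SampleTime' -Value (Get-Date).ToString('o')
    Remove-ItemProperty -Path $regPath -Name 'LastError' -ErrorAction SilentlyContinue
}
catch {
    # Keep the failure visible locally so it can be reported instead of silently retried
    Set-ItemProperty -Path $regPath -Name 'LastError' -Value $_.Exception.Message
}

# A BigFix analysis property can then read the cached value with relevance such as:
#   value "extensionAttribute1" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFixCustom\ADAttributes" of native registry
```

Running this on a schedule (or as a BigFix policy action) keeps the value current without adding anything to the client's built-in ADCache, and the SampleTime and LastError values let you see which machines have stale or failed lookups.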