Custom Relevance Statement issue

Trying to nail down some custom relevance statements for Automatic Computer Group assignment for the purpose of Patching Organization and automatic subscription.

Right now I have a computer Group for “Windows 7 Workstation Patches” and I want all the machines in an AD OU containing “Bigfix-Staging” AND OS containing “Win7” to automatically join this group.

My current custom relevance statement is as follows:

exists true whose (distinguished name of local computer of active directory contains "bigfix") AND exists true whose (if true then (exists (operating system) whose (it as string contains "win7")) else false)

I tried this in the Fixlet Debugger (single clause relevance section) and receive no errors but my output is False. I also have a machine in that OU with Win7 OS and it is not joining the group automatically so I can only assume the relevance is not working properly.

Relevance is a stickler for capitalization. Try this:

exists true whose (distinguished name of local computer of active directory as lowercase contains "bigfix") AND exists true whose (if true then (exists operating system whose (name of it as lowercase contains "win7")) else false)
1 Like

Cool will give that a go. Just so I am understanding fully - when using the Fixlet Debugger for Relevance Checker, if it turns back an output of False, what is it running that against? The computer I am running the app on?

Yes it uses the inspectors on the PC you’re currently using.

Okay, kind of thought that but just wanted to make sure.

Interesting, so to test the output I made sure the laptop I am running the debugger on has an OS containing “Win7” and I just put the computer object in the “BigFix Staging” OU referenced in the relevance statement. Ran gpupdate, logged off, reopened the Debugger, ran the above relevance and the resulted Output is False.

So when you asked if it’s querying the local client, I misunderstood. By default, it doesn’t evaluate against the local client software. The debugger evaluates as if it is the client itself but there are certain things it’s not capable of doing. You need to tell the debugger to query the client directly by selecting “Debug” > “Evaluate Using” > “Local Client Evaluator”

Sorry, yeah I should have mentioned, I tried using Client Evaluation and still coming up False.

Make the debugger menu > debug > evaluate using > is set to local client evaluator and default is its own library

On your client, does “distinguished name of local computer of active directory” bring up the correct result?

Sorry, yeah I should have mentioned, I tried using Client Evaluation and still coming up False.

So maybe it has to do with the overall properties I’m trying to call? In my relevance statement:

(distinguished name of local computer of active directory as lowercase contains "bigfix")

I want this to be calling for an OU or Active Directory path whose name contains “bigfix”. It appears to me that it might be calling for a name of a computer whose name contains “bigfix”?

When I run the debugger on the client and just run it against the distinguished name string, it results in a Fail, but my laptop doesn’t “bigfix” in it’s name so if that is what it’s looking for, I understand why it’s failing. However it is in an OU with a name containing “bigfix”. If that makes sense?

That string of relevance shows the DN path of the client in the AD tree.

CN=ComputerName,OU=BigFix Staging,DC=domain

Your relevance should pick up the “BigFix” in the OU path I detailed above. If your inspector is not finding the AD path, try rebooting the machine and trying again.

Alright - after reboot, got an Output of True

exists true whose (distinguished name of local computer of active directory as lowercase contains "bigfix staging") AND exists true whose (if true then (exists operating system whose (name of it as lowercase contains "win7")) else false)

Actual OU I want this to reference in Active directory is "BigFix Staging"
Actual OS contains “Win7”

I plan on doing this for Win2012r2 as well. Should be straight forward. I guess now I just wait for the laptop that is in that OU to report into the BigFix Console and Automatic Group.

Thanks for the help @jmaple

could you hint me what is the sense of this construction ?
from my point of view it always avaluates then clause (exists operating system whose (name of it as lowercase contains “win7”))
why not diretly put this as whose condition ?

This is an overly complicated relevance generated by some sort of IBM wizard or dashboard.

You are correct that there isn’t much sense to the construction. I believe it is used primarily to suppress errors.

In general this is why I don’t use automatically generated relevance because it is quite poor.