(imported topic written by murtasma91)
How often are group memberships evaluated by clients? I have several automatic groups setup that had membership properties changed early this morning. I have not see any additonal clients added/removed to the automatic gorup since the change was put in place. Is there an action I can push out to have clients evaulate group memberships again?
(imported comment written by SY57_Jim_Montgomery)
In my experience a new client evaluates group memberships usually 30-45 minutes after install, but I’m on a pretty big network and we have tons of actions and policies in the action site for him to look through.
Groups operate a LOT like fixlets, so it’s my opinion that however long it takes a client to cycle through all the fixlet content that he’s subscribed to will be the maximum amount of time before he may change group membership.
For me, that’s somewhere between 30 and 90 minutes, usually.
–Jim
(imported comment written by murtasma91)
What happens when you modify the relevance for a group? If a client evaulates a group and discovers it’s not a member of the group will it ever try again in the future?
(imported comment written by SY57_Jim_Montgomery)
Yeah, its just like a fixlet. When you modify the relevance, the group definition is published to the actionsite, the client sycnhronizes the content (eventually, when he realizes its changed) and then he eventually gets around to re-evaluating the group membership.
For example, my organization places a certain registry key on all our computers to help keep track of which department manages them. We have about 15 automatic groups that just query that key and look for their specific value (Dept A, or Dept B for example). The client evaluates the group and sees, oh yes, I have Dept A, therefore I’m relevant to this group, therefore I’m in the Group.
When we change the registry key, eventually (30-90 mintues) the client switches which group he is in.
–Jim
(imported comment written by MrFixit)
To help with the group updates I’ve moved most of my automatic groups to a customsite along with other partitioning of content and then I use the action command “Notify Client ForceRefresh” in a task to get everything in that specific customsite to get re-processed right away. So if I make a change that I want to get updated ASAP I will issue that task targeting those systems that need to process that more immediately. What I see from the debug log is that the client will immediately start a re-evaluation of the complete site contents and report those results.
This doesn’t appear to help in those situations when you have a AD / OU change and your groups are based on AD info since that is cached. I’m interested if anyone has a way to trigger the client to update that cache. I’ve thought about trying to change the poll value and then change back to default and see if that would cause it to re-evaluate but haven’t had time to pursue.
Knowledge base articles with more info:
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=556
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=313
I have found that the “Notify Client ForceRefresh” will also work for Analyses / Properties to get updates right away instead of waiting for the time required to pass for those set for a long duration … like 1 week or 30 days. This has allowed us to move more of analyses properties to evaluate at periods greater than 1hr and most are > 1 day, reducing the overall client loop time.
(imported comment written by murtasma91)
Hi MrFixit I think your Client Refresh action would really help us with operator delegation. We appear to have a similar delegation model in our envrioment.
For the action do you just take a custom action against machines with the following action script?
Notify Client ForceRefresh
(imported comment written by MrFixit)
Right.
I suggest you turn on the debug logging and do you own testing.
Also, I do not let all of the operators at these tasks only my level 2 and level 3 support people have them.