Problem with targeting computers based on users AD Group membership

Hello Guys,

I have a problem with targeting computers based on users AD group membership. I have checked these BigFix logs:

and here is an example:

    <User>
      <Version>1.0</Version>
      <CacheState>2</CacheState>
      <Name>XXXXXX</Name>
      <DistinguishedName>CN=USER NAME,OU=XXX Server Management,OU=XX XXXX Support,DC=XXX,DC=XXX,DC=XX,DC=XXX-XXX,DC=com</DistinguishedName>
      <SampleTime>Mon, 18 Apr 2016 11:14:43 +0100</SampleTime>
      <GroupsErrorMessage>Failed to obtain some or all memberOf groups : Windows Error 0x80072030: There is no such object on the server.: Domain: XXX</GroupsErrorMessage>
      <Domain>XXX</Domain>
      <Groups>
        <Group>
          <Name>Application AD Group Name</Name>
          <DistinguishedName>CN=Application AD Group Name,OU=XXXXXXX,OU=GROUPS,OU=ADMINISTRATION,OU=WINDOWS 8.1,OU=XXXX - XXX,DC=XXX,DC=XXX,DC=XX,DC=XXX-XXX,DC=com</DistinguishedName>
          <SampleTime>Mon, 18 Apr 2016 11:14:43 +0100</SampleTime>
          <Sid>S-1-5-21-1454471165-1409082233-839522115-246416</Sid>
        </Group>
        <Group>
          <Name>Application AD Group Name</Name>
          <DistinguishedName>CN=Application AD Group Name,OU=Domain Applications,OU=XXXX,OU=XXXXXXX,OU=WINDOWS 8.1,OU=XXXX - XX,DC=XXX,DC=XXX,DC=XX,DC=XXX-XXX,DC=com</DistinguishedName>
          <SampleTime>Mon, 18 Apr 2016 11:14:43 +0100</SampleTime>
        </Group>
      </Groups>
    </User>

Have you ever seen this error:

Failed to obtain some or all memberOf groups : Windows Error 0x80072030: There is no such object on the server.: Domain: XXX

My test user is a member of many AD groups; I have checked it using the gpresult -v command, but BigFix seems to have some kind of problem.

HELP!

I don’t understand AD enough to know if this is correct, but this is an attempt at a possible explanation.

I think this could be due to the permissions of the computer object within AD.

I believe BigFix uses the System account to query AD which should get its permissions from the computer object.

If you are running gpresult -v from an AD user account, then it should use the permissions of that user account to do the query.

There is also some difference depending on the direction of the query. It is often easier to query if the user is a member of a specific group than to query what groups the user is a member of.
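
As an added example (not part of the thread and not BigFix code): a Python check that parses a cached user record of the shape quoted in the first post and reports whether group enumeration was incomplete. The sample record, the function name `audit_user_record`, and the choice to flag groups recorded without a `Sid` are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the record quoted in the thread
# (names and SIDs are placeholders, not values from a real environment).
SAMPLE = """<User><Version>1.0</Version><CacheState>2</CacheState><Name>testuser</Name>
<GroupsErrorMessage>Failed to obtain some or all memberOf groups : Windows Error 0x80072030: There is no such object on the server.: Domain: EXAMPLE</GroupsErrorMessage>
<Domain>EXAMPLE</Domain><Groups>
<Group><Name>App Group A</Name><DistinguishedName>CN=App Group A,OU=Groups,DC=example,DC=com</DistinguishedName><Sid>S-1-5-21-1111111111-2222222222-3333333333-1001</Sid></Group>
<Group><Name>App Group B</Name><DistinguishedName>CN=App Group B,OU=Apps,DC=example,DC=com</DistinguishedName></Group>
</Groups></User>"""

# The code seen in the thread: 0x80072030 is HRESULT_FROM_WIN32(ERROR_DS_NO_SUCH_OBJECT).
KNOWN_ERRORS = {0x80072030: "ERROR_DS_NO_SUCH_OBJECT"}


def audit_user_record(xml_text):
    """Summarise one cached user record: error reported, groups lacking a Sid."""
    # Input is assumed to be a local, trusted cache file; use a hardened
    # parser such as defusedxml if the XML could come from an untrusted source.
    user = ET.fromstring(xml_text)
    message = (user.findtext("GroupsErrorMessage") or "").strip()
    match = re.search(r"Windows Error (0x[0-9A-Fa-f]{8})", message)
    code = int(match.group(1), 16) if match else None

    groups, missing_sid = [], []
    for group in user.iter("Group"):
        name = group.findtext("Name") or "<unnamed>"
        groups.append(name)
        # Assumption: a group stored without a Sid is worth a second look.
        if not (group.findtext("Sid") or "").strip():
            missing_sid.append(name)

    return {
        "user": user.findtext("Name"),
        "domain": user.findtext("Domain"),
        "complete": not message and not missing_sid,
        "error_code": code,
        "error_name": KNOWN_ERRORS.get(code),
        "groups": groups,
        "groups_without_sid": missing_sid,
    }


if __name__ == "__main__":
    for key, value in audit_user_record(SAMPLE).items():
        print(f"{key}: {value}")
```

A record flagged as incomplete means that any targeting on the user's group membership is working from a partial list, which matches the symptom described in the first post.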