Relevance: Add computers from AD Group membership from specific domains to automatic computer group

I’m using the below relevance to add computers from a specific security group in AD to an automatic group in BigFix. However, it’s only picking up the computers in the domain our BigFix server resides on, even though we have agents in multiple domains.

exists names whose (it = "DevTest") of groups of local computer of active directory

How can I specify the domain in this relevance to find that AD security group in that domain to add the computers to the automatic group? I’m new to writing relevance and did not understand the active directory piece for this.

It may be helpful to know the BigFix Server is not involved in the query at all, this evaluates solely on the client. You might use the WebUI Query app to query these computers and check for something like

names of groups of local computer of active directory

…to see whether they have any matches.

If this is some kind of cross-domain trust where computers from Domain A are added to groups in Domain B, the local computer inspector will probably not find the groups from those trusting domains. I think you’d need for the “DevTest” groups to be defined on each Domain, and for the computer accounts to be added to the DevTest group in their own domain.

That’s how it’s set up currently. I have 3 groups in each of my 3 domains, and they’re all named the same, so the query should pick them up, and each group has computer objects from the corresponding domain. There is a domain trust in place as well, and we have agents from all 3 domains checking in to the BigFix console.

Ok, that should work…I’d use WebUI to check the query I posted and see whether those computers are retrieving any groups.

One thing to note is that by default the Active Directory inspectors cache results for…I think 6 hours? So if you’re adding or removing the computers from groups, it can take some time to reflect the results. Restarting the BESClient service can make them pick up the change faster for testing.

For some reason, it’s picking up 2 of the 3 domains, and I don’t see why the third isn’t showing any of its group’s members in the list.

Is it possible to specify the domain of the group? Something like the below? I wasn’t able to get this to work.

exists names whose (it = "DevTest") of groups of local computer of active directory whose (it = "domain.net")

I even thought of this method below with no success.

exists distinguished name whose (it = "CN=DevTest,OU=Groups,DC=domain,DC=net") of groups of local computer of active directory

The comparisons are case-sensitive, does one of the domains have the group defined in the wrong upper/lowercase?

No, sir. I had checked that as well.
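As an added diagnostic, not taken from any of the replies above: the first expression lists the name and distinguished name of every AD group the client itself sees (run it in WebUI Query or the Fixlet Debugger on a machine from the domain that is missing), and the second matches the group case-insensitively and only within one domain's DN suffix. "domain.net" is the placeholder domain used in the thread, and "DevTest" the group name from the question.

```relevance
// Diagnostic: show which groups, and from which domain (DN suffix), the client resolves.
// Compare the output from a client in each of the three domains.
(name of it, distinguished name of it) of groups of local computer of active directory

// Group membership check that ignores upper/lowercase differences in the group
// name and DN, and that only accepts a DevTest group located in the named domain.
// Replace "dc=domain,dc=net" with the DN suffix of the domain you want to match.
exists groups whose (
    name of it as lowercase = "devtest"
    and distinguished name of it as lowercase ends with "dc=domain,dc=net"
) of local computer of active directory
```

If the first expression returns nothing on clients from the missing domain, the problem is group resolution on that client (AD cache, site or domain controller reachability), not the automatic group's relevance.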