Targeting an Action Dynamically by Active Directory Path

I’m trying to set up an Action that will apply a Baseline to any computers in the Computers OU in an AD domain. I want to do this so our already deployed patches get automatically installed onto new systems that we build, so we don’t have to rely upon the admin building it to remember to patch that new system. I can set up the Action to Dynamically target based upon that path, but it only allows me to select paths/OUs that already currently have a client in them. So, if we don’t have any systems in the Computers OU, then it won’t even present that OU as an option to select. And there doesn’t seem to be a way to just enter a Relevance expression for the Target window of a new Action.

Is there some way to do this that I’m just not seeing or some alternative way to go about dynamically targeting only brand new clients?

James,

As long as there is a computer in the computers OU when you target the action you’re set going forward. It will still work if the client in that OU goes away and another one comes into the picture.

If you are having issues with the fact that the majority of the time there won’t be computers in this OU then you could also make a computer group and set the property for the computer group to point to the active directory path and target that:

Yeah, the issue is that we usually should NOT have a computer in that OU. And we have 10 domains, some of which don’t get new computers added to them very often. I suppose a group is an option and I could create an Action that would dynamically target that group. The challenge for us is that we deploy patches once a quarter and the deployment is spread out across most of that quarter across several environments, so I would likely need a separate group for each domain so we’re not pushing out patches to an environment before they’ve gone through testing on all the others. I was hoping there was an easier way to do it than that.

One option I tried a bit ago that seemed to work was to Dynamically target the entire AD domains, but then change the Applicability tab to something like this:

distinguished name of local computer of active directory as string as lowercase contains "cn=computers,dc=domain,dc=com"

Not sure that this is any better in the long run, though.