Using the "Offer" option across multiple domains

(imported topic written by brian.armstrong91)

I am playing around with the “Offer” option and am looking for advice. I am looking for a way to restrict who receives offers via a group in active directory. People that are added to this group should be the only ones to see the Offer. The problem is that we have multiple domains without a trust between each domain. Thus when I pick the Group that that I want to give the Offer I can only see the domain for which my PC is attached to.

I have tested creating an active directory group in two different domains and gave them exactly the same name hoping that BigFix would just look for the name of the group regardless of what domain the PC was on. This did not seem to work however, so I suspect that BigFix is specifically looking for the Group in the domain from which I picked.

The work around I have come up with that seems to work is to create a local group on the PC and then add the Active Directory group to the local group. Then when I pick the users in the BigFix console I specify the name of the local group. This would mean pushing down a local group to each pc and then adding the active directory group to that group which I could do but am trying to avoid. I would like to be able to do this without making any changes to the local computers.

Does anybody have a better solution or any advice?

(imported comment written by BenKus)

Hmm… I will need to look into this to try to figure it out… As a short term solution, can you run the console from a computer from the other domain?


(imported comment written by brian.armstrong91)

Doing it on each domain is not practical since we have about 25 different domains. We are looking to pilot this in one domain but if we get it to work we will most likely be using in all locations. So short answer is yes I could do that in the short term but it would be impracticable for long term.

Thanks for any help you can provide.

(imported comment written by BenKus)

Hi Brian,

We use the code similar to the code from here:

Can you try downloading their little demo project and see if you can browse to the domain you want?


(imported comment written by brian.armstrong91)


I tried the demo but I can only see the one domain which I am a member of. I don’t have a login or permissions to view the other domains.

Here is a rundown of my understanding of the situation, if it does not work this way please correct me.

I only have access to Domain A so when I pick the usergroup from Active Directory I have to pick the one from Domain A because that is the only one I have rights to. Thus the user group would be something like “Domain A\BigFix Offer”. Hence when I send this to a pc that is on Domain B, BigFix is still looking for the group “Domain A\BigFix Offer” and never sees it as a match.

Would it be possible to put an option in BigFix to match an active directory user group regardless of the domain? Thus I could manually specify the name of a User Group by typing it in and if that group exists on whatever domain the target pc is part of then it will designate it as a match? This would not be that different from the local group option but instead of checking the local pc for the group it checks active directory for the group.


(imported comment written by BenKus)

Hey Brian,

Yes. I can’t find a way to make it work like this right now, but I think it is a good request so hopefully we can change it soon… This is tracked as Bug 25570.