2 replies Latest Post - ‏2013-01-15T13:19:40Z by SystemAdmin
SystemAdmin

Pinned topic Automatic Computer Group based on Active Directory Group.

2012-12-27T06:31:57Z
Hi all,
I am new to BigFix, and I cannot figure out how to create a new Automatic Computer Group based on an Active Directory Group.
I went to tools/create new automatic group. I selected "Active Directory Path" from Properties then "Contains" then I typed "CN=ADGroupName,OU=SubOUName,OU=ParentOUName,DC=SubdomainName,DC=ParentDomainName,DC=org"
After 24 hours, the newly created group still has not gotten populated from AD yet.

Any help on this will be very appreciated.
Thank you
Updated on 2013-01-15T13:19:40Z by SystemAdmin
  • SystemAdmin

    Re: Automatic Computer Group based on Active Directory Group.

    ‏2013-01-15T05:00:51Z  in response to SystemAdmin
    The AD Path refers to the AD Path for the computer object.

    I don't recall how to query AD Groups. AD information is cached by the client to minimize the delays involved in the client querying it.
  • SystemAdmin

    Re: Automatic Computer Group based on Active Directory Group.

    ‏2013-01-15T13:19:40Z  in response to SystemAdmin
    In looking back at my notes you might be able to use something like this ...

    
    ((windows of it) of operating system) AND (((exists value whose (it as lowercase = "AD-Test-Group" as lowercase) of components whose (type of it = "CN") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory)
    


    You can read more about the Directory Services Objects. The information is cached by the Agent. The cache will expire after 12 hours by default. I don't know if this can be overridden by a setting or not.

    If you want to play around with these Relevance clauses in the Fixlet Debugger, it has to be configured under the menu Debug --> Evaluate Using --> Client Evaluator. This will cause the Debugger to take longer to evaluate but it has access to more information than the Debugger can normally access (client information typically). Be patient. Be sure to switch it back when you are done working with the Active Directory objects.

    The above clause was able to detect that my Domain Member computer had been added to that group. Because of the caching issue, it took a while to figure it out (overnight in my case), but it DOES work.
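
Added example, not part of the thread and not BigFix code: a Python model of the comparison the posted clause performs, next to the "Active Directory Path contains" attempt from the first post. The DNs, the computer name `WS-0042` and the substring model of the path filter are constructed assumptions; the point is that the clause compares CN components only, and includes the computer's own DN, so a group name equal to a computer or container CN also matches.

```python
# Added example: constructed data, not output from a real BigFix client.
def components(dn):
    """Split a DN into (type, value) pairs, honouring backslash escapes.
    Simplification: hex escapes such as \\2C are not decoded."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [tuple(s.strip() for s in r.partition("=")[::2]) for r in rdns]

def cn_values(dn):
    """Lowercased values of the CN components of one DN."""
    return [v.lower() for t, v in components(dn) if t == "CN"]

def path_contains(computer_dn, text):
    """Assumed model of the first post's 'Active Directory Path contains' filter:
    a substring test against the computer object's own DN."""
    return text.lower() in computer_dn.lower()

def clause_matches(computer_dn, group_dns, name):
    """Mirror of the posted clause: some CN component of the group DNs
    or of the computer's own DN equals name, compared in lowercase."""
    return any(name.lower() in cn_values(dn) for dn in [*group_dns, computer_dn])

# Constructed sample directory data (hypothetical names).
COMPUTER_DN = "CN=WS-0042,OU=Workstations,DC=corp,DC=example,DC=org"
GROUP = "CN=AD-Test-Group,OU=Groups,DC=corp,DC=example,DC=org"
GROUP_DNS = [GROUP, "CN=Domain Computers,CN=Users,DC=corp,DC=example,DC=org"]

if __name__ == "__main__":
    print("path contains group DN:", path_contains(COMPUTER_DN, GROUP))
    for name in ("ad-test-group", "WS-0042", "Users", "Workstations"):
        print(name, "->", clause_matches(COMPUTER_DN, GROUP_DNS, name))
```

If the group is used to scope deployments, pick a group name that cannot collide with a computer name or a container CN, or compare against the full group DN instead of a single component.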