I am new to BigFix, and I cannot figure out how to create a new Automatic Computer Group based on an Active Directory Group.
I went to tools/create new automatic group. I selected "Active Directory Path" from Properties then "Contains" then I typed "CN=ADGroupName,OU=SubOUName,OU=ParentOUName,DC=SubdomainName,DC=ParentDomainName,DC=org"
After 24 hours, the newly created group still has not gotten populated from AD yet.
Any help on this will be very appreciated.
Re: Automatic Computer Group based on Active Directory Group. 2013-01-15T05:00:51Z in response to SystemAdmin
The AD Path refers to the AD Path for the computer object.
I don't recall how to query AD Groups. AD information is cached by the client to minimize the delays involved in the client querying it.
Re: Automatic Computer Group based on Active Directory Group. 2013-01-15T13:19:40Z in response to SystemAdmin
In looking back at my notes you might be able to use something like this ...
((windows of it) of operating system) AND (((exists value whose(it as lowercase = "AD-Test-Group" as lowercase ) of components whose(type of it= "CN") of distinguished names ((distinguished names of groups of it; distinguished names of it) of local computer of it))) of active directory)
You can read more about the Directory Services Objects. The information is cached by the Agent. The cache will expire after 12 hours by default. I don't know if this can be overridden by a setting or not.
If you want to play around with these Relevance clauses in the Fixlet Debugger, it has to be configured under the menu Debug --> Evaluate Using --> Client Evaluator. This will cause the Debugger to take longer to evaluate but it has access to more information than the Debugger can normally access (client information typically). Be patient. Be sure to switch it back when you are done working with the Active Directory objects.
The above clause was able to detect that my Domain Member computer had been added to that group. Because of the caching issue, it took a while to figure it out (overnight in my case), but it DOES work.
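The difference between the two approaches in this thread, as an added Python example (not part of the original posts and not BigFix code): a "contains" test on the computer object's own path versus a case-insensitive match on the CN components of the computer's group DNs plus its own DN, which is how the clause above reads. The DNs are constructed sample values and the function names are hypothetical.

```python
# Added illustration; sample DNs are constructed, function names are hypothetical.
COMPUTER_DN = "CN=WS042,OU=SubOUName,OU=ParentOUName,DC=SubdomainName,DC=ParentDomainName,DC=org"
GROUP_DNS = [
    "CN=AD-Test-Group,OU=Groups,DC=SubdomainName,DC=ParentDomainName,DC=org",
    "CN=Smith\\, Lab PCs,OU=Groups,DC=SubdomainName,DC=ParentDomainName,DC=org",
]

def split_dn(dn):
    """Split a DN into (type, value) pairs; a backslash escapes the next character.
    Hex escapes such as \\2C are not decoded here."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if dn[i] == ",":               # an unescaped comma ends one component
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        rdn_type, sep, value = part.partition("=")
        if sep:
            pairs.append((rdn_type.strip().upper(), value))
    return pairs

def cn_values(dn):
    """Values of every component of type CN in one DN."""
    return [value for rdn_type, value in split_dn(dn) if rdn_type == "CN"]

def path_contains(computer_dn, text):
    """The first attempt: substring test against the computer object's own path."""
    return text.lower() in computer_dn.lower()

def matches_group(computer_dn, group_dns, name):
    """Logic of the clause as written: any CN component of the group DNs,
    or of the computer's own DN, equals the name (case-insensitive)."""
    dns = list(group_dns) + [computer_dn]
    return any(v.lower() == name.lower() for dn in dns for v in cn_values(dn))

if __name__ == "__main__":
    print(path_contains(COMPUTER_DN, "CN=AD-Test-Group"))           # False
    print(matches_group(COMPUTER_DN, GROUP_DNS, "ad-test-group"))   # True
```

Because the computer's own DN is part of the comparison, a name equal to the computer's CN (or to a CN container in its path) also matches, so group names used this way should not collide with those values.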