Active Directory Security Group Discovery
Hi guys, I am having a bit of an issue with AD security group discovery at the moment. I am testing our ability to deploy applications based on security group membership (Computer objects). I have enabled "Active Directory Security Group Discovery" and also "Active Directory System Group Discovery" and run them both as soon as possible. In the adsysgrp.log file it appears as though discovery is taking place and discovering the newly created security group named "APP_SCCM_Microsoft_Office_2010_Professional"; however, when updating the "All Active Directory Security Groups" collection (the standard collection that ships with SCCM) it is not appearing. Very strange. Any ideas here?
The site server has access to the system container and the site is configured to publish to Active Directory.
April 12th, 2011 4:20pm
The All Active Directory Security Groups collection pulls data discovered from the AD Security Group Discovery. Data discovered with the AD System Group Discovery does not populate this collection; it is put directly into the resource objects.
For deploying software to systems, you need to enable AD system discovery and AD System Group Discovery. AD security group discovery is not necessary (you actually could use it but it would require you to reboot your systems every time you added them to or removed them from a collection).
You can view the data collected by System Group Discovery by looking at the properties of any resource and scrolling down to System Group Names. You can query this field using the "System Resource" class aka SMS_R_System and the SystemGroupName attribute.
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
April 12th, 2011 5:58pm
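Added example, not part of any post in this thread: a PowerShell check against the SMS Provider that shows where each discovery method stores a group, namely as a User Group Resource record (Security Group Discovery) or in SystemGroupName on SMS_R_System (System Group Discovery). The provider host, site code and domain are placeholders, and the SMS_R_UserGroup class with its UniqueUsergroupName property is not named in the thread.

```powershell
# Added example: compare what the two discovery methods recorded for one AD group.
param(
    [string]$SiteServer = 'localhost',   # placeholder: host running the SMS Provider
    [string]$SiteCode   = 'XXX',         # placeholder: three-character site code
    [string]$Domain     = 'DOMAIN',      # placeholder: NetBIOS domain name
    [string]$Group      = 'APP_SCCM_Microsoft_Office_2010_Professional'
)

$ns = "root\sms\site_$SiteCode"

# WQL string literals need the backslash doubled: DOMAIN\\Group
$wqlName = "$Domain\\$Group"

# 1) Security Group Discovery: the group itself as a User Group Resource.
$groupRecord = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query `
    "SELECT * FROM SMS_R_UserGroup WHERE UniqueUsergroupName = '$wqlName'"

# 2) System Group Discovery: computers whose System Group Names include the group.
$members = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query `
    "SELECT ResourceId, Name, SystemGroupName FROM SMS_R_System WHERE SystemGroupName = '$wqlName'"

if ($groupRecord) {
    "User Group Resource present: $($groupRecord.UniqueUsergroupName) (ResourceId $($groupRecord.ResourceId))"
} else {
    "No User Group Resource for $Domain\$Group; review adsgdis.log"
}

if ($members) {
    "Computers carrying $Domain\$Group in System Group Names:"
    $members | Sort-Object Name | Select-Object Name, ResourceId
} else {
    "No computer resource lists $Domain\$Group; review adsysgrp.log"
}

# Query rule for a collection built on the System Group Names field
"select * from SMS_R_System where SMS_R_System.SystemGroupName = `"$wqlName`""
```

If the second query returns computers while the first returns nothing, System Group Discovery has done its job and a query-based collection on SystemGroupName is the one to target.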
Hi Jason, I can confirm that both AD system discovery and AD System Group discovery are enabled, I also ran a full discovery as soon as possible. So not sure why groups are not appearing in this collection, even after updating collection membership numerous times. So I suppose what I am saying here is that all of my Active Directory discovery methods are enabled and have run but the All Active Directory Security Groups collection is not updating with members when I would be expecting it to. I'm probably missing something obvious here...
April 12th, 2011 6:29pm
When you say "groups are not appearing in the collection" - don't expect to see the group names. The group information will be added to the existing assigned computer objects. Make sure you check the adsysgrp.log file for further troubleshooting.
Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund
April 12th, 2011 9:01pm
Have you reviewed the logs? Adsgdis.log is for AD Security group discovery.
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
April 12th, 2011 9:10pm
Hi Guys,
Kent, I would have thought that I would see security group names in the collection "All Active Directory Security Groups", as in my live environment I can see these as group names, for example:
Name: CANEAST\TelnetClients
Resource Class: User Group Resource
Jason, I have reviewed this and it mentions something along the lines of
INFO: discovered object with ADsPath = ....App_SCCM_Microsoft_Office_2010_Professional
So it appears that it is discovering this object but not appearing in the security groups collection. Shall I provide a snippet of the log file for review?
Thanks again
April 13th, 2011 12:05am
Hello - Did you try updating and refreshing the collection?
Also, you can go through the AD system group discovery flowchart; this could help you in further troubleshooting...
http://technet.microsoft.com/en-us/library/bb892802.aspx
Anoop C Nair - This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. | Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 13th, 2011 1:33am
Hi,
Is there a large number of collections? If so, the collection update refresh may be delayed.
Please check if the following hotfix helps:
A long delay occurs when you click "Refresh" to view the latest membership in a dynamic collection on a System Center Configuration Manager 2007 SP2 site server
You may change the registry key below and set the value to 50, so that it will not update status very frequently:
HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components\SMS_Collection_Evaluator\Collection Resync Frequency (0)
Regards,
Sabrina
April 14th, 2011 3:37am
Hi guys, I have updated the collection many times with no result. Read the flowchart and can't associate anything here with what I am seeing. At the moment this is working in my live environment and updating with groups correctly so I have gone on to test here.
Only thing is now in my live environment my collection is not populating with expected results. I have created another thread for this. So at the moment this issue remains unsolved.
April 14th, 2011 5:51pm