Solved

Creating collection based on OU object location

Posted on 2011-03-02
Last Modified: 2013-11-21
In SCCM 2007 R3, I have created a collection structure matching our Active Directory structure so I can deploy software, updates etc. by department.

To make it manageable, I need to have the collections set up with membership rules querying the discovered computer object's OU location to match it up with the correct collection.

I used the following guide to set it up the way I wanted:

http://www.deploymenttech.com/index.php?option=com_content&view=article&id=241:creating-ou-based-collections&catid=34:blog&Itemid=1

The only change I made is to the "Operator" field in Criterion Properties, I set it to "is equal to", although I also tested "lowercase is like" with no difference.

The computer objects are discovered without any issue as far as I can tell as I am able to manually add them to a test collection, and client push installation works automatically.

Problem is, the query is not working. The discovered computers are not being pulled into the appropriate collection.

The only method of troubleshooting I could come up with was to go to the collection I had set up the query on and click Add Resources, search All Collections and go to Advanced, then select Attribute name: "System OU Name" (which is the same attribute as the query I set up), then search by any part of the OU path. Nothing comes up, which leads me to believe the information isn't being pulled in when the object is discovered.

This leads me to wonder if there are any attributes that need to be added to the "Active Directory attribute" tab in Active Directory System Discovery Properties? I couldn't seem to find an answer on this anywhere.

I would really appreciate any tips which might lead me to a solution or at least a way to troubleshoot why this isn't working.
Question by:McCoyIT
7 Comments
 
LVL 8

Expert Comment

by:MarkieS
ID: 35025008
Hi,

I use what sounds like exactly the same method.

Collections in SCCM are populated by queries to Active Directory groups and OU containers.

Mine works like a dream so we should be able to get this going for you.

Do you have regular polling intervals for the Collections? If you run a manual collection update, do they populate?

Check ADxxx.log log files for any AD discovery problems.
0
 

Author Comment

by:McCoyIT
ID: 35027699
I do indeed have regular polling intervals, the collection is configured to update every day, along with Active Directory System Discovery. I've tried Update Collection Membership and refreshing with no change, along with trying to look up discovered objects by OU attribute and manually adding the resources to the collection with no luck.

I'm not seeing any errors in the "adsysdis.log" file.

I did take a look at the SMS_AD_SYSTEM_DISCOVERY_AGENT component, and there was only one warning, that being:

SMS Active Directory System Discovery Agent reported errors for 5 objects. DDR's were generated for 0 objects that had errors while reading non-critical properties. DDR's were not generated for 5 objects that had errors while reading critical properties.

Possible cause: The SMS Service might not have access to some properties of this object. The container specified might not have the properties available.
Solution: Please verify the Active Directory schema for properties that are not replicated or locked. Refer to the discovery logs for more information.
0
 
LVL 8

Expert Comment

by:MarkieS
ID: 35027978
Sounds like the queries aren't picking up the right results...

Here are my WQL queries :

Remember to replace the relevant bits:

Replace FQDN with contoso.com or whatever is relevant
Replace OUNAMELEVEL1 with what is relevant to your OU structure.
Replace DOMAINNAME with your own NT domain name
Replace SECURITYGROUPNAME with your own Security groups

COMPUTERS

Looking at the properties of a collection I base the Membership Rules Query on "System Resources"

This checks for Computer Accounts in a Security group

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "DOMAINNAME\\SECURITYGROUPNAME"

And this one checks for a Computer Account sitting in (or under) a particular OU.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName like "FQDN/OUNAMELEVEL1/OUNAMELEVEL2"


USERS
Looking at the properties of a collection I base the Membership Rules Query on "User Resources"

This one I use for users in an OU

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserOUName like "FQDN/OUNAMELEVEL1/OUNAMELEVEL2/OUNAMELEVEL3"

And this one is for users in a Security Group

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName = "DOMAINNAME\\SECURITYGROUPNAME"
0
 

Author Comment

by:McCoyIT
ID: 35029215
Still isn't working unfortunately, this is the query language:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from  SMS_R_System where SMS_R_System.SystemOUName = "domain.com/Corporate/Corporate Computers/IT"

(where "domain.com" is our actual domain of course). Could this have anything to do with the space in "Corporate Computers"?
0
 
LVL 10

Accepted Solution

by:
Kezzi earned 500 total points
ID: 35029229
Have you set up Active Directory System Group Discovery?  It's this discovery process that brings in the computer OU membership attribute.
0
 

Author Comment

by:McCoyIT
ID: 35029510
I think we're on the right track now, I was running discovery from a secondary site and I've just now realized you can only run "Active Directory System Group Discovery" from the primary site, so it is now enabled and appears to be working according to the "adsysgrp.log" file.

Not quite there though, because the query still isn't working and I've tried several different operators on it.

If I click Add Resources in the collection, search All Collections and go to Advanced, then select Attribute name: "System OU Name" and search by any part of the domain name or container, it's not pulling up any results.

Just to clarify, should I have both System Discovery and System Group Discovery enabled? Right now I've configured them to only discover from the specific container (OU) I'm testing on, do either need to be set on the root of the domain?

If I go into the All Systems collection and look at the Properties for a newly discovered object, is there a specific property that should show the container the object was discovered in? If anybody knows the name of the property or if it should show up there, that would help me troubleshoot.

Thanks for all the help so far.. getting close I think
0
 

Author Comment

by:McCoyIT
ID: 35030645
So I am guessing that System Group Discovery has to happen AFTER System Discovery so that it can write to the discovered objects? In any case this is now working perfectly, thanks again for the help!
0
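
Added example, not part of the original thread: a PowerShell check against the SMS Provider that shows whether discovery has populated SystemOUName, which is the condition the OU-based rule depends on. `$SiteServer` and `$SiteCode` are placeholder values; `$OuPath` is the path quoted in the question.

```powershell
# Added diagnostic example (not from the thread).
# $SiteServer and $SiteCode are placeholders; $OuPath is the path quoted above.
param(
    [string]$SiteServer = 'SCCM01',
    [string]$SiteCode   = 'ABC',
    [string]$OuPath     = 'domain.com/Corporate/Corporate Computers/IT'
)

$ns = "root\sms\site_$SiteCode"   # SMS Provider namespace on the primary site

$systems = Get-WmiObject -ComputerName $SiteServer -Namespace $ns `
    -Query 'select ResourceId, Name, AgentName, SystemOUName from SMS_R_System'

$report = foreach ($s in $systems) {
    # Both properties are string arrays and stay $null until an agent writes them.
    $ous    = @($s.SystemOUName | Where-Object { $_ })
    $agents = @($s.AgentName    | Where-Object { $_ })
    New-Object PSObject -Property @{
        Name      = $s.Name
        Agents    = ($agents | Sort-Object -Unique) -join ', '
        OuCount   = $ous.Count
        MatchesOu = ($ous -contains $OuPath)   # -contains is case-insensitive
    }
}

# 1) Discovered resources with no OU data: an OU-based rule cannot match these.
$report | Where-Object { $_.OuCount -eq 0 } |
    Select-Object Name, Agents | Format-Table -AutoSize

# 2) Resources whose OU list contains the path used in the membership rule.
$report | Where-Object { $_.MatchesOu } |
    Select-Object Name, Agents | Format-Table -AutoSize

# 3) The same comparison the collection rule makes, run through the provider.
#    An OU name containing an apostrophe would need escaping here.
$wql = "select ResourceId, Name from SMS_R_System where SystemOUName = '$OuPath'"
@(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query $wql).Count
```

If list 1 contains the test machines and the Agents column shows only the system discovery agent, the rule has nothing to match until System Group Discovery has run for those resources.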
