Nested Computer Group Condition failing to Evaluate Correctly

Version 1

    Verified Product Versions

    Environment Manager 8.5


    In Environment Manager 8.5 it is now possible to configure a Computer Group Condition to additionally check for membership in any Nested Computer Groups.

    However after configuration you find the condition evaluating incorrectly.


    In order for this functionality to work correctly you need to have the domain functional level in your environment at 2008 or above.

    If this is not the case then the condition will not evaluate as expected.

    In addition, the Nested Group check is only updated either once daily or upon System Restart (under the Network Ready Trigger).  If an Endpoint has been recently added to the Nested Group, a reboot may be required before the condition evaluates as expected.

    To check nested group functionality processing you can use either of the following two scenarios.

    Scenario 1

    Enable EM Debugging and search for [ComputerGroupMembershipChecker::GetComputerGroupList] within an EMSYSTEM log. As mentioned above this is triggered once daily or at System Restart.

    L2  T1848 41203 [ComputerGroupMembershipChecker::GetComputerGroupList] Groups not returned by nested group search - domain functional level may be less than Server 2008
    L2  T1848 41203 [ComputerGroupMembershipChecker::GetComputerGroupList] Nested group functionality will not work

    Above snippet shows the issue related to Domain Functional level, at this time there is no workaround to this (apart from potentially a custom script condition).

    Scenario 2

    It is also possible to check the current Computer Group List file within "C:\ProgramData\AppSense\Environment Manager\ComputerGroups.txt" for the existence of the nested group.

    Be aware that by default only System has access to this file and so you would need to temporarily alter NTFS permissions to verify.

    NOTE: From within an EmUser log, during Condition evaluation the nested groups are only checked for existence within the ComputerGroups file (path listed above)and so if the group is not present, the condition will return False.