12 Replies Latest reply on Oct 18, 2017 3:21 AM by Landon Winburn

    OU changes not reflected in deployment group membership

    Wilhelm.Vietinghoff1 Rookie

      Hi,

      I just changed the deployment group membership rules from NetBIOS name to Active Directory container, hoping that changes in AD would also be reflected in a changed deployment group membership. But that is not the case, it seems.

      The problem I have is that computer objects in our organisation are initially created in CN=Computers and then, at some point, automatically moved to their final destination. Because I don't have a membership rule for CN=Computers, all new objects end up in the Default group and are not moved when the object in AD is moved.

       

      How can I solve that or what am I doing wrong?

       

      Thank you!

        • 1. Re: OU changes not reflected in deployment group membership
          randyb1 SupportEmployee

          Membership rules only apply to devices upon initial registration.  The first time a device checks in, the membership rules are evaluated and the device checks in to that deployment group.  After the device is registered, it will not move to another deployment group if the membership rules are changed, or if the OU the device is in changes.

           

          The exception to this is that with version 10.x, devices that are misgrouped are put into a sub-container called "Misgrouped".  You can regroup these devices, which will re-evaluate the membership rules and move the devices accordingly.

           

          Also remember that discovery must occur before doing anything involving membership rules.  If a new computer joins the domain, or if a computer moves to a different OU, discovery must be run again before the rules will apply correctly.

          • 2. Re: OU changes not reflected in deployment group membership
            Landon Winburn ITSMMVPGroup

            So just to clarify, membership rules are NOT evaluated when the machine polls for the first time but during the discovery phase, which by default runs once a week. When the machine polls for the first time, if it has not been "discovered" by the weekly poll, it goes into the default group.

             

            The best option for you here is to check the "Allow Self-registration" checkbox on your deployment groups and use command line switches for the CCA install to point it to a particular deployment group.

             

            Landon.

            • 3. Re: OU changes not reflected in deployment group membership
              randyb1 SupportEmployee

              Landon is correct; I worded that poorly.  What I meant is that moving a device to a different OU will have no effect on its deployment group membership if it has already registered.

              • 4. Re: OU changes not reflected in deployment group membership
                Minion01 Rookie

                I ran into this issue too, and now I am thinking of making a single policy for AM and using a PowerShell-based script rule to determine the rules. This will help simplify the configuration rules, but not the agent deployment settings. The following PS script grabs the registry key where the OU information is stored, and if it matches the name, it is a success (Exit 0):

                 

                # Distinguished name of the computer account as recorded by Group Policy processing
                $OU_FQDN = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine" -Name "Distinguished-Name"

                # Exit 0 = this machine belongs to the group this rule is attached to; Exit 1 = it does not
                Switch -Wildcard ($OU_FQDN)
                {
                    "*OU=MyOUName01*" { Exit 1 }
                    "*OU=MyOUName02*" { Exit 0 }
                    "*OU=MyOUName03*" { Exit 1 }
                    "*OU=MyOUName04*" { Exit 1 }
                    "*OU=MyOUName05*" { Exit 1 }
                    "*OU=MyOUName06*" { Exit 1 }
                    "*OU=MyOUName07*" { Exit 1 }
                    default { Exit 1 }
                }

                 

                You can copy the PowerShell code to new script rules and change the Exit 0's and Exit 1's for the appropriate OU it is supposed to go to. For any rule not in the list, the Default option will apply.

                • 5. Re: OU changes not reflected in deployment group membership
                  Wilhelm.Vietinghoff1 Rookie

                  Thanks for clarification!

                   

                  Just discussed this with the guy who manages all that "Windows unattended install stuff". I learned that the script is installing CCA right after joining the computer to the domain and before changing OU membership. During CCA install the Management Server is passed over via command line. This is why the computer object is registered immediately and not after 1+ hours during discovery.
                  We decided to change the script to first move the computer object and then install CCA.

                   

                  But my intention when changing the membership rules from NetBIOS name to container was to change deployment group membership without touching the Management Center. I understand this is not working out of the box, but is there another way to get this done?

                  • 6. Re: OU changes not reflected in deployment group membership
                    Landon Winburn ITSMMVPGroup

                    Moving the computer object first and then installing won't help anything since the Management Server hasn't done a discovery poll since the computer account would have been created seconds before the CCA was installed.

                     

                    Since you are already joining the domain and moving the computer account in your SCCM sequence or similar then your logic is already there. Just use the command line switch to force it into the correct group and forget about membership rules and polling.

                     

                     

                    From the Installation and Configuration guide:

                    msiexec.exe /qn /i "<MSI file path>\CommunicationsAgent.msi" WEB_SITE="https://<Management Server Name>/" GROUP_NAME="<DeploymentGroup>"
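The two ideas above, Minion01's script rule that reads the computer's OU from the registry and Landon's advice to pass GROUP_NAME on the CCA command line, can be combined into one install step. The following is an added example, not code from this thread or from the product: it works out the OU path of the local computer account, resolves it to a deployment group and runs the installer with the WEB_SITE and GROUP_NAME switches quoted from the guide. The OU-to-group map, the MSI path and the server name are hypothetical; the registry value and the msiexec switches are the ones named in the thread.

```powershell
# Added example (not from the thread or the product): choose the deployment group from
# the computer's OU at install time and pass it to the CCA installer as GROUP_NAME.

function Get-ComputerDistinguishedName {
    param([switch]$FromDirectory)
    if ($FromDirectory) {
        # Ask AD for the account's current DN. Needed right after a task sequence moves
        # the object, because the registry copy only updates on the next policy refresh.
        $filter   = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
        $searcher = [adsisearcher]$filter
        $result   = $searcher.FindOne()
        if (-not $result) { throw "Computer account $env:COMPUTERNAME not found in AD" }
        return [string]$result.Properties['distinguishedname'][0]
    }
    # Value written by Group Policy processing (the one Minion01's script rule reads), e.g.
    # CN=PC01,OU=Workstations,OU=Berlin,DC=corp,DC=example
    Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine' -Name 'Distinguished-Name'
}

function Get-OUPath {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on unescaped commas (a literal comma inside an RDN is escaped as '\,'), keep the
    # OU= components and return them root-first, e.g. "Berlin/Workstations". Matching on the
    # whole path avoids the substring trap of "*OU=Berlin*" also matching OU=Berlin-Test.
    $rdns = [regex]::Split($DistinguishedName, '(?<!\\),')
    $ous  = @(foreach ($rdn in $rdns) {
        if ($rdn -match '^\s*OU=(.*)$') { $Matches[1] -replace '\\,', ',' }
    })
    [array]::Reverse($ous)
    return ($ous -join '/')
}

# Hypothetical mapping from OU path to deployment group name; adjust to your environment.
$OuToGroup = @{
    'Berlin/Workstations' = 'Berlin Workstations'
    'Berlin/Laptops'      = 'Berlin Laptops'
    'Servers'             = 'Servers'
}

function Resolve-DeploymentGroup {
    param([string]$OUPath, [hashtable]$Map, [string]$Fallback = 'Default')
    # Exact-path lookup; anything unmapped goes to the fallback group on purpose, which is
    # the same behaviour as the "default" branch of the script rule above.
    if ($Map.ContainsKey($OUPath)) { return $Map[$OUPath] }
    return $Fallback
}

function Install-CCA {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$ManagementServer,
        [Parameter(Mandatory)][string]$GroupName
    )
    # Same switches as the guide quoted above. GROUP_NAME only takes effect when
    # "Allow self-registration" is enabled on that deployment group.
    $msiArgs = @(
        '/qn', '/i', "`"$MsiPath`"",
        "WEB_SITE=`"https://$ManagementServer/`"",
        "GROUP_NAME=`"$GroupName`""
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # msiexec: 0 = success, 3010 = success with reboot pending; anything else is a failure,
    # and the task sequence should stop rather than leave the machine in the wrong group.
    if ($proc.ExitCode -notin @(0, 3010)) {
        throw "CCA install failed, msiexec exit code $($proc.ExitCode)"
    }
    return $proc.ExitCode
}

# Usage in a task sequence step that runs after the computer object has reached its final OU
$dn     = Get-ComputerDistinguishedName -FromDirectory
$ouPath = Get-OUPath -DistinguishedName $dn
$group  = Resolve-DeploymentGroup -OUPath $ouPath -Map $OuToGroup
Write-Output "$dn -> OU path '$ouPath' -> deployment group '$group'"
Install-CCA -MsiPath '\\fileserver\ivanti\CommunicationsAgent.msi' -ManagementServer 'amc01.corp.example' -GroupName $group
```

Read the DN from AD (-FromDirectory) when the install runs in the same sequence that moved the object; the registry copy is fine for a script rule that runs later, after Group Policy has refreshed. Because the installer receives an explicit GROUP_NAME, the result no longer depends on whether the weekly discovery poll has seen the new account.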

                     

                    • 7. Re: OU changes not reflected in deployment group membership
                      Wilhelm.Vietinghoff1 Rookie

                      The Management Center doesn't need a discovery poll if you install CCA with that: msiexec.exe /qn /i "<MSI file path>\CommunicationsAgent.msi" WEB_SITE="https://<Management Server"

                      That's what we were doing in the past with NetBIOS-based membership rules. The problem we had with container-based rules we have solved by moving the computer account to the final OU first and then installing CCA with the exact same command line.

                       

                      Not solved: I want to move already registered computers to another deployment group without the need of doing that manually in Management Center. That's the ultimate goal.

                      • 8. Re: OU changes not reflected in deployment group membership
                        Landon Winburn ITSMMVPGroup

                        The management server DOES need a poll to pre-assign the computers to the group. Again, as I mentioned earlier, this happens by default every week. If a machine gets the CCA installed for the first time and the management server doesn't know about it, due to the server-side discovery not having taken place, then the machine falls into the default group. The only way to prevent this is to move the computer to the proper OU, wait a week, and then install the CCA. Obviously you can reduce the server-side discovery poll interval, but you'll never get it 100%, especially through an SCCM sequence.

                         

                        Also the command line you are using doesn't have the group_name switch which is the key to properly installing the CCA using SCCM. If you update your sequence with the group_name switch you can then do a one time move of misgrouped machines and not have to worry about these machines falling into the wrong group again.

                         

                        Landon.

                        • 9. Re: OU changes not reflected in deployment group membership
                          Wilhelm.Vietinghoff1 Rookie

                          I don't agree on that. Polling is set to Once a week. CCA is installed with WEB_SITE="http://<Management Server>". Client is registered immediately to the deployment group based on the rules. No group_name parameter needed. And no, the client name was never registered before.

                           

                          But that's not what I want to discuss. I'd like to move clients, which are already registered to the Management Center, to another deployment group by changing the organizational unit of the computer account in Active Directory.

                          • 10. Re: OU changes not reflected in deployment group membership
                            Landon Winburn ITSMMVPGroup

                            Without a first hand look at your environment I can't say how that is possible but even Randy agreed above that machines must be pre-assigned via the discovery process. This is how it has always worked and has not changed to date.

                             

                            Automatically moving machines based on membership rules is on the road map for a future release of the AMC. Until then you'd have to use SQL or other scripting techniques to move the machines manually.

                             

                            If you want to use SQL, here is the code:

                             

                            DECLARE @GroupName varchar(255)
                            SET @GroupName = 'TEST' --Set the desired group name here

                            -- Note: if no group has exactly that name the subquery yields NULL and GroupFK is set to NULL
                            UPDATE [Machines]
                            SET
                                   ModifiedTime = GETUTCDATE(),
                                   GroupFK = (SELECT GroupPK FROM Groups WHERE Name = @GroupName)
                            FROM [Machines]
                            WHERE [Machines].NetBiosName = 'WIN7-1' --Put the name of the machine here

                             

                            I've also wrapped this up in an exe so you don't need sqlcmd to run it. From the endpoint, run UpdateDeploymentGroup.exe SQLServer\Instance DatabaseName GroupName. This will move the machine to the target group.

                             

                            Next up is the powershell method. Script below...

                             

                            #modify to suit your environment
                            $amcServer = 'super-duper-AMC-01'
                            $targetGroupName = 'Some Amazing Deployment Group'

                            # note: USERDNSDOMAIN is a per-user variable and is empty when this runs as SYSTEM
                            $machineFQDN = "$env:COMPUTERNAME.$env:userdnsdomain"

                            # connect to the web services - make sure you're running this as an account with appropriate AMC rights
                            $groupProxy = New-WebServiceProxy -Uri "http://$amcServer/ManagementServer/DataAccess/Groups.asmx" -UseDefaultCredential
                            $machinesProxy = New-WebServiceProxy -Uri "http://$amcServer/ManagementServer/DataAccess/Machines.asmx" -UseDefaultCredential

                            # get the GUIDs of the target group and the machine to be moved
                            $targetGroupKey = ($groupProxy.GetGroups($false).Groups | Where-Object {$_.Name -eq $targetGroupName}).GroupKey
                            $machineResult = $machinesProxy.GetFromDNS($machineFQDN,$false)

                            # do the move
                            $machinesProxy.Move($targetGroupKey, @($machineResult.Machines.MachineKey))
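Both of Landon's scripts above do the move without checking that the lookups succeeded: in the SQL version a misspelled group name makes the scalar subquery return NULL and the UPDATE writes GroupFK = NULL, and in the PowerShell version the same typo yields a null $targetGroupKey. The following is an added example, not code from the thread or the product, that wraps the web-service move with those guards and derives the FQDN from Win32_ComputerSystem so it also works under SYSTEM. The web-service endpoints and the GetGroups / GetFromDNS / Move calls are taken from Landon's script and are not verified independently here; the server and group names are hypothetical.

```powershell
# Added example (not from the thread or the product): guarded move of an already-registered
# machine into a named deployment group through the AMC DataAccess web services.

function Get-LocalMachineFqdn {
    # USERDNSDOMAIN is a per-user environment variable and is empty when a script runs as
    # SYSTEM (task sequence, scheduled task), so build the FQDN from the computer system.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { throw 'Machine is not domain-joined; cannot build a domain FQDN' }
    return "$($cs.DNSHostName).$($cs.Domain)"
}

function Move-AmcMachine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AmcServer,
        [Parameter(Mandatory)][string]$TargetGroupName,
        [string]$MachineFqdn = (Get-LocalMachineFqdn),
        # Landon's script uses http; prefer https if the Management Server site offers it.
        [ValidateSet('http', 'https')][string]$Scheme = 'https'
    )
    $base     = "$Scheme`://$AmcServer/ManagementServer/DataAccess"
    # Runs as the calling account, which needs rights to move machines in the AMC.
    $groups   = New-WebServiceProxy -Uri "$base/Groups.asmx"   -UseDefaultCredential
    $machines = New-WebServiceProxy -Uri "$base/Machines.asmx" -UseDefaultCredential

    # Exactly one group must match by exact name; a typo must not turn into a null key.
    $matchedGroups = @($groups.GetGroups($false).Groups | Where-Object { $_.Name -eq $TargetGroupName })
    if ($matchedGroups.Count -ne 1) {
        throw "Expected exactly one deployment group named '$TargetGroupName', found $($matchedGroups.Count)"
    }
    $targetGroupKey = $matchedGroups[0].GroupKey

    # Same rule for the machine: refuse to proceed on zero or ambiguous results.
    $matchedMachines = @($machines.GetFromDNS($MachineFqdn, $false).Machines)
    if ($matchedMachines.Count -ne 1) {
        throw "Expected exactly one registered machine for '$MachineFqdn', found $($matchedMachines.Count)"
    }
    $machineKey = $matchedMachines[0].MachineKey

    # -WhatIf lets the lookups run without touching the database.
    if ($PSCmdlet.ShouldProcess($MachineFqdn, "Move to deployment group '$TargetGroupName'")) {
        $machines.Move($targetGroupKey, @($machineKey))
    }

    [pscustomobject]@{
        Machine    = $MachineFqdn
        MachineKey = $machineKey
        Group      = $TargetGroupName
        GroupKey   = $targetGroupKey
    }
}

# Usage: dry run first to confirm both lookups resolve, then the real move.
Move-AmcMachine -AmcServer 'amc01.corp.example' -TargetGroupName 'Berlin Workstations' -WhatIf
Move-AmcMachine -AmcServer 'amc01.corp.example' -TargetGroupName 'Berlin Workstations'
```

Run it from a scheduled task or a Group Policy startup script after the computer object has been moved, passing the group name that corresponds to the new OU; the function deliberately takes the group as a parameter rather than deciding it, so the OU-to-group mapping lives in one place.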

                            • 11. Re: OU changes not reflected in deployment group membership
                              Wilhelm.Vietinghoff1 Rookie

                              That's great! Thanks, Landon!

                               

                              Btw: In the 10.1 Product Guide on page 26 I found the reason why the registration works for us without polling:

                              "Deployment Agent is installed manually from the command line including a valid Management Server URL

                              and optionally, a specific Deployment Group with which to self-register.

                              NOTE: The Deployment Agent can only self-register if Allow self-registration is selected in Home >

                              Deployment Groups > [Deployment Group] > Settings > General tab > Deployment Agent

                              Permissions."
                              We have self-registration enabled on every deployment group.

                              • 12. Re: OU changes not reflected in deployment group membership
                                Landon Winburn ITSMMVPGroup

                                Just for clarification, self-registration works in conjunction with the website= command line switch. Without that the checkbox does nothing.

                                 

                                Landon.