1 Reply Latest reply on Feb 1, 2018 2:07 AM by phoffmann

    2017.3 client not updating AD location

    CentreShane Rookie

      We have a new Endpoint Manager implementation and I'm trying to understand how/how often the AD location is updated for a client. We want to use AD OUs as targets for tasks. When I move a machine from one OU to another it doesn't seem to update after a patch or inventory scan. I'm assuming that the agent is pulling this information from the client, because there doesn't seem to be a task to update EM with AD information directly. Is the problem the delay between times that the client logs into AD and refreshes its location information?

        • 1. Re: 2017.3 client not updating AD location
          phoffmann SupportEmployee

          So a few things:

          • AD information is gathered via LDAPWHOAMI.EXE -- you can just run that binary (do it via a CMD box) and see what output it gathers.
            It collects group memberships for both the DEVICE and the USER CONTEXT that the scan launches in. So "logoff + logon" may be needed for some logoff-shy users.

            Hint - commonly useful inventory scanner options to use are:
            • "/F" -- force a software scan.
            • "/v" -- "verbose" / GUI enabled scan. Shows you a progress bar and will show if there are any errors during the scan. Normally those go silent otherwise.
            • "/sync" -- force the sending of a FULL, non-delta inventory scan file (re-sync up with the Core).
          • LDAPWHOAMI is technically part of the software scan, and by default we only collect for software scan data 1x per day, unless you specify the "/F" flag (force the software scan). The rest depends on your inventory scanning schedule.

            I.e. - if you only set it up to run 1x per week, then you're not going to see an update very fast, for instance. However, you can just schedule a task from the Core to kick off a full inventory scan.
          • Another thing to check is to make sure that you don't have your inventory scan error out. Check the Core's APPLICATION NT-event log for errors from the LANDesk Inventory server service. Specifically error 4100 (Error scan because of "something failed with the DB" such as "a column is too short"), or event ID 2391 ("Out of sync" notification - client will be marked for sending a non-delta scan next time to get back into sync).

            On a related note, check the - (...)\ManagementSuite\LDScan\ - directory on the Core to make sure you've not got files backing up there / files are being processed. Maybe your inventory service has hung / stopped / needs a re-start / whatever, and things aren't being processed as a result?
          • Do note that user context is important. If you schedule the scan to run only via (say) our scheduler, but not at logon, then the scan will always run as LOCAL SYSTEM user context rather than "Bob from accounting" or whatnot. This means you'll only get AD information for the device, but not necessarily the logged on user!

          That should cover most bases for you to start looking at / making sense of what is / isn't happening.

           

          The basic "get AD information" is really as easy as "run LDAPWHOAMI" ... the rest tends to be reasons of why your data isn't coming in.
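
The Core-side checks from the reply above (event IDs 4100 and 2391 in the Application log, a stopped inventory service, files piling up in LDScan), as an added PowerShell example that is not part of the original thread or of the product. The LDScan path is a placeholder because the post elides it; the `*Inventory*` name wildcards, the look-back window and the staleness threshold are assumptions to adjust.

```powershell
# Added example; run on the Core server in an elevated PowerShell session.
param(
    # Placeholder: the post elides the install root as "(...)", so pass the real path.
    [string]$LDScanPath   = '<install root>\ManagementSuite\LDScan',
    [int]$LookbackDays    = 7,    # assumed look-back window
    [int]$StaleMinutes    = 30    # assumed age at which a scan file counts as stuck
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Event IDs named in the post: 4100 (scan rejected, DB-side problem), 2391 (out of sync).
# Event IDs are not unique across providers, so narrow by provider name.
# The '*Inventory*' wildcard is an assumption; check the Source column in Event Viewer.
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Id = 4100, 2391; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Inventory*' }

if ($events) {
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            Latest  = ($_.Group | Sort-Object TimeCreated -Descending |
                       Select-Object -First 1).TimeCreated
        }
    } | Format-Table -AutoSize
    # The message text usually names the device and the failing column or attribute.
    $events | Sort-Object TimeCreated -Descending |
        Select-Object -First 5 TimeCreated, Id, Message | Format-List
} else {
    "No 4100/2391 events from an inventory provider in the last $LookbackDays day(s)."
}

# A stopped or hung inventory service leaves scans unprocessed (display-name wildcard assumed).
Get-Service -DisplayName '*Inventory*' | Format-Table Status, Name, DisplayName -AutoSize

# Scan files that sit in LDScan past the threshold suggest nothing is processing them.
if (Test-Path -LiteralPath $LDScanPath) {
    $files = @(Get-ChildItem -LiteralPath $LDScanPath -File)
    $stale = @($files | Where-Object { $_.LastWriteTime -lt (Get-Date).AddMinutes(-$StaleMinutes) })
    '{0} file(s) waiting in {1}; {2} older than {3} minutes.' -f `
        $files.Count, $LDScanPath, $stale.Count, $StaleMinutes
    $stale | Sort-Object LastWriteTime | Select-Object -First 10 Name, Length, LastWriteTime
} else {
    Write-Warning "LDScan path not found: $LDScanPath (set -LDScanPath to the Core's real path)."
}
```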