ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Computers getting policies they were not defined to get

book

Article ID: 173014

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

Policies have been defined to go to a set of computers with an exclude defined ended up going to computers in the exclude filter.

Cause

There is a very unlikely scenario where during a filter update an excluded computer could fall briefly into a target allowing things to run on computers that should have been excluded.

For example:

  • A Maintenance Window policy has a target with the following definition
    • Include all Windows Workstations
    • Exclude a specific location like US or South America

When the Delta Resource Membership Update runs it clears the membership of the filter first then rebuilds it.  If this takes 1 second and a computer that was in the exclude example above checked in, in the middle of that 1 second it could possibly get the policy if the membership cache was out of date and it had to evaluate its applicability again.

NOTE: An updated version of this stored procedure was added to our ITMS 8.5 release.

 

Environment

8.1

Resolution

To resolve this backup the existing stored procedure spResourceTargetDeltaUpdate and execute the attached file against the Symantec_CMDB database to create an updated version that does not clear the membership as the initial step.

 

Attachments

spResourceTargetDeltaUpdate_New.sql get_app