How to create DSM Query which uses AD directories with nested goups ?


Article ID: 236794


Products

CA Client Automation - IT Client Manager
CA Client Automation
CA Client Automation - Asset Management

Issue/Introduction

How to create a DSM Query which uses AD directories with nested groups?
 
In DSM Query it is possible to create queries on Active Directory groups.
But such a query returns only the computers that are direct members of the selected group; it does not search recursively, so computers that belong only to nested (member) groups are missed.
 
How to create a DSM Query which returns all computers of an AD group recursively, including those in nested groups?
 

Environment

Client Automation - Any Versions

Cause

Example :
 
In Active Directory there are 3 domain local groups:
 
GROUP LEVEL 1
GROUP LEVEL 2
GROUP LEVEL 3
 
GROUP LEVEL 1 contains the computer TESTJY1 and the group GROUP LEVEL 2
GROUP LEVEL 2 contains the computer TESTJY2 and the group GROUP LEVEL 3
GROUP LEVEL 3 contains the computer TESTJY3
 
 
In DSM Explorer, a DSM query with a Directory Query argument for computer members of 'GROUP LEVEL 2' returns only the computer TESTJY2.
 
TESTJY3, which is a member of 'GROUP LEVEL 2' only through the nested group 'GROUP LEVEL 3', is not returned.
The search is not done recursively.

Resolution

The following workaround can be used.

Based on the above example :

 
1- In Active Directory, find an OU (Organizational Unit) which contains all computers that should be returned by the query. The computers may sit in sub-OUs, because the directory query on the OU can be made recursive.
Example :
TESTJY1 belongs to OU OU_TESTJY1
TESTJY2 belongs to OU OU_TESTJY2
TESTJY3 belongs to OU OU_TESTJY3
 

If the DSM query should return TESTJY2 and TESTJY3, the "ALL COMPUTERS" OU, which contains these OUs, should be used.

 

2- In DSM Explorer, create a DSM Query with a Directory argument like this :

* Select the OU determined in step 1
 
* Check the box "Search recursive"
 
* Double-click on the memberOf attribute and enter the distinguished name (DN) of the AD group:
 
Example for group "GROUP LEVEL 2"
CN=GROUP LEVEL 2,DC=testjy,DC=com

 

 

At this point the DSM query still returns only TESTJY2 (and not TESTJY3): a plain memberOf filter matches direct members only.

 

3- Save the query and export its definition into a .cmsobj file

 

4- Edit the .cmsobj file with Notepad (or any plain-text editor).
 
Find the [argument_N] section of the AD query (its sql line starts with ldap://).
 
In the attribute_filter line, insert :1.2.840.113556.1.4.1941: between memberOf and =, so that (memberOf=...) becomes (memberOf:1.2.840.113556.1.4.1941:=...). The pseudo line, the human-readable description of the argument, does not need to be changed:
 
[argument_1]
type=10
pseudo=(Computers of 'ALL COMPUTERS'), recursive, filter: (memberOf=CN=GROUP LEVEL 2,DC=testjy,DC=com)
sql=ldap://testjy.com/ou=all computers,dc=testjy,dc=com
valid=1
query_type=4
search_recursive=1
attribute_filter=(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP LEVEL 2,DC=testjy,DC=com)
target_field=
 
 
Remark : 1.2.840.113556.1.4.1941 is the OID of LDAP_MATCHING_RULE_IN_CHAIN, an Active Directory extensible matching rule. It is evaluated by the domain controller (Windows Server 2003 SP2 and later), and the value after := must be the complete DN of the group; wildcards are not accepted with this rule.
 
Save the modification in file.
 
 
5- In DSM Explorer, import the definition into DSM Query:
 
 
Select the updated .cmsobj file
and save the new query.
 
This new query returns TESTJY2 and TESTJY3.
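As an added example (not part of this article and not a CA Client Automation tool), the following Python script performs step 4 automatically on an exported .cmsobj file, so the edit is not done by hand in Notepad. It assumes the file is INI-style text as shown above and that a directory argument can be recognised by its sql=ldap:// line; the sample content embedded in the script is constructed from the argument above. Only the attribute_filter value changes; the rest of the file, including the pseudo line, is written back unchanged.

```python
"""Added example (not from the article or the product): insert the
LDAP_MATCHING_RULE_IN_CHAIN OID into the memberOf filter of every LDAP
directory argument of an exported DSM query (.cmsobj)."""
import re
import sys

IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"  # OID of LDAP_MATCHING_RULE_IN_CHAIN

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
KEYVAL_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")
MEMBEROF_RE = re.compile(r"\(\s*memberOf\s*=", re.IGNORECASE)

# Constructed sample (assumption: this is what "export definition" produces):
# a header section plus the argument section from the article, unpatched.
SAMPLE_CMSOBJ = """[query]
name=Computers in GROUP LEVEL 2 (recursive)

[argument_1]
type=10
pseudo=(Computers of 'ALL COMPUTERS'), recursive, filter: (memberOf=CN=GROUP LEVEL 2,DC=testjy,DC=com)
sql=ldap://testjy.com/ou=all computers,dc=testjy,dc=com
valid=1
query_type=4
search_recursive=1
attribute_filter=(memberOf=CN=GROUP LEVEL 2,DC=testjy,DC=com)
target_field=
"""


def make_memberof_transitive(attribute_filter: str) -> str:
    """Rewrite every (memberOf=<DN>) clause as (memberOf:<OID>:=<DN>).
    A clause that already carries a matching rule does not match MEMBEROF_RE,
    so running the function twice changes nothing (idempotent)."""
    return MEMBEROF_RE.sub(f"(memberOf:{IN_CHAIN_RULE}:=", attribute_filter)


def split_sections(lines):
    """Group line indexes by [section] header, preserving file order."""
    sections, name, members = [], None, []
    for i, line in enumerate(lines):
        m = SECTION_RE.match(line.rstrip("\r\n"))
        if m:
            if name is not None:
                sections.append((name, members))
            name, members = m.group(1), []
        elif name is not None:
            members.append(i)
    if name is not None:
        sections.append((name, members))
    return sections


def patch_cmsobj(text: str) -> str:
    """Return the cmsobj text with the in-chain rule added to the memberOf
    filter of each LDAP argument. Only the attribute_filter value is changed;
    every other line (including the pseudo label) is preserved as-is."""
    lines = text.splitlines(keepends=True)
    for _, idxs in split_sections(lines):
        keys = {}
        for i in idxs:
            body = lines[i].rstrip("\r\n")
            kv = KEYVAL_RE.match(body)
            if kv:
                # (line index, text up to and including "=", value)
                keys[kv.group(1).lower()] = (i, body[:kv.start(2)], kv.group(2))
        sql = keys.get("sql")
        if sql is None or not sql[2].strip().lower().startswith("ldap://"):
            continue  # assumption: only ldap:// arguments are AD directory queries
        if "attribute_filter" not in keys:
            continue
        i, prefix, value = keys["attribute_filter"]
        line_end = lines[i][len(lines[i].rstrip("\r\n")):]  # keep \n or \r\n
        lines[i] = prefix + make_memberof_transitive(value) + line_end
    return "".join(lines)


if __name__ == "__main__":
    # Usage: python patch_cmsobj.py exported.cmsobj > patched.cmsobj
    # (encoding assumed UTF-8; newline="" preserves the file's line endings)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", newline="") as fh:
            src = fh.read()
    else:
        src = SAMPLE_CMSOBJ
    sys.stdout.write(patch_cmsobj(src))
```

Run it on the exported file and import the output in step 5; because the rewrite is idempotent, running it on a file that was already patched (or exported from a CU7 system) leaves the file unchanged.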
 
 
Remarks :
This fix is included in CU7, so the workaround above is not needed once CU7 is applied on the Domain Manager and on every remote DSM Explorer.
 
 
Create DSM Query on AD Groups with recursive search:
DSM Queries created on Active Directory groups did not perform a recursive search on nested groups. The filters used for recursive AD group searches have been changed: the query templates now include the LDAP matching rule that instructs the directory to search recursively, and queries created from these templates return the members of nested groups.
 
With the CU7 patch, the string :1.2.840.113556.1.4.1941: is added automatically to the memberOf filter.
 

Additional Information

With this argument :

[argument_1]
type=10
pseudo=(Computers of 'ALL COMPUTERS'), recursive, filter: (memberOf=CN=GROUP LEVEL 2,DC=testjy,DC=com)
sql=ldap://testjy.com/ou=all computers,dc=testjy,dc=com
valid=1
query_type=4
search_recursive=1
attribute_filter=(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP LEVEL 2,DC=testjy,DC=com)
target_field=
 
A recursive AD query on the Organizational Unit (OU) "ALL COMPUTERS" is made.
 
All computers inside this OU and its sub-OUs are candidates (TESTJY1, TESTJY2, TESTJY3).
 
The attribute filter then keeps only the candidates that are members of group "GROUP LEVEL 2".
The matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the domain controller follow the group nesting chain, so TESTJY3 (member of GROUP LEVEL 3, which is itself a member of GROUP LEVEL 2) is matched as well as the direct member TESTJY2, while TESTJY1 is excluded. The search base also limits the result: a computer that is in the group but outside "ALL COMPUTERS" is not returned, which is why step 1 asks for an OU that contains every expected computer.
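As an added illustration (example code, not from the article or from CA Client Automation), the following Python models how a domain controller evaluates the two filters in this argument, using the article's objects. The DNs are constructed for the example (each computer is placed under its OU inside "ALL COMPUTERS", and the groups use the DN form shown above); the script is an in-memory simulation, not an LDAP client, and does not talk to Active Directory. It shows the plain memberOf filter, the in-chain filter, and the effect of the search base and of search_recursive on the same data.

```python
"""Added example (not from the article or the product): toy model of
(memberOf=DN) versus (memberOf:1.2.840.113556.1.4.1941:=DN) evaluation
over the article's groups and computers."""

IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

G1 = "CN=GROUP LEVEL 1,DC=testjy,DC=com"
G2 = "CN=GROUP LEVEL 2,DC=testjy,DC=com"
G3 = "CN=GROUP LEVEL 3,DC=testjy,DC=com"
ALL_COMPUTERS = "OU=ALL COMPUTERS,DC=testjy,DC=com"

# Constructed directory: DN -> attributes. memberOf is the back-link AD
# maintains, so TESTJY3 lists only GROUP LEVEL 3, never GROUP LEVEL 2.
DIRECTORY = {
    G1: {"objectClass": "group", "memberOf": []},
    G2: {"objectClass": "group", "memberOf": [G1]},
    G3: {"objectClass": "group", "memberOf": [G2]},
    "CN=TESTJY1,OU=OU_TESTJY1," + ALL_COMPUTERS: {"objectClass": "computer", "memberOf": [G1]},
    "CN=TESTJY2,OU=OU_TESTJY2," + ALL_COMPUTERS: {"objectClass": "computer", "memberOf": [G2]},
    "CN=TESTJY3,OU=OU_TESTJY3," + ALL_COMPUTERS: {"objectClass": "computer", "memberOf": [G3]},
}


def memberof_equals(obj, group_dn, directory=DIRECTORY):
    """(memberOf=<DN>): plain equality, direct members only."""
    return group_dn in obj["memberOf"]


def memberof_in_chain(obj, group_dn, directory=DIRECTORY):
    """(memberOf:1.2.840.113556.1.4.1941:=<DN>): follow memberOf links
    through nested groups until <DN> is reached. The visited set guards
    against accidental group cycles."""
    seen, todo = set(), list(obj["memberOf"])
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        if g == group_dn:
            return True
        todo.extend(directory.get(g, {}).get("memberOf", []))
    return False


def in_scope(dn, base_dn, recursive):
    """Subtree search (search_recursive=1) versus one level under base_dn."""
    parent = dn.partition(",")[2]  # DN minus its RDN; fine for these unescaped DNs
    if recursive:
        return dn.lower().endswith("," + base_dn.lower())
    return parent.lower() == base_dn.lower()


def run_query(base_dn, recursive, group_dn, in_chain, directory=DIRECTORY):
    """Names of computers under base_dn that satisfy the chosen memberOf filter."""
    match = memberof_in_chain if in_chain else memberof_equals
    return sorted(
        dn.partition(",")[0][len("CN="):]
        for dn, obj in directory.items()
        if obj["objectClass"] == "computer"
        and in_scope(dn, base_dn, recursive)
        and match(obj, group_dn, directory)
    )


if __name__ == "__main__":
    print("plain memberOf    :", run_query(ALL_COMPUTERS, True, G2, in_chain=False))
    print("in-chain memberOf :", run_query(ALL_COMPUTERS, True, G2, in_chain=True))
    print("base OU too narrow:", run_query("OU=OU_TESTJY2," + ALL_COMPUTERS, True, G2, in_chain=True))
    print("not recursive     :", run_query(ALL_COMPUTERS, False, G2, in_chain=True))
```

The last two cases are the ones that trip people up in practice: the in-chain rule only widens the group match, it never widens the search base, so an OU that does not contain the computer, or a non-recursive search of an OU whose computers sit in sub-OUs, still returns nothing. Against a live domain the same filter string can be checked with any LDAP client (for example Get-ADComputer -LDAPFilter with -SearchBase set to the OU and -SearchScope Subtree) before the edited cmsobj is imported.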