
How to create a DSM Query that uses AD directories with nested groups?

Article ID: 236794

Products

CA Client Automation - IT Client Manager CA Client Automation CA Client Automation - Asset Management

Issue/Introduction

How can a DSM Query be created that uses AD directories with nested groups?
 
In DSM Query it is possible to create queries on Active Directory groups.
However, such a query returns only the computers directly inside the selected group; it does not work recursively.
 
How can a DSM Query be created that returns all computers in AD groups recursively?
 

Cause

Example:
 
In Active Directory there are 3 Domain local groups:
 
GROUP LEVEL 1
GROUP LEVEL 2
GROUP LEVEL 3
 
GROUP LEVEL 1 contains the computer TESTJY1 and the group GROUP LEVEL 2
GROUP LEVEL 2 contains the computer TESTJY2 and the group GROUP LEVEL 3
GROUP LEVEL 3 contains the computer TESTJY3
 
In DSM Explorer, a DSM query with a Directory Query argument for Computer members of 'GROUP LEVEL 2' returns only computer TESTJY2.
 
TESTJY3 is not returned.
No recursive search is performed.

Environment

Client Automation - Any Versions

Resolution

The following workaround can be used.

Based on the above example:

 
1- In Active Directory, find an OU (Organizational Unit) that contains all computers which should be returned by the query (recursive search is allowed).
Example:
TESTJY1 belongs to OU OU_TESTJY1
TESTJY2 belongs to OU OU_TESTJY2
TESTJY3 belongs to OU OU_TESTJY3
 

If the DSM query should return TESTJY2 and TESTJY3, the "ALL COMPUTERS" OU should be used.

 

2- In DSM Explorer, create a DSM Query with a Directory Argument like this:

* Select the OU determined in step 1
 
* Check the box "Search recursive"
 
* Double-click the memberOf attribute and enter the URI name of the AD group:
 
Example for group "GROUP LEVEL 2"
CN=GROUP LEVEL 2,DC=testjy,DC=com

 

 

At this point the DSM query still returns only TESTJY2 (and not TESTJY3).

 

3- Save the query and export its definition into a .cmsobj file.

 

4- Edit the .cmsobj file with Notepad.
 
Find the section for the AD Query.
 
In attribute_filter, insert :1.2.840.113556.1.4.1941: between memberOf and the = sign:
 
[argument_1]
type=10
pseudo=(Computers of 'ALL COMPUTERS'), recursive, filter: (memberOf=CN=GROUP LEVEL 2,DC=testjy,DC=com)
sql=ldap://testjy.com/ou=all computers,dc=testjy,dc=com
valid=1
query_type=4
search_recursive=1
attribute_filter=(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP LEVEL 2,DC=testjy,DC=com)
target_field=
 
 
Remark: 1.2.840.113556.1.4.1941 is the OID for LDAP_MATCHING_RULE_IN_CHAIN.
 
Save the modified file.
 
 
5- In DSM Explorer, import the definition into DSM Query.
 
 
Select the updated .cmsobj file
and save the new query.
 
This new query returns TESTJY2 and TESTJY3.
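
The edit from step 4 can be scripted when several exported queries need the same change. The following is an added example, not part of the original article or of Client Automation: the function name add_in_chain and the sample text are constructed here, and it assumes the export is plain key=value text as shown in step 4.

```python
import re

IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

# Matches a plain "(memberOf=" clause. A clause that already carries a
# matching rule ("memberOf:<oid>:=") does not match, so a second run
# changes nothing.
_PLAIN_MEMBEROF = re.compile(r"\(\s*(memberOf)\s*=", re.IGNORECASE)


def add_in_chain(cmsobj_text):
    """Return (new_text, n), n being the number of memberOf clauses rewritten.

    Only attribute_filter= lines are touched; the pseudo= display line and
    every other key are left exactly as exported.
    """
    out, changed = [], 0
    for line in cmsobj_text.splitlines(keepends=True):
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "attribute_filter":
            value, n = _PLAIN_MEMBEROF.subn(
                lambda m: "(%s:%s:=" % (m.group(1), IN_CHAIN_OID), value)
            changed += n
            line = key + sep + value
        out.append(line)
    return "".join(out), changed


# Constructed sample: the argument section as it looks after the export in
# step 3, before the manual edit of step 4.
SAMPLE = """[argument_1]
type=10
pseudo=(Computers of 'ALL COMPUTERS'), recursive, filter: (memberOf=CN=GROUP LEVEL 2,DC=testjy,DC=com)
sql=ldap://testjy.com/ou=all computers,dc=testjy,dc=com
valid=1
query_type=4
search_recursive=1
attribute_filter=(memberOf=CN=GROUP LEVEL 2,DC=testjy,DC=com)
target_field=
"""

if __name__ == "__main__":
    patched, count = add_in_chain(SAMPLE)
    print(patched)
    print("clauses rewritten:", count)
```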

Additional Information

With this argument:

[argument_1]
type=10
pseudo=(Computers of 'ALL COMPUTERS'), recursive, filter: (memberOf=CN=GROUP LEVEL 2,DC=testjy,DC=com)
sql=ldap://testjy.com/ou=all computers,dc=testjy,dc=com
valid=1
query_type=4
search_recursive=1
attribute_filter=(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP LEVEL 2,DC=testjy,DC=com)
target_field=
 
A recursive AD query is made on the Organizational Unit (OU) "ALL COMPUTERS".
 
All computers inside this OU and its sub-OUs are returned (TESTJY1, TESTJY2, TESTJY3).
 
Then a filter on membership of the group "GROUP LEVEL 2" is applied.
The OID 1.2.840.113556.1.4.1941 tells LDAP to apply this filter recursively.
