Updated AD Group Membership Custom MP
Several years ago, a colleague of mine, Steve Rachui, blogged about a custom management pack template that supports discovery of AD security group membership for agent-managed Windows systems. Recently I was working with this management pack for a customer and identified an opportunity to make minor optimizations to the logic of the discovery script. First, instead of relying on Operations Manager to discover the distinguished name for the computer object in Active Directory and pass it as an argument to the script, I determined it was best to handle this in the script. Second, in an enterprise deployment of Active Directory with thousands of objects defined, the discovery script may not complete successfully because it is missing the command object property Page Size with a value of 1,000. By default, a query against Active Directory using ADO returns only the first 1,000 objects, regardless of how many are defined. The property is now included, which ensures the discovery can search all group objects and return the expected results: the AD groups the agent-managed system is a member of.
The updated MP is included here for you to utilize. Please refer to Steve’s blog posting on how to configure and use this MP.
WindowsServer.ADGroupMembership.xml
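The two changes described above, sketched as an added VBScript example; this is not the script shipped in the management pack. It assumes a domain-joined machine, searches from the default naming context, and uses a member= filter that returns direct group membership only. The EscapeLdapFilter helper and the semicolon-separated output are illustrative choices.

```vbscript
Option Explicit

' Escape a value for use inside an LDAP search filter (RFC 4515),
' so a DN containing \ * ( or ) cannot alter the filter.
Function EscapeLdapFilter(value)
    Dim s
    s = Replace(value, "\", "\5c")   ' backslash must be replaced first
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdapFilter = s
End Function

Dim computerDN, domainDN, conn, cmd, rs, groups

' Change 1: resolve the computer's distinguished name inside the script
' instead of receiving it as an argument from Operations Manager.
computerDN = CreateObject("ADSystemInfo").ComputerName
domainDN = GetObject("LDAP://RootDSE").Get("defaultNamingContext")

Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"

Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn

' Change 2: enable paging. Without Page Size the ADO query stops
' after the first 1,000 objects, however many exist in the directory.
cmd.Properties("Page Size") = 1000

' LDAP dialect: <base>;(filter);attributes;scope
cmd.CommandText = "<LDAP://" & domainDN & ">;" & _
    "(&(objectCategory=group)(member=" & EscapeLdapFilter(computerDN) & "));" & _
    "name;subtree"

Set rs = cmd.Execute
groups = ""
Do Until rs.EOF
    groups = groups & rs.Fields("name").Value & ";"
    rs.MoveNext
Loop
rs.Close
conn.Close

' Illustrative output: one string of group names for this computer.
WScript.Echo groups
```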
Comments
Anonymous
September 25, 2013
First you need to add the Groups in SCOM to the AD Security Group membership management pack (NOT a separate management pack). Also, you changed the class from the original Steve Rachui post, and when you do the cut and paste you MUST change the class that Steve used or the MP will not update. The new element should look like this. The new Expression section should look like this:

    <Expression>
      <Contains>
        <MonitoringClass>$MPElement[Name='WindowsServer.ADGroupMembers']$</MonitoringClass>
        <Expression>
          <RegExExpression>
            <ValueExpression>
              <Property>$MPElement Name='WindowsServer.ADGroupMembers']/ADGroupMembership$</Property>
            </ValueExpression>
            <Operator>ContainsSubstring</Operator>
            <Pattern>This should have the AD group name here</Pattern>
          </RegExExpression>
        </Expression>
      </Contains>
    </Expression>

Anonymous
December 22, 2014
Thanks so much, this will be useful in our environment!
BTW, you have a typo in your comment: There's a [ short in
$MPElement[Name='WindowsServer.ADGroupMembers']/ADGroupMembership$