ad sync for containers

Comments

18 comments

  • Adam Ruth

    You can have dynamic collections that filter on the Active Directory Path or Distinguished Name.  Then when computers are sync'd from AD they will show up in the proper collections.

    Also, for a future update, we're going to create automatic collections based on the AD structure of computers in AD.

  • Shane Corellian

    Hi Jonathan,

    A better way to state the AD Sync isn't that it only places computers into the All Computers collection. It performs two functions:

    1. It automatically adds (or deletes) computers in your AD Sync paths into PDQ Inventory.
    2. It updates the Active Directory data for each respective computer record in the PDQ Inventory DB.

    This means that you can create collections based on the Active Directory data for each computer (path, description, etc.). Refer to the image below. You can see that I have created three sub collections called OU1, OU2, and OU3 under a top collection called AD. Each collection has one filter: show computers whose paths contain either OU1, OU2 or OU3 (depending on the collection). This way I can always be confident that the collection membership will reflect the specific OU that each computer belongs to.

    AD_OU.png

    You can also look at the attached file called AD.bak. Rename the extension to .XML. You can import this into PDQ Inventory (CTRL+SHIFT+I) to see all three sub OUs. You will need to change the Path filter to match your environment.

  • itdept

    Ah, I see the light. So you can filter via AD path. Now, in order to filter by AD path, AD Sync must be on, correct?

  • Shane Corellian

    Short answer: You really should have AD Sync enabled.

    Long answer: AD Sync doesn't have to be enabled, but we would recommend it. If you don't have it enabled then you would need to manually add / delete computers to mirror your AD structure. Standard inventory scans would pick up your target computers' AD info, BUT they would only scan computers that had already been imported into PDQ Inventory. Computers that had been added to (or deleted from) Active Directory would not get scanned until you added them to PDQ Inventory. That would be a lot of extra work, so I would definitely set up the AD Sync.

  • itdept

    Ok, I turned on AD Sync (with delete) but one thing I noticed was that it kept computers that were not in the specified OUs. For example, I have an OU with 48 computers. In PDQ it shows 47 after the filter is applied. One computer that is no longer there wasn't deleted?

    Second issue is in filtering within the OU tree. See attached. You can see I have a TW parent OU. Underneath it I have COMPUTERS & IT > COMPUTERS. When I tried to get just the computers in TW > Computers, my filter was path contains "tw". But that got the computers under IT as well. So I did a filter by DN instead & put contains "ou=computers, ou=tw". That worked.

    I can't get it to filter properly for IT > computers. If I put path contains "IT" I get almost all computers in AD. If I put a DN contains "ou=computers, ou=it" I get 12 computers but I have 15 in the ou?

  • Adam Ruth

    I'm not sure I understand your first issue.  Are you saying that there are computers in PDQ that should not be there, or that there are computers that should be in PDQ but aren't?

    For the second issue, you can use a "starts with" filter on AD Path.  For example, to get only TW > Computers you would have the filter start with "TW/Computers/"  and for TW > IT > Computers you would use starts with "TW/IT/Computers/".

  • itdept

    First issue, I'm saying both. It's the 2nd issue as well as there being more computers than there should be. So I guess if I added something manually, it won't delete it even though I have AD sync with delete checked.

    I get an empty collection when I try "starts with".

  • Adam Ruth

    Okay, I see. The current version only deletes computers if they were brought in with a sync. We're going to add an option to override this behavior. For the filter problem, what is the AD path as shown on the computer window? You may have a prefix that needs to be included.

  • itdept

    ????? There is no prefix. It's what it looks like: "tw/it/computers". Exact copy from the computer window:

    TW/IT/Computers/

  • Shane Corellian

    I'll just add to Adam's statement. The current AD Sync will delete computers from the PDQ Inventory DB ONLY if those computers were originally added to the DB via the AD Sync process. Computer objects that were added to Inventory via the Add Computers (CTRL+SHIFT+A) will not be deleted via the AD Sync.

    Adam mentioned that we are going to allow this behavior to happen in a future version. This is true.

    However, at this time, if you want to have the AD Sync process determine which computers are in your Inventory DB then I would suggest deleting all the current computers (from your All Computers collection highlight all the computers and hit DELETE key) from Inventory and then allowing the AD Sync process to add them to the Database. This way if, in the future, one of those computers gets moved to a non-synced OU or gets deleted from Active Directory then that computer will, at the next sync interval, be deleted from PDQ Inventory.

    In my environment I deleted all the computers from my Inventory. I then set up AD Sync to Sync all computers under the TW OU (which is at the root of my AD domain). I also checked the Include Sub-tree check box to allow all computers UNDER TW to be synced with PDQ Inventory. However, I created an exclusion for any computer under the OU TW/IT. Since Exclusions take precedence over Inclusions all computers under the TW OU were added to my PDQ Inventory EXCEPT for systems under TW/IT. See the screenshots below.

    AD_Sync_-_Include_and_Exclude.png

    AD_Sync_-_Include_and_Exclude_part_II.png

    I verified that any computer object in TW/IT or lower was not added to my PDQ Inventory DB. Any computer in or under TW (except for those under TW/IT) was added to my DB.

    As for the Path that you mentioned as not having a prefix: the Path as shown in PDQ Inventory will show the path past the root (domain) down to the computer name. Since TW is the first OU after the domain, it will show up as the first entry in the Path. For example, the computer Archer is in the OU Computers under TW. TW is at the root of the TEST domain. The AD Path for Archer is TW/Computers/Archer. The path for the computer Ike is TW/Servers. If you want to reference the domain name in your PDQ Inventory Collection filters then you should use the Distinguished Name.

  • itdept

    So if I delete all computers & let AD Sync add them, will it have to go through scanning them again? Or will their scans still be there? Some are not here (laptops) & some are turned off or stored away. So I will lose their inventory.

    Ok, I figured out the issue with the filtering. I guess it would have helped if I had actually looked at one of the computers that wasn't showing up instead of one that was. For some odd reason its scan didn't pick up the AD Path, so that section was empty, hence why the filtering wasn't picking it up! Now that I've scanned it again, it shows up with the filter. Can't get the other 2 missing computers because they are stored away, but I have them in inventory at least.

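The filter behaviour discussed in this thread (a "contains" filter pulling in a child OU, "starts with" plus the trailing slash isolating one OU, and a computer whose scan left AD Path empty so no path filter can find it), modelled in Python as an added example. This is not PDQ Inventory's code; the field names, the sample computers and case-insensitive matching are assumptions.

```python
"""AD Path / DN collection filters from the thread, as an added example.

Not PDQ Inventory's code. Assumptions: each computer record carries an
"AD Path" (OUs below the domain root, slash-separated, ending in the
computer name) and a "Distinguished Name"; the "contains" and "starts
with" operators compare case-insensitively, as the user's lower-case "tw"
filter implies.
"""

# Constructed records for the thread's tree: TW > Computers, TW > Servers,
# TW > IT > Computers, plus one computer whose scan never filled in AD Path
# (the cause of the missing-computer problem found later in the thread).
COMPUTERS = [
    {"name": "Archer", "ad_path": "TW/Computers/Archer",
     "dn": "CN=Archer,OU=Computers,OU=TW,DC=test,DC=local"},
    {"name": "Ike", "ad_path": "TW/Servers/Ike",
     "dn": "CN=Ike,OU=Servers,OU=TW,DC=test,DC=local"},
    {"name": "Lana", "ad_path": "TW/IT/Computers/Lana",
     "dn": "CN=Lana,OU=Computers,OU=IT,OU=TW,DC=test,DC=local"},
    {"name": "Cyril", "ad_path": "",  # AD Path empty: scan did not pick it up
     "dn": "CN=Cyril,OU=Computers,OU=IT,OU=TW,DC=test,DC=local"},
]


def match(field, op, value, records=COMPUTERS):
    """Names selected by one collection filter: <field> <op> <value>."""
    needle = value.lower()
    hits = []
    for rec in records:
        hay = rec[field].lower()
        ok = needle in hay if op == "contains" else hay.startswith(needle)
        if ok:
            hits.append(rec["name"])
    return hits


def missing_ad_path(records=COMPUTERS):
    """Computers no AD Path filter can ever match: rescan these first."""
    return [r["name"] for r in records if not r["ad_path"]]


if __name__ == "__main__":
    # "contains tw" pulls in TW/IT/Computers as well as TW/Computers ...
    print(match("ad_path", "contains", "tw"))                   # Archer, Ike, Lana
    # ... while "starts with" plus the trailing slash isolates one OU.
    print(match("ad_path", "starts with", "TW/Computers/"))     # Archer
    print(match("ad_path", "starts with", "TW/IT/Computers/"))  # Lana only
    # Cyril is only reachable through the DN until it is rescanned.
    print(match("dn", "contains", "ou=computers,ou=it"))        # Lana, Cyril
    print(missing_ad_path())                                    # Cyril
```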
  • Adam Ruth

    Until we implement the AD Sync full delete option there is an SQL command you can run in the database to mark the computers as though they were brought in by an AD Sync.  That way you won't have to delete and re-sync them.

    Download the Sqlite command-line tool:

    http://sqlite.org/sqlite-shell-win32-x86-3070800.zip

    Open the database with the sqlite3.exe tool.

    sqlite3 "%PROGRAMDATA%\admin arsenal\pdq inventory\database.db"

    Then execute the following SQL.

    update computers set ADSyncDate = current_timestamp;

    With that all of your computers will be available to be deleted by a sync.

  • itdept

    I don't understand how to run this. Where is the "programdata" directory? Did you mean "program files"?

    I don't see anything ending in a "db" extension in the "pdq inventory" folder under "program files". The closest thing I see is "database.dll" which is just a dll file.

    See attached screenshots.

  • Adam Ruth

    ProgramData is the default application data directory. Its location is different for different versions of Windows, and it's normally flagged as hidden.  There should be a %ProgramData% environment variable pointing to it.

  • itdept

    I can't find this folder on a Win 2003 server. I even set it to show hidden system files. I also did a search on the entire drive for anything ending in a *.db extension and nothing within an Admin Arsenal folder showed up. Isn't this folder a Vista/2008 folder?

  • itdept

    Ok I finally found it. I figured you meant the "application data" directory but I was thrown off with "programdata". But I am still getting an error when trying to run the command. See screenshot.

  • Adam Ruth

    Sorry, I forgot that the environment variable doesn't exist in Server 2003 for some reason.

    It looks like you need to pass the database file name as a parameter to the sqlite3 executable, and then execute the SQL:

    C:\> sqlite3 "c:\documents and settings\all users\application data\admin arsenal\pdq inventory\database.db"
    SQLite version 3.7.8 2011-09-19 14:49:19
    Enter ".help" for instructions
    Enter SQL statements terminated with a ";"
    sqlite> update computers set ADSyncDate = current_timestamp;
    sqlite>

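An added Python model of what the UPDATE above changes, run against an in-memory SQLite table rather than the real database.db. It is not PDQ Inventory's code or schema: only the table name `computers`, the column `ADSyncDate` and the rule that a sync deletes only computers it originally added come from the thread; the other columns, the NULL-means-manually-added convention and the delete check below are assumptions.

```python
"""Modelled AD Sync delete rule, as an added example (not PDQ Inventory's code).

From the thread: the table is `computers`, the column is `ADSyncDate`, and a
sync only deletes computers that a sync originally added. Everything else
(the other columns, NULL meaning "added manually", the delete check) is an
assumption used to show the effect of the one-line UPDATE.
"""
import sqlite3

# The exact statement from the thread.
PAGE_UPDATE = "update computers set ADSyncDate = current_timestamp;"


def make_db():
    """Constructed in-memory table: two synced rows, two added by hand."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE computers "
                 "(Name TEXT PRIMARY KEY, ADPath TEXT, ADSyncDate TEXT)")
    conn.executemany("INSERT INTO computers VALUES (?, ?, ?)", [
        ("Archer", "TW/Computers/Archer", "2011-10-01 08:00:00"),  # via sync
        ("Ike", "TW/Servers/Ike", "2011-10-01 08:00:00"),          # via sync
        ("Pam", "TW/Computers/Pam", None),   # Add Computers (CTRL+SHIFT+A)
        ("Ray", "TW/Computers/Ray", None),   # Add Computers, later left AD
    ])
    conn.commit()
    return conn


def sync_delete_candidates(conn, names_in_ad):
    """Names the modelled sync would delete: synced rows no longer in AD."""
    rows = conn.execute(
        "SELECT Name FROM computers WHERE ADSyncDate IS NOT NULL").fetchall()
    return sorted(name for (name,) in rows if name not in names_in_ad)


def mark_all_as_synced(conn):
    """Run the thread's UPDATE; returns how many rows still look manual."""
    conn.execute(PAGE_UPDATE)
    conn.commit()
    return conn.execute(
        "SELECT count(*) FROM computers WHERE ADSyncDate IS NULL").fetchone()[0]


def demo():
    """Before the UPDATE the stale manual row survives; afterwards it goes."""
    conn = make_db()
    in_ad = {"Archer", "Ike", "Pam"}                # Ray was removed from AD
    before = sync_delete_candidates(conn, in_ad)    # [] : Ray is "manual"
    mark_all_as_synced(conn)
    after = sync_delete_candidates(conn, in_ad)     # ['Ray']
    return before, after
```

Copy the real database.db before running the UPDATE against it; the example above never opens that file.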
  • itdept

    Ok, that did the trick. Thanks. It's been almost a month, so I had almost forgotten what the whole issue was. I guess now my computers will think they were synced from AD instead of added manually. Then when resynced again, computers that aren't in AD will get removed.
