
ad sync for containers

I've seen the AD SYNC option in preferences but as far as I can tell it is only good for importing computers to the "all computers" node & from there you have to select where to put them. If I'm wrong please correct me!

I have 3 physical locations at my company. In AD I have 3 OUs with the computers in those sites. So I've set up 3 collections in PDQ. What I would really like is if I could sync my collections with AD. So collection1 would sync to ou1 in AD, etc. Is this possible?



  • You can have dynamic collections that filter on the Active Directory Path or Distinguished Name.  Then when computers are sync'd from AD they will show up in the proper collections.

    Also, for a future update, we're going to create automatic collections based on the AD structure of computers in AD.

  • Hi Jonathan,

    A better way to state the AD Sync isn't that it only places computers into the All Computers collection. It performs two functions:

    1. It automatically adds (or deletes) computers in your AD Sync paths into PDQ Inventory.
    2. It updates the Active Directory data for each respective computer record in the PDQ Inventory DB.

    This means that you can create collections based on the Active Directory data for each computer (path, description, etc). Refer to the image below. You can see that I have created three sub collections called OU1, OU2, and OU3 under a top collection called AD. Each collection has one filter. Show computers whose paths contain either OU1, OU2 or OU3 (depending on the collection). This way I can always be confident that the collection membership will reflect the specific OU that each computer belongs to.


    You can also look at the attached file called AD.bak. Rename the extension to .XML. You can import this into PDQ Inventory (CTRL+SHIFT+I) to see all three sub OUs. You will need to change the Path filter to match your environment.

  • Ah, I see the light. So you can filter via AD path. Now in order to filter by AD path AD SYNC must be on correct?

  • Short answer: You really should have AD Sync enabled

    Long Answer: AD Sync doesn't have to be enabled but we would recommend it. If you don't have it enabled then you would need to manually add / delete computers to mirror your AD structure. Standard inventory scans would pick up your target computers' AD info BUT it would only scan computers that had been imported into PDQ Inventory already. Computers that had been added (or deleted) to Active Directory would not get scanned until you added them to PDQ Inventory. That would be a lot of extra work so I would definitely set up the AD Sync. 

  • Ok I turned on ad sync (with delete) but one thing I noticed was that it kept computers that were not in the specified OUs. For example, I have an OU with 48 computers. In pdq it shows 47 after applied filter. One computer that is no longer there wasn't deleted?

    Second issue is in filtering within OU tree. See attached. You can see I have TW parent OU. Underneath it I have COMPUTERS & IT > COMPUTERS. When I tried to get just the computers in TW > computers, my filter was path contains "tw". But that got the computers under IT as well. So I did a filter by DN instead & put contains "ou=computers, ou=tw". That worked.

    I can't get it to filter properly for IT > computers. If I put path contains "IT" I get almost all computers in AD. If I put a DN contains "ou=computers, ou=it" I get 12 computers but I have 15 in the ou?

  • I'm not sure I understand your first issue.  Are you saying that there are computers in PDQ that should not be there or are there computers that should be in PDQ but aren't?

    For the second issue, you can use a "starts with" filter on AD Path.  For example, to get only TW > Computers you would have the filter start with "TW/Computers/"  and for TW > IT > Computers you would use starts with "TW/IT/Computers/".

  • First issue, I'm saying both. It's the 2nd issue as well as there being more computers than there should be. So I guess if I added something manually, it won't delete it even though I have AD sync with delete checked.

    I get an empty collection when I try "starts with".

  • Okay, I see. The current version only deletes computers if they were brought in with a sync. We're going to add an option to override this behavior. For the filter problem, what is the AD path as shown on the computer window? You may have a prefix that needs to be included.
  • ????? There is no prefix. It's what it looks like "tw/it/computers". Exact copy from computer windows:


  • I'll just add to Adam's statement. The current AD Sync will delete computers from the PDQ Inventory DB ONLY if those computers were originally added to the DB via the AD Sync process. Computer objects that were added to Inventory via the Add Computers (CTRL+SHIFT+A) will not be deleted via the AD Sync.

    Adam mentioned that we are going to allow this behavior to happen in a future version. This is true. 

    However, at this time, if you want to have the AD Sync process determine which computers are in your Inventory DB then I would suggest deleting all the current computers (from your All Computers collection highlight all the computers and hit DELETE key) from Inventory and then allowing the AD Sync process to add them to the Database. This way if, in the future, one of those computers gets moved to a non-synced OU or gets deleted from Active Directory then that computer will, at the next sync interval, be deleted from PDQ Inventory.

    In my environment I deleted all the computers from my Inventory. I then set up AD Sync to Sync all computers under the TW OU (which is at the root of my AD domain). I also checked the Include Sub-tree check box to allow all computers UNDER TW to be synced with PDQ Inventory. However, I created an exclusion for any computer under the OU TW/IT. Since Exclusions take precedence over Inclusions all computers under the TW OU were added to my PDQ Inventory EXCEPT for systems under TW/IT. See the screenshots below.





    I verified that any computer object in TW/IT or lower was not added to my PDQ Inventory DB. Any computer in or under TW (except for those under TW/IT) was added to my DB.

    As far as the Path that you mentioned as not having the prefix. The Path as shown in PDQ Inventory will show the path past the root (domain) down to the computer name. Since TW is the first OU after the domain it will show up as the first entry in the Path. For example, the computer Archer is in the OU Computers under TW. TW is at the root of the TEST domain. The AD Path for Archer is TW/Computers/Archer. The path for the computer Ike is TW/Servers. If you want to reference the domain name in your PDQ Inventory Collection filters then you should use the Distinguished Name.

  • So I delete all computers & let AD sync them, it will have to go through scanning them again? Or will their scan still be there? Some are not here (laptops) & some are turned off or stored away. So I will lose their inventory.

    Ok I figured out the issue with the filtering. I guess it would have helped if I actually looked at one of the computers that wasn't showing up instead of one that was. For some odd reason its scan didn't pick up the AD PATH so that section was empty, hence why the filtering wasn't picking it up! Now that I've scanned it again it showed up with the filter. Can't get the other 2 missing computers because they are stored away but I have them in inventory at least.
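
Added example, not part of the thread and not PDQ's own code: a small model of the "contains" and "starts with" path filters discussed above, showing why a substring filter over-matches and how a record with no AD Path drops out of every collection. The inventory rows, the collection names and the case-insensitive matching are assumptions made for illustration.

```python
# Constructed inventory: (computer name, AD Path as shown in the computer window).
# An empty path models a record whose scan did not pick up the AD data.
INVENTORY = [
    ("Archer", "TW/Computers/Archer"),
    ("Kitty", "TW/Computers/Kitty"),
    ("Bishop", "TW/IT/Computers/Bishop"),
    ("Web01", "TW/Servers/Web01"),
    ("Stored1", ""),
]

# Hypothetical collection names mapped to the "starts with" prefixes from the thread.
PREFIXES = {
    "TW > Computers": "TW/Computers/",
    "TW > IT > Computers": "TW/IT/Computers/",
}

def contains(path, text):
    """Case-insensitive substring match (assumed model of a 'contains' filter)."""
    return text.lower() in path.lower()

def starts_with(path, prefix):
    """Case-insensitive prefix match (assumed model of a 'starts with' filter)."""
    return path.lower().startswith(prefix.lower())

def members(inventory, predicate, value):
    """Names of the computers whose path satisfies the filter."""
    return sorted(name for name, path in inventory if predicate(path, value))

def reconcile(inventory, prefixes):
    """Place each computer in its collection and surface the ones no filter can see."""
    report = {label: [] for label in prefixes}
    report["no AD path recorded"] = []
    report["outside all collections"] = []
    for name, path in sorted(inventory):
        if not path.strip():
            report["no AD path recorded"].append(name)
            continue
        hits = [label for label, prefix in prefixes.items() if starts_with(path, prefix)]
        for label in hits or ["outside all collections"]:
            report[label].append(name)
    return report

if __name__ == "__main__":
    print("contains 'IT':", members(INVENTORY, contains, "IT"))
    for label, names in reconcile(INVENTORY, PREFIXES).items():
        print(f"{label}: {names}")
```

The "no AD path recorded" bucket is the one to check when a collection count does not match the OU count.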

  • Until we implement the AD Sync full delete option there is an SQL command you can run in the database to mark the computers as though they were brought in by an AD Sync.  That way you won't have to delete and re-sync them.

    Download the Sqlite command-line tool:

    Open the database with the sqlite3.exe tool.

    sqlite3 "%PROGRAMDATA%\admin arsenal\pdq inventory\database.db"

    Then execute the following SQL.

    update computers set ADSyncDate = current_timestamp;

    With that all of your computers will be available to be deleted by a sync.

  • I don't understand how to run this. Where is the "programdata" directory? Did you mean "program files"?

    I don't see anything ending in a "db" extension in the "pdq inventory" folder under "program files". The closest thing I see is "database.dll" which is just a dll file.

    See attached screenshots.

  • ProgramData is the default application data directory, its location is different for different versions of Windows, and it's normally flagged as hidden.  There should be a %ProgramData% environment variable pointing to it.

  • I can't find this folder in a win 2003 server. I even show system files from being hidden. I also did a search on the entire drive for anything ending in a *.db extension and nothing within an admin arsenal folder showed up. Isn't this folder a vista/2008 folder?

  • Ok I finally found it. I figured you meant the "application data" directory but I was thrown off with "programdata". But I am still getting an error when trying to run the command. See screenshot.

  • Sorry, I forgot that the environment variable doesn't exist in Server 2003 for some reason.

    It looks like you need to pass the database file name as a parameter to the sqlite3 executable, and then execute the SQL:

    C:\> sqlite3 "c:\documents and settings\all users\application data\admin arsenal\pdq inventory\database.db"
    SQLite version 3.7.8 2011-09-19 14:49:19
    Enter ".help" for instructions
    Enter SQL statements terminated with a ";"
    sqlite> update computers set ADSyncDate = current_timestamp;
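
Added example, not part of the thread and not PDQ's own code: the same update run with a backup taken first and limited to rows that have no sync date, so existing sync dates are left alone. Only the computers table and the ADSyncDate column come from the post; the Name column, the sample rows and the idea that manually added computers carry a NULL ADSyncDate are assumptions.

```python
import sqlite3

def build_sample_db():
    """Constructed stand-in for the inventory database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE computers (Name TEXT, ADSyncDate TEXT)")
    conn.executemany(
        "INSERT INTO computers VALUES (?, ?)",
        [
            ("Archer", "2011-10-01 08:00:00"),  # brought in by a sync
            ("Kitty", None),                    # added manually (assumed NULL)
            ("Stored1", None),                  # added manually (assumed NULL)
        ],
    )
    conn.commit()
    return conn

def mark_manual_as_synced(conn, backup_conn):
    """Back up, then stamp only the rows with no sync date; returns rows changed."""
    conn.backup(backup_conn)  # full copy before any change
    pending = conn.execute(
        "SELECT COUNT(*) FROM computers WHERE ADSyncDate IS NULL"
    ).fetchone()[0]
    with conn:  # commits on success, rolls back if an exception is raised
        cur = conn.execute(
            "UPDATE computers SET ADSyncDate = current_timestamp "
            "WHERE ADSyncDate IS NULL"
        )
        if cur.rowcount != pending:
            raise RuntimeError("row count changed between preview and update")
    return pending

if __name__ == "__main__":
    db = build_sample_db()
    backup = sqlite3.connect(":memory:")  # use a file path for a real backup
    print("rows stamped:", mark_manual_as_synced(db, backup))
    print(db.execute("SELECT Name, ADSyncDate FROM computers").fetchall())
```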


  • Ok that did the trick. Thanks. It's been almost a month that I almost forgot what the whole issue was. I guess now my computers will think they were synced from AD instead of added manually. Then when resynced again, computers that aren't in AD will get removed.