This could be a very expensive SQL query to pull all devices NOT a member of an AD group. I would hate to support a query that could slow down your application, but I can see where it is achievable. You will just need to make sure you sync your AD group often enough to capture new exclusions.
See if this solves:
You can add two queries to populate a device group. One that adds and one that takes away. This should work...
I don't think Steve Gibbs' way will work as you may want to have it. The "Directory Server Entry DN" will only contain the information about the OU where the device is located.
I would try to create a new Active Directory group (BCM_Exclude_PM) and import this group by dynamic population. At this point we have a dynamic group with all devices where PM should not install any patch.
The next step is to create a query which will select all devices which are not a "Direct Group Member" of this specific group.
Once this is done, you need to modify your dynamic group for patch installations by adding the query (which you have created before - not direct group member) as a second query. Or just adjust your original query.
This doesn't work either. Like anything else BCM.
I tested this right now and it works.
1. Create a device group and connect it to your device group from the AD which contains all devices which should not be patched.
2. Create a new query which selects all devices which are "Direct Group Member" of this device group and activate "Reverse Query Result" (not Reverse Criterion Result).
With this query you'll find all devices which are not a member of this specific device group.
You could add this query to any dynamic based device group as a second query and connect it with the operator "AND".
Did this today in 12.8 and it DID NOT work.
I have an exclusion group, and want to filter out any devices in an AD group called "PMO". We are also wanting to filter down to parent relay.
My query contains:
1. parent = relay1
2. device is direct group member of "PMO" (reversed)
The PMO group has 77 clients on this parent one. When step 2 is NOT reversed, it shows the 77 members of the PMO group.
When 2 is reversed, it shows all 2716 clients connected to relay 1.
If I remove 2, it shows all 2716 clients.
Looking for the 2639 clients NOT in the PMO group and have relay1 as parent.
The PMO BCM group is synced to an AD group and is updated every day in the overnight hours.
What's going on?