5 Replies Latest reply on Feb 4, 2019 3:15 PM by Michael Wong

    Is there a way to exclude based on dynamic device groups?


      So I'm testing out an idea. The idea is to use dynamic groups to load my devices into groups. When someone wants to exclude a server from the dynamic group they can add their servers into an exclusion security group in AD. It will exclude that server from patching.

       

      - I've created an exclusion security group in AD
      - I used the security group to sync with a BMC CM device group. I named the group Exclusion List; it uses directory dynamic population.

      - I created another dynamic group called test 002. I put all devices with dev-mspapp host name in that group

      - I want it to exclude devices from that group test 002 based on the exclusion list device group

       

      So when a person adds a server to the exclusion list it will remove it from the dynamic group.

       

      Thoughts on how to do that? I'm sure it's possible but what I'm doing isn't working.

        • 1. Re: Is there a way to exclude based on dynamic device groups?
          Steve Gibbs

          This could be a very expensive SQL query to pull all devices NOT a member of an AD group. I would hate to support a query that could slow down your application but I can see where it is achievable. You will just need to make sure you sync your AD group often enough to capture new exclusions.

           

          See if this solves:

          You can add two queries to populate a device group. One that adds and one that takes away. This should work...

           

          Steve

          • 2. Re: Is there a way to exclude based on dynamic device groups?
            Dominik Kress

            Hi Jeff,

             

            I don't think Steve Gibbs' way will work as you may want to have it. The "Directory Server Entry DN" will only contain the information about the OU where the device is located.

             

            I would try to create a new active directory group (BCM_Exclude_PM) and import this group by dynamic population. At this point we have a dynamic group with all devices where PM should not install any patch.

             

            Next step is to create a query which will select all devices which are not a "Direct Group Member" of this specific group.

             

            This done, you need to modify your dynamic group for patch installations by adding the query (which you have created before - not direct group member) as second query. Or just adjust your original query.

             

            Regards,

            Dominik

            • 3. Re: Is there a way to exclude based on dynamic device groups?

              This doesn't work either. Like anything else BCM.

              • 4. Re: Is there a way to exclude based on dynamic device groups?
                Dominik Kress

                Hi Jeff,

                 

                I tested this right now and it works.

                 

                1. Create a device group and connect it to your device group from the AD which contains all devices which should not be patched

                2. Create a new query which selects all devices which are "Direct Group Member" of this device group and activate "Reverse Query Result" (not Reverse Criterion Result).


                 

                With this query you'll find all devices which are not members of this specific device group.

                 

                You could add this query to any dynamic based device group as second query and connect it with the operator "AND".


                 

                Regards,

                Dominik

                • 5. Re: Is there a way to exclude based on dynamic device groups?
                  Michael Wong

                  FYI -

                   

                   

                  Did this today in 12.8 and it DID NOT work.

                   

                   

                  I have an exclusion group, and want to filter out any devices in an AD group called "PMO". We are also wanting to filter down to parent relay.

                   

                  My query contains

                   

                  1. parent = relay1

                  2. device is direct group member of "PMO" (reversed)

                   

                  The PMO group has 77 clients on this parent one. When step 2 is NOT reversed, it shows the 77 members of the PMO group.

                   

                  When 2 is reversed, it shows all 2716 clients connected to relay 1.

                   

                  If I remove 2 it shows all 2716 clients.

                   

                  Looking for the 2639 clients NOT in the PMO group and have relay1 as parent.

                   

                  The PMO BCM group is synced to an AD group and is updated every day in the overnight hours.

                   

                   

                  What's going on?