Most organizations have Active Directory groups set up that identify users by department or another logical grouping. However, collections in Altiris are typically based on computers. Bridging this gap can be accomplished using the Active Directory Connector from Altiris.
This is especially useful when you have a new application to deploy to a large set of users spread across distributed locations. Typically the easiest way to get your target collection created has been to force the users to send in their computer names, or to use the ASDK to gather this information based on usernames. However, in most of these instances a group has already been created in Active Directory to target communications or shares for these users. Using this method allows you to leverage that existing infrastructure.
While the Active Directory Connector is typically used to create collections based on the OU structure in Active Directory, you can also create collections that change dynamically based upon group membership in AD.
The Active Directory Connector uses LDAP to sync your Active Directory with the Altiris Notification Server. During this process the imported computers are matched with known clients in the Notification Server database using the computer name and domain. The Users to Machines collections are then created based on the primary user of each computer as recorded by Altiris. While this isn't perfect, it should target all the computers where the specified users are the primary users. Understanding this is the key to making sure the collections get the computers you want.
Microsoft Active Directory Import
This article assumes you already have the Active Directory Connector installed. First we need to find where we can create the Active Directory Import Rules; this is hidden in the Configuration section. Using the Altiris 6.5 console, click View from the menu bar and then select Configuration. From there expand Configuration -> Server Settings -> Notification Server Infrastructure and then select "Microsoft Active Directory Import". From here we can create all the import rules that we need, and it also displays any rules you already have.
Creating your Active Directory Import Rule
Next we need to create a Resource Import Rule. Click the + icon on the displayed screen to create a blank rule. This allows you to select the resource type, data source, column mappings and schedules.
We will begin by clicking on the "specified resource type" hyperlink. This displays the Resource Selection window, which allows you to select your domain type, resource type, source and domain. Choose your domain type; hopefully it is Windows 2000/2003 and not NT. The Resource Type is User and the Source will be a security or distribution group. Ensure that "Create security group collections" and "Match computers with primary users" are both checked. Click OK.
Next we need to select the group from our domain. We do this by clicking the (none) hyperlink, which brings up the "Select Security Groups" window. From here we can search for our group in Active Directory based upon the domain that we just entered. You can use either the "starts with" or the "contains" search. Both have a limit on the number of items they will return; beyond that they list a few results and then give you a "(Too many results. Refine your search.)" error message. Once you find your group or groups, select them and click Add. This moves them to the selected groups list box, and then you can click OK.
The "Default column mappings" should be fine for most environments, but may need to be adjusted depending on how much you have customized your AD schema and your Altiris environment. It should be rare that you change these settings, although they let you change everything from pager numbers to titles. The most important mappings are UserId and Domain.
Next we click on the "these resource associations" hyperlink. This displays the "Enable Resource Associations" window. We need to ensure that the "Create one or more 'User' resources for the imported 'User' based on its 'directReports' attribute in Active Directory" and "Create a 'User' resource for the imported 'User' based on its 'manager' attribute in Active Directory" options are checked. This pulls some basic user info in from your AD. While not technically needed for this, it does make troubleshooting easier, and the imported user data is used to populate the contact information in the Helpdesk and other Altiris products. It also creates the mapped collections, listed as Users to Machines.
The "specified schedule" is the next hyperlink we want to adjust. Clicking on it opens the "Rule Scheduling" window, where we can set up both the full import and the update schedule. The default Full Import schedule, which is a very intensive import, is monthly. You might want to set this to a longer interval depending on how much of a load this import puts on your Notification Server. The Update Schedule is a delta update and its default is weekly, although you might want to adjust this depending on your needs. Once you have the schedule you like best selected, click OK.
Once you have everything set up, check the Enabled checkbox and click Apply. You will likely want this to run right away; you can do this by selecting the rule and clicking the "Run the selected import rule now (Full Import)" icon.
So now you have your import rule set up and it is ready to run, but where are these great new collections? You can find them in the Resources section. Using the Altiris 6.5 console, click View from the menu bar and then select Resources. From there expand Resource Management -> Collections -> Directory Collections -> yourdomain.com -> Security Groups - Users to Machine and then select the name of the group you specified in the earlier steps. You may notice that this collection cannot be modified.
Setting up filters for your Active Directory Import Rule Collection
Since this collection cannot be directly modified, you will likely want to set up a filter to limit the machines in this collection. It may be that you do not want servers included, or test machines, or any other subset. To filter, create your own collection wherever you prefer to keep them. I typically name this the same as the directory collection and add Filtered (XP Computers, or the name of the filter). In your collection's Inclusions select the directory collection you created earlier. For your Exclusions select the collections you have already created that you want to use as exclusions, such as Vista or servers.
You could also use another directory collection as an exclusion to remove a set of users from the master collection. For instance, you might include the directory collection called HR that has all HR users, but then add another directory collection called "HR Compensation" as an exclusion to remove that specific set of HR users from your master collection. Now you have your dynamic group created.
Info on choosing Domain or Server to import from
When specifying a domain you have the option of specifying a specific Active Directory server or the domain itself. By entering your Active Directory domain you allow for redundancy if a specific server in the domain is down. However, when you specify the domain instead of a server, you probably will not connect to the same domain controller every time. When the Update Import Rule runs for the delta update and the domain controller returned is different from the one used the last time it ran, it has to force a complete update because it cannot tell what resources have changed since then. In short, specify the domain for redundancy and a server for speed.
Viewing the Database tables on imported data
It is likely that you will need to write some reports based on the imported data. If so, the tables that you will want to look at are:
- DirectoryItemImportDetails
- DirectoryItemMap
- Evt_Directory_Import_Status
- Evt_Directory_Resource_Import
- Inv_Import_Rule_Imported_Items
- Inv_Global_Active_Directory_Details
- Inv_OU_Membership
- Inv_Global_Network_Printer_Details
- Inv_Distribution_Groups
- Inv_Security_Groups
- Inv_Windows_User_Groups
Among those tables you should be able to find all the info you need.
Wrap-up
Using this information you should be able to create collections based on groups in Active Directory. This will make it easier to target specific groups for new software rollouts and targeted application metering events. Once it is set up you will want to monitor the performance of your Notification Server while the AD imports run, because depending on your selections and the size of your environment they can put a significant load on your Notification Server. It is also good practice to check your event logs to verify that imports are successful, and to do a spot check to make sure your groups look correct and that you have selected the correct settings.