
Remove Computer from Assign Policies

Created: 19 Feb 2013 | 18 comments

When we re-image a computer, I need a way to make sure any past policies that are assigned to the computer are removed so it starts as a new machine. I know you could just delete the NS record, however, we want to keep ASSET history with the computer. Is there a way around this?


SaschaH's picture

Depends on how the computer is assigned to the policies. Is it added directly as a target or is it added to a filter which is the target in the policy?

At one customer we have the exclusion ASDK task running in a recursive function, checking all the filters in a folder and subfolders and removing the computer. Just make that part of the re-imaging job.

Bechtle – your strong IT partner. Today and tomorrow

If that seems to help, please "Mark as Solution"

Canuck's picture

SaschaH,

We have machines that get manually placed into filters. Obviously working on a better process and workflow for this, however I was wondering if you had any further info towards this ASDK task. We re-image a lot in our environment unfortunately and I have been trying to figure out a way to remove a machine from all software deployment filters beforehand.

Thanks!

Thomas Baird's picture

All you have to do is remove the local policy file.  Poof, all policies are instantly "unassigned" to the computer.  We actually sort of recommend doing this prior to deployment to ensure that no policies fire as soon as the computer starts, which has happened in the past (e.g. you have a package for MS office designed to start on Tuesday, capture the image Monday, deploy Wednesday, and Office starts as soon as it turns on).  The policy files are under the agent in - client policies.  Pretty easy to find.  Remove the XML files.  When the agent starts, a new one will be generated, but the policies assigned to the old PC will NOT be present.

Thomas Baird
Enthusiast for making things better!

 

Thomas Baird's picture

I misread the post.  My apologies.  That will only partly solve the problem, and it's designed for new computers.  It will sort of do so though.

The best thing to do is to ensure that a delta runs ASAP after the system is imaged, and it'll be placed only into new filters you have created.  Anything "manually" assigned will remain of course.  But as soon as a new system is deployed, and a Delta resource membership is run, all the old policies are "gone" and new ones appear.

The best thing to do is avoid manual assignment to things and use filters.

You may however need to supply an example of what you've run into in the past.  The simple truth is that most likely, even deleting a computer isn't going to resolve the issue, again, unless you've done manual assignment to filters in the past.  Everything is dynamic, right?  So if you assign a computer named X to HR, then HR policies apply, whether newly created, or in existence for 10 years.  Deleting and recreating will drop it right back where it belongs.

So give us a bit of a better example of what you've run into in the past, and we'll discuss if this is possible or not, fair enough?  You "should" be able to keep your asset history.


andykn101's picture

I've just been asked the same question. How can we remove a PC from all statically assigned Filters (e.g. "Visio 2010") without deleting the Asset info so that, when the PC is rebuilt and reassigned, it doesn't get, say, Visio 2010 again?

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

SaschaH's picture

In an Environment we run the following script as part of the installation job. It's a Taskserver script and is based on the ASDK collection management sample.

You can see that it's quite raw and pretty brute force going into every filter and trying to remove the exclusion of the computer given. But I think it would be slower to check if the computer is already included in the filter beforehand.

Obviously this works best if you have all your software filters under a specific folder without including other purpose filters.

Option Explicit

' FolderGUID of where to start searching
Const FILTERFOLDER = "{6d804a8d-9470-4132-a778-80cb5512ed30}"

Dim oCollectionManagement, oItemManagement
Dim itemComputer, allItemNames, NSItemDetails, folders()

' GUID of the computer being re-imaged (Task Server token)
itemComputer = "%COMPUTERGUID%"

Set oCollectionManagement = CreateObject("Altiris.ASDK.NS.CollectionManagement")
Set oItemManagement = CreateObject("Altiris.ASDK.NS.ItemManagement")

oCollectionManagement.TargetServer = "%NSSERVER%"
oCollectionManagement.UserName = "%SYMUSER%"
oCollectionManagement.Password = "%SYMPWD%"
oCollectionManagement.DomainName = "%DOMAINNAME%"
oCollectionManagement.Authenticate()

oItemManagement.TargetServer = "%NSSERVER%"
oItemManagement.UserName = "%SYMUSER%"
oItemManagement.Password = "%SYMPWD%"
oItemManagement.DomainName = "%DOMAINNAME%"
oItemManagement.Authenticate()

' Recursive function going through all folders and filters below FILTERFOLDER
Function recurseCheck(GUID)
  ' Local loop variable so nested calls do not share the enumeration state
  Dim item
  For Each item In oItemManagement.GetItemsInFolder(GUID)
    If item.TypeName = "PresentationFolder" Then
      ' Descend into subfolders
      Call recurseCheck(item.Guid)
    Else
      ' Log the filter name, then drop the computer from its explicit inclusions
      WScript.Echo item.Name
      Call oCollectionManagement.RemoveInclusions(item.Guid, itemComputer)
    End If
  Next
End Function

recurseCheck(FILTERFOLDER)

wscript.sleep 1000
Call oCollectionManagement.UpdateCollections(null)


andykn101's picture

Thanks, I'm off for a few days but will give that a try next week.


Canuck's picture

It would be nice to not have to involve the ASDK when this would seem like a simple job or task. Right now we have resorted to going into the Resource Manager, Policy Summary and selecting all we want to remove and deleting before we re-image.

I will give the ASDK script a try in a test environment and see how this plays out, thanks SaschaH.

Thomas Baird's picture

That's a pretty decent feature request.  I'm going to submit it to Product Management.

Make sure I have this right:  When a computer is reimaged, it would be nice to have a task that will remove said computer from any filter it's currently a part of.  Right?  Just filters, but keep asset information.

Question:  It seems to me that to strip it from ALL filters would be ideal.  All, as in ALL - dynamic AND static.  Then when it is imaged, everything is "forgotten" except what it reports up for basic inventory.  This might include things like Patching filters for instance, and installed agent filters, so that the data is 100% fresh.

Did I miss anything?

Thanks guys!


andykn101's picture

For this to work I think you'd need to strip the Inventory information too, otherwise, if you've got a 30 minute filter update interval, many of the dynamic filters could get repopulated with old inventory data while the PC is being reimaged.

What I have seen done with servers on another asset system is the separation of the hardware and OS. So one Configuration Item is an HP DL380, serial number abc123 and another CI is Windows Server SQLdb1, linked in the CMDB to the hardware CI.


noodleNT's picture

You would need targets too. For instance software portal requests create targets when software is approved.

Thomas Baird's picture

Good point.  I'll add that in.  Glad we have a sharp team out there!

So in short, we'd want to sort of strip a system down to ... almost Initial Deployment stage.  Keep the key identifiers for Asset, name, domain, etc, but pull out all of the rest of the basic and/or advanced inventory data.  hmmm...  That might make things tricky though as the advanced inventory data - like hardware - is part of the asset history.

It is optional though, so maybe you pull inventory and if someone doesn't want that, they work around it?  


Canuck's picture

Awesome, have not checked back with this in a week or so and look at all the support. Thanks Thomas, and everyone else. I will keep checking back to see if there is anything to test out.

Agree with your last post, strip it down to almost initial deployment keeping all asset and basic inventory, asset location and/or owner changes.

Canuck's picture

Just checking back in hopes to see if anything ever came out of this. I am sure we have all been pulled in many directions, and this is something I would really like to find a solution for. I am just now jumping back into this as it has been a crazy summer. 

Thanks!

Canuck's picture

So I thought I found a way to do this with the following method:

1) Right Click and set the computer to 'Retired'

2) Right Click and run the Cleanup Inventory CMDB task.

Result:

Wipes out basic machine info and seems to take the machine out of the Filter Membership, but NOT the actual filter as a resource. See attached file.

Any ideas why the machine is not in the Filter membership when I perform the above tasks, BUT is still a resource in the filter?

Cleanup.jpg
andykn101's picture

Filters usually only show Active resources.


Canuck's picture

Gotcha,

So in this case if the machine were to be re-imaged then redeployed out to the field, it would still be associated with those filters and get the unwanted software. Back to square one.

Any ideas?

Thomas Baird's picture

It'd have to get a new GUID, I'm pretty sure.  Not sure how to do that, AND force a resource merge.  I THINK if it gets a new GUID and then merges you'd get the result you want.  I know for instance that any assigned tasks fail.  I would "think" that any assigned policies would fail as well because they're all based on GUID.

SOOOO, if you could force a system to get a new GUID, and then merge with the old resource later, I THINK it would drop out of all those policies.

The real trick is ... how do we do that???
