Raphael Burri's blog

Mostly about Systemcenter Operations Manager 2012

AD Integration based on OU membership

Posted by rburri on October, 27 2008

Introduction

Integrating Operations Manager 2007 with Active Directory can significantly reduce administration effort. Agents rolled out through software delivery, or even baked into the OS image, read their configuration (management group membership, primary and fail-over management server) from AD. The rules are maintained with the ‘Configure Active Directory (AD) Integration’ wizard in the Administration workspace of OpsMgr. It groups agent computers by the values of attributes on their computer accounts. Supported attributes include:

  • name
  • description (in AD)
  • location (in AD)
  • operatingSystem
  • memberOf (Security Group Membership)

Assigning configuration to agents based on their computer accounts’ OU (Organizational Unit) membership is not directly possible.

Enable OU-based rules (two options)

Extra steps are required to group the computer accounts by OU. One approach has been described by Pete Zerger and Anders Bengtsson in the Active Directory Integration Walkthrough on SystemCenterForum. The paper explains how to create a Security Group for each Organizational Unit that an integration rule should cover.

While this works very well, I did not like the idea of having to create extra security groups just to enable OU-based rules. The reason OU grouping does not work out of the box is that the LDAP provider does not accept wildcards on the ‘distinguishedName’ attribute, which is the attribute that carries the OU location of the computer account. So I decided to simply copy that information into an otherwise unused attribute. Good candidates are ‘comment’ or ‘info’: their syntax is Unicode string, so the LDAP provider does accept wildcards on them.

To make this happen automatically I wrote a script and packaged it in a management pack. The rule is targeted at domain controllers, so any newly added or moved computer automatically ends up in the correct management group. A sample LDAP query string now looks like this:

(&(sAMAccountType=805306369)(!(primaryGroupID=516))(info=*,OU=SubUnit,OU=OrgUnit,DC=Domain,DC=info))

The first two terms select computer accounts (sAMAccountType 805306369) and exclude domain controllers (primaryGroupID 516); the third matches any account whose ‘info’ value ends with the OU path, which covers that OU and every OU nested beneath it.

Management Pack Sample

The sample management pack can be downloaded here:

Custom.AD.Integration.OUExtension.xml MP V 1.0.0.0 (rename after downloading – it is a zip file)

I do not recommend using this MP in your production environment. Instead review its content, test it and reuse the bits you find usable in your own MP.

The sample contains the rule “Custom.Write.ComputerDN.to.Attribute.Rule”, which calls the script “Custom.Write.ComputerDN.to.Attribute.vbs”. Note that the target attribute can easily be changed from ‘info’ to whatever you prefer. Using ADSIEdit.msc you can check whether the rule is working as expected.
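The same procedure as an added PowerShell example (not the VBScript from the management pack above): copy every computer account's distinguishedName into ‘info’, then run the wildcard LDAP filter the integration rule would use to confirm the match. It assumes the RSAT ActiveDirectory module, an account with write access to ‘info’ on the computer objects, and the OU path ‘OU=SubUnit,OU=OrgUnit’ from the query above as a placeholder.

```powershell
# Added example, not the blog's script. Assumes the ActiveDirectory module
# (RSAT) and an account that may write the chosen attribute on computer objects.
Import-Module ActiveDirectory

$Attribute  = 'info'                                 # any writable Unicode-string attribute works ('comment' too)
$SearchBase = (Get-ADDomain).DistinguishedName       # assumption: process the whole current domain
$TargetOU   = "OU=SubUnit,OU=OrgUnit,$SearchBase"    # assumption: the OU an integration rule should cover

# Computer accounts (sAMAccountType 805306369) excluding domain controllers
# (primaryGroupID 516), the same base filter the blog's query uses.
$baseFilter = '(&(sAMAccountType=805306369)(!(primaryGroupID=516)))'

$updated = 0
foreach ($c in Get-ADComputer -LDAPFilter $baseFilter -SearchBase $SearchBase -Properties $Attribute) {
    # Write only when the stored value is stale (new or moved computer), so a
    # scheduled run on a DC does not generate a directory change for every object.
    if ($c.$Attribute -ne $c.DistinguishedName) {
        Set-ADComputer -Identity $c.DistinguishedName -Replace @{ $Attribute = $c.DistinguishedName }
        $updated++
    }
}
Write-Host "Updated $updated computer account(s)."

# Verification: the filter an OU-based integration rule would use. The leading
# wildcard anchors on the end of the DN, so it matches the OU and all OUs below it.
$ruleFilter = "(&(sAMAccountType=805306369)(!(primaryGroupID=516))($Attribute=*,$TargetOU))"
Get-ADObject -LDAPFilter $ruleFilter -SearchBase $SearchBase -Properties $Attribute |
    Select-Object Name, $Attribute
```

Whichever attribute you pick, its value is what the integration rule trusts when it decides which management group and servers an agent is assigned to, so limit write access to that attribute on computer objects to the account that runs the copy rule, just as you would protect membership of the security groups in the walkthrough approach.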

One Response to “AD Integration based on OU membership”

  1. […] of Raphael Burri – https://rburri.wordpress.com/2008/10/27/ad-integration-based-on-ou-membership/ Published Wednesday, December 03, 2008 4:59 PM by walterch Filed under: […]
