SCOM 2012 Planning – Dynamic Computer Group membership – AD Groups

  • #94141
    ComputerBob
    Participant

    This other post is about 2 years old and was for SCOM 2007.  I’m wondering if 2012 has had any improvements to have anything new included in it that would allow a native function so that a scripted option wouldn’t be necessary.

    http://www.systemcentercentral.com/forums/tabid/60/categoryid/4/indexid/63569/default.aspx

    We have servers that are owned by several teams and we already have security groups in AD that determine who is allowed to access them.  It’d be really easy for me to utilize those groups to then show those servers to those teams in the SCOM console.  I’d rather not have to write a custom coded solution if one’s available in the product (I haven’t installed it yet, I’m still in the planning stages).

    I can’t simply say “XYZ team can see all of the SQL servers” either.  That’d be WAY too easy.

    #94142
    Andreas Zuckerhut
    Participant

    The main issue is that SCOM doesn’t see servers as… servers. It’s just another object of some class, therefore it doesn’t associate an AD Account with the corresponding Windows Computer object in SCOM. Therefore you won’t see an option in the Group Populator that says “this group from AD”… ever

    At least the way I understand it. You might want to drop a feedback on connect regarding this issue though: https://connect.microsoft.com/sc

    #94143
    ComputerBob
    Participant

    Thanks for the quick reply. I’ve submitted feedback on the connect page as you suggested. I guess I’ll have to test out running various scripts to get this done. In 2007, I was having the teams populate a registry key and basing SCOM group membership on those keys, but every team has complained about this process. Since the AD groups are already there, and already part of our provisioning process, I was hoping to be able to capitalize on them.

    I could probably get away with doing the “based on OU” group membership for quite a few of the groups, but we’ll have several hundred servers that’ll need to belong to multiple teams and obviously can’t be in 2 OUs in AD.

    #94149
    Andreas Zuckerhut
    Participant

    I’ve never checked out that text file approach but I personally would just drop the standard Group Populator module and create a custom discovery. “All you need to do” to populate groups is discovering relationships. Basically a rule that runs on the RMS:

    – Take an AD Group’s CN as a script parameter

    – Get Computer Objects inside the Group

    – Get matching SCOM Windows Computer Object

    – Discover Relationship (usually InstanceGroupContainsInstances)

    Check out Brian’s guide on discovering Relationships http://blogs.technet.com/b/mpauthor/archive/2010/09/23/taking-the-mystery-out-of-discoveries.aspx
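
The four steps listed in the post above, sketched as a PowerShell discovery script. This is an added example, not part of the original post and not code from any poster or from the management pack linked later in the thread. It assumes SCOM 2012 (management server with the OperationsManager module), management pack reference aliases `Windows` and `SCIG`, a hypothetical group class `Example.ADGroup.ServerGroup`, and the Instance Group Library relationship `Microsoft.SystemCenter.InstanceGroupContainsEntities`; it also follows nested AD groups, which goes beyond the single group described in the post.

```powershell
# Added example: body of a PowerShell discovery script inside a management pack.
# $MPElement[...]$ tokens are substituted by SCOM before the script runs.
# Assumptions: SCOM 2012 OperationsManager module; MP reference aliases 'Windows'
# and 'SCIG'; hypothetical group class 'Example.ADGroup.ServerGroup' in the same MP.
param($SourceId, $ManagedEntityId, [string]$GroupCN)
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so characters such as ( ) * \ cannot change the filter.
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($c) -ge 0 -or [int]$c -eq 0) { [void]$sb.AppendFormat('\{0:x2}', [int]$c) }
        else { [void]$sb.Append($c) }
    }
    $sb.ToString()
}

# 1. Resolve the CN to one group. A CN is not unique across a domain, so an
#    ambiguous match stops the run instead of scoping the wrong servers.
$found = @(([adsisearcher]"(&(objectCategory=group)(cn=$(ConvertTo-LdapFilterValue $GroupCN)))").FindAll())
if ($found.Count -ne 1) { throw "CN '$GroupCN' matched $($found.Count) groups" }
$groupDn = ConvertTo-LdapFilterValue ([string]$found[0].Properties['distinguishedname'][0])

# 2. Computer accounts in the group; the matching-rule OID also follows nested groups.
$searcher = [adsisearcher]"(&(objectCategory=computer)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('dnshostname')
$adHosts = @($searcher.FindAll() | ForEach-Object { $_.Properties['dnshostname'] } | Where-Object { $_ })

# 3. Windows Computer objects SCOM already knows (hashtable keys are case-insensitive).
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName localhost
$known = @{}
Get-SCOMClass -Name 'Microsoft.Windows.Computer' | Get-SCOMClassInstance | ForEach-Object {
    $known[[string]$_.'[Microsoft.Windows.Computer].PrincipalName'.Value] = $true
}

# 4. Emit the group plus one containment relationship per matched computer.
$api   = New-Object -ComObject 'MOM.ScriptAPI'
$dd    = $api.CreateDiscoveryData(0, $SourceId, $ManagedEntityId)
$group = $dd.CreateClassInstance("$MPElement[Name='Example.ADGroup.ServerGroup']$")
$dd.AddInstance($group)
foreach ($name in $adHosts) {
    if (-not $known.ContainsKey($name)) { continue }  # in the AD group, not monitored
    $comp = $dd.CreateClassInstance("$MPElement[Name='Windows!Microsoft.Windows.Computer']$")
    $comp.AddProperty("$MPElement[Name='Windows!Microsoft.Windows.Computer']/PrincipalName$", $name)
    $rel = $dd.CreateRelationshipInstance("$MPElement[Name='SCIG!Microsoft.SystemCenter.InstanceGroupContainsEntities']$")
    $rel.Source = $group; $rel.Target = $comp
    $dd.AddInstance($rel)
}
$dd
```

Because console scoping then follows AD group membership, write access to the AD group (and to any group nested in it) also decides who can see those servers in SCOM.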

    #94178
    ComputerBob
    Participant

    Got a notice today that the good folks at Microsoft changed the status of my suggestion without any comments or feedback.

    “Field “Resolution” changed from “Not Set” to “Won’t Fix”.”

    I have no idea why such an obviously useful and easily implementable function is so quickly dismissed, but it is quite frustrating. I can use these groups in SCCM, but the SCOM team assumes I’d have no use for them.

    Edit: Adding link to feedback on connect site as per Pete’s request.
    https://connect.microsoft.com/SC/feedback/details/749909/scom-computer-groups-based-on-ad-groups

    #94179
    Andreas Zuckerhut
    Participant

    Yea they closed 3 of my items without any comment too. Gotta forward that to Microsoft, it’s kinda disrespectful to just close the item.

    #94181
    Wilson W.
    Participant

    I am facing the exact same challenge with my servers. I have servers that belong to multiple groups and subgroups. I’ve settled on using registry keys for alert subscription targeting as well. I had insertion of the reg-key included as part of our provisioning process. The nice thing about this is that this solution leaves the burden of implementing the reg-key on *them*. Therefore, if they aren’t receiving alerts for a particular system it is not my fault. They have to remember to follow their own processes.

    #94182
    ComputerBob
    Participant

    Yeah, I’ve been doing it that way for 2 years now. Every team has a different reason why they hate the registry key thing. I’ve even written scripts for them that would do it for them and offered to help them incorporate those lines into existing provisioning processes, but I still get emails like, “Hey, we’ve had this server in production for 3 weeks now and it went down last night and never got a notice until 20 users called us to let us know…we hate SCOM!”

    I’ve spent the last 2 days bouncing around from team to team here trying to find a good solution and I think I may have found one. Each team that owns a server has their security group added to the local admins group of the server (or they wouldn’t be able to even log into it to install their product). If I do a WMI discovery, I can populate classes of computers based on who is allowed to administer them. I’m still testing this option, but if it works I’ll post here to let you all know.

    #94183
    Pete Zerger
    Keymaster

    Forwarding this to my community lead now. I totally appreciate your frustration in lack of dialogue (and it has happened to me too!). I know there are many dedicated people on the product teams eager for dialogue with knowledgeable customers like yourselves. Will see if I can drive any progress here. Would be good to have links to your bug reports in this thread if you can find them.

    #94196
    Andreas Zuckerhut
    Participant

    Got a reply from Microsoft, they actually have a policy in place that demands a comment prior to closing an item, somehow it just wasn’t executed. Let’s see what we get in the future.

    #94199
    Pete Zerger
    Keymaster

    I had a quick e-mail chat with the owners in that area right after my post yesterday and they were VERY responsive and taking steps to make sure this doesn’t happen again.

    #94202
    ComputerBob
    Participant

    So, do I need to post again to get an understanding of why they aren’t going to incorporate this function into SCOM? It seems like a very simple function to implement and it’s already used in other System Center tools, so it’s an opportunity to make the user experience a little more uniform across the suite.

    #214660
    Bobgreen
    Participant

    Hi, I just wrote my 3rd public management pack last week. I did it for Operations Manager 2007 R2 and have not tested it for OpsMgr 2012. This management pack uses PowerShell and Operations Manager 2007 R2 cmdlets; I don’t know how it will work with 2012.
    http://www.systemcentercentral.com/pack-catalog/group-populator-active-directory-management-pack/

    #214667
    Anonymous

    Just tried your MP Bob and it is VERY cool!

    #215423
    Bobgreen
    Participant

    MP was updated, now it works on both OpsMgr servers – 2007 R2 & 2012!
