During a recent client engagement, we needed to create groups based upon Organizational Unit (OU). We found that our Windows 2008 servers were identified correctly as members of the group but the Windows 2003 servers in the same OU were not showing up as members of the group. Digging on the web we found that there is an issue with Windows 2003 servers and OU membership: http://www.systemcentercentral.com/Forums/tabid/60/indexId/93243/Default.aspx?tag=#vindex93255. To address this issue the hotfix identified was applied to the first test system identified with this issue. How can we quickly identify what Windows 2003 servers are monitored by OpsMgr 2012? We created a group in OpsMgr with criteria that that identified that the Organizational Unit field did not have a ,. In LDAP a , will be part of the string so the results for this group are all servers that do not have their organizational unit filled in. The dynamic group membership is shown below.
To remove the agentless managed systems which appear (because they do not have an organizational united defined), we add a second criteria based on the Active Directory SID being blank (Active Directory SID Matches regular expression . taken from http://blogs.catapultsystems.com/cfuller/archive/2008/12/19/create-a-computer-group-for-systems-without-an-ad-site-in-opsmgr.aspx) as shown below.
The criteria defined in the query builder is shown below.
Summary: Looking for what servers are not properly identifying their OU in OpsMgr? Create a group where the Organizational Unit does not contain a comma and the Active Directory SID matches regular expression “.” This group membership can then be targeted for hotfix deployment.