Purpose
This document shows how to use features within Shavlik Protect Machine Groups to dynamically manage systems found within Active Directory or a Domain.
Description
Within Protect, it is possible to dynamically perform scans and deployments on machines managed via Active Directory or within a domain. To set up a Machine Group that can be used for this, follow the steps below:
Adding an Active Directory OU to a group
1) Create a new machine group by going to the 'New' Menu > Machine Group...
2) Name the group and click the 'Organization Unit' tab. Type in the specific OU name if you know it; the easier method is generally to click 'Browse Active Directory'.
3) Expand the containers as necessary, then check the box next to 'Computers' for any domain computers you want to be included in your scans. If you want only machines in the root of the OUs to be scanned, clear the "Include child OUs" checkbox in the bottom left-hand corner of the "Select Organizational Units or Machines" screen.
4) Click 'Add checked items'.
5) You will see the OU listed in the machine group.
Set credentials that will have admin access to all the machines.
To do this, right click on the OU listed, then choose Set Credentials > Set admin credentials.
6) Choose the proper credential to use, then click 'Assign'.
7) You should now see the OU listed with Admin Credentials set. Click 'Save' to save your machine group.
8) Try running a scan on the group to test. As you can see in the example below, it should automatically pick up any machines that are part of the OU selected.
This function is dynamic when you check the box to include all computers of a domain. If you later add or remove machines from the OU in Active Directory, the machine group automatically picks up the change the next time it is used to run a scan in Protect.
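Because the admin credentials set on the OU apply to every machine the group resolves to, it helps to preview that scope before the first scan. The following PowerShell is an added example, not part of Shavlik Protect or of the original article: it lists the computer accounts under one or more OUs, with the search scope standing in for the "Include child OUs" checkbox. The function name, the 90-day stale threshold, the disabled/stale notes and the OU distinguished name are assumptions made for illustration, and the result approximates what Protect discovers rather than reproducing it.

```powershell
# Added example, not part of Shavlik Protect. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-OUScanScopePreview {
    [CmdletBinding()]
    param(
        # Distinguished names of the OUs added to the machine group.
        [Parameter(Mandatory)] [string[]] $OrganizationalUnit,
        # Stands in for the "Include child OUs" checkbox (checked = whole subtree).
        [bool] $IncludeChildOUs = $true,
        # Assumption: no logon for this many days means the machine is probably offline.
        [int] $StaleDays = 90
    )

    $scope  = if ($IncludeChildOUs) { 'Subtree' } else { 'OneLevel' }
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $seen   = @{}   # ObjectGUID -> $true, so overlapping OUs list a machine only once

    foreach ($ou in $OrganizationalUnit) {
        $computers = Get-ADComputer -Filter * -SearchBase $ou -SearchScope $scope -Properties OperatingSystem, LastLogonDate
        foreach ($c in $computers) {
            $id = $c.ObjectGUID.ToString()
            if ($seen.ContainsKey($id)) { continue }
            $seen[$id] = $true

            # Heuristic only: accounts that may come back as "not scanned".
            $note = ''
            if (-not $c.Enabled) {
                $note = 'account disabled'
            } elseif (-not $c.LastLogonDate) {
                $note = 'no logon recorded'
            } elseif ($c.LastLogonDate -lt $cutoff) {
                $note = "no logon in over $StaleDays days"
            }

            [pscustomobject]@{
                Name            = $c.Name
                DNSHostName     = $c.DNSHostName
                OperatingSystem = $c.OperatingSystem
                LastLogonDate   = $c.LastLogonDate
                Note            = $note
                SourceOU        = $ou
            }
        }
    }
}

# Constructed placeholder DN; replace with the OU selected in 'Browse Active Directory'.
Get-OUScanScopePreview -OrganizationalUnit 'OU=Workstations,DC=example,DC=com' -IncludeChildOUs $false |
    Sort-Object Name | Format-Table -AutoSize
```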
Adding an entire Domain to the machine group
1) In the machine group, go to the 'Domain Name' tab.
2) Type in the domain name, then click 'Add'.
3) Be sure to set admin credentials.
This feature works dynamically as well. Whenever you use a machine group with a domain specified, the scan will only discover machines currently part of the domain records.
Additional Information
1) If you set up a group as shown in the example above (containing a domain name and an OU that would contain the same machines), Protect will be able to determine that the same machine is being discovered/scanned twice and will only display one scan result for the machine.
2) You can add multiple domains and Active Directory OUs within a single machine group.
3) When first setting this up, it's likely you will run into some scanning errors (machines not scanned). Generally these happen due to some configuration or environmental problem. Refer to this document on how to fix such scan errors: Troubleshooting Shavlik Protect patch scan error messages
Affected Product(s)
Shavlik Protect, All Versions