Active Directory Security Group Discovery in Systems Management Server 2003 Service Pack 2 (923114)



The information in this article applies to:

  • Microsoft Systems Management Server 2003 SP2

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

INTRODUCTION

This article discusses Active Directory Security Group Discovery in Microsoft Systems Management Server (SMS) 2003 Service Pack 2 (SP2). Active Directory Security Group Discovery lets enterprises discover the security groups that exist in Active Directory and target those groups for software distribution. SMS 2003 SP2 can discover domain local, global, and universal security groups in the Active Directory directory service.

MORE INFORMATION

Configuration

Active Directory Security Group Discovery is configured in the same way as the other Active Directory discovery methods: you enable the method, set its polling schedule, and specify the Active Directory containers that it searches.

Discovery data records (DDRs)

When Active Directory Security Group Discovery runs, a DDR is created for each group that is discovered. The DDRs are written to the SMS\Inboxes\Auth\Ddm.box folder on the site server, and their file names start with "asg".

DDRs contain the following properties.

Property name                               Description
Unique usergroup name                       Group name in domain\name format
Usergroup name                              Group name
Active Directory organizational unit (OU)   Array of the OUs in which the group is located; if the OU is nested, the parent OUs are listed as well
Microsoft Windows NT domain                 Domain name (NetBIOS form)
Active Directory domain                     Fully qualified domain name
Security identifier (SID)                   SID of the group

Database entries

Security groups that are discovered are stored in the User_Group_DISC table in the SMS site database. The OUs that contain the security groups are stored in the User_Group_Active_Directory_Or table. Each OU row is linked to its group in the User_Group_DISC table by the ItemKey value, which is the resource ID of the discovered group.

Collections

A new collection that is named "All Active Directory Security Groups" is added. Its membership rule is the following WQL query against the SMS provider (collection queries are WQL, not Transact-SQL, although the syntax looks similar). The query lists all groups that were discovered by Active Directory Security Group Discovery.
select * from sms_r_usergroup where Agent_Name = 'SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT'

Site Control file

Active Directory Security Group Discovery Agent settings are stored in the "SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT" section of the Site Control file.

Windows Management Instrumentation (WMI)

The following properties are added to the SMS_R_UserGroup class in the SMS WMI provider:
  • ActiveDirectoryDomain
  • ActiveDirectoryOrganizationalUnit
These properties let administrators create collections of security groups that are based on the domain or on the OU in which the group is located. For example, the following WQL query returns the security groups in a given domain.
select * from SMS_R_UserGroup where ActiveDirectoryDomain = "domain.com"
The following WQL query returns the security groups in a given OU. The OU is given as a domain-qualified path, as in the example.
select * from SMS_R_UserGroup where ActiveDirectoryOrganizationalUnit = "DOMAIN.COM/SALES OU"
Replace domain.com and DOMAIN.COM/SALES OU with your own domain and OU names.
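The following PowerShell script is an added example and is not part of KB 923114. It runs the "All Active Directory Security Groups" membership rule and the two scoped WQL queries above against the SMS provider and summarizes the results. It assumes that the provider is reachable on the computer named in -SiteServer, that the site namespace is root\sms\site_<SiteCode> (found through the SMS_ProviderLocation class under root\sms), and that the SMS_R_UserGroup class exposes properties named UniqueUsergroupName and SID; those two property names, and the domain and OU values, are assumptions to adjust for your environment.

```powershell
# Added example, not from KB 923114. Queries discovered security groups through the
# SMS WMI provider. Assumptions: the provider is reachable on $SiteServer, the site
# namespace is root\sms\site_<SiteCode> (found via SMS_ProviderLocation), and
# SMS_R_UserGroup exposes UniqueUsergroupName and SID (assumed property names).
param(
    [string]$SiteServer = $env:COMPUTERNAME,
    [string]$Domain     = 'domain.com',          # placeholder: your AD DNS domain name
    [string]$OuPath     = 'DOMAIN.COM/SALES OU'  # placeholder: OU in the form the KB shows
)

# Locate the provider for the local site and build the site namespace from its site code.
$provider = Get-WmiObject -ComputerName $SiteServer -Namespace 'root\sms' -Class SMS_ProviderLocation |
            Where-Object { $_.ProviderForLocalSite } | Select-Object -First 1
if (-not $provider) { throw "No SMS provider found under root\sms on $SiteServer" }
$namespace = "root\sms\site_$($provider.SiteCode)"

# Same membership rule as the "All Active Directory Security Groups" collection.
$all = Get-WmiObject -ComputerName $SiteServer -Namespace $namespace `
    -Query "select * from SMS_R_UserGroup where Agent_Name = 'SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT'"

# The two scoped queries from the WMI section, with the literal values parameterised.
$byDomain = Get-WmiObject -ComputerName $SiteServer -Namespace $namespace `
    -Query "select * from SMS_R_UserGroup where ActiveDirectoryDomain = '$Domain'"
$byOu = Get-WmiObject -ComputerName $SiteServer -Namespace $namespace `
    -Query "select * from SMS_R_UserGroup where ActiveDirectoryOrganizationalUnit = '$OuPath'"

"Groups discovered by AD Security Group Discovery : {0}" -f @($all).Count
"Groups in domain {0} : {1}" -f $Domain, @($byDomain).Count
"Groups in OU {0} : {1}" -f $OuPath, @($byOu).Count

# List the OU-scoped groups with their SID and the OU array, so nested parent OUs are visible.
$byOu | Select-Object UniqueUsergroupName, SID,
    @{ Name = 'OUs'; Expression = { @($_.ActiveDirectoryOrganizationalUnit) -join '; ' } } |
    Format-Table -AutoSize
```

Run it as an account that has rights on the SMS provider, either on the site server or on a computer with the SMS Administrator console installed; in the second case the namespace lookup still goes to the server named in -SiteServer.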

Logging

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Activity that is generated by the Active Directory Security Group Discovery Agent is logged in the Adsgdis.log file. DDR processing activity is logged in the Ddm.log file.

For a user to receive an advertisement that is based on security group membership, the security group must be in the user's access token, and the token is built when the user logs on. When a user is added to an Active Directory security group, the group does not appear in the user's access token until the user logs off and then logs back on to the domain. The same applies in reverse: a user who is removed from a targeted group keeps that group in the access token, and so remains eligible for the advertisement, until the next logoff and logon. To see the groups in a user's access token, type whoami /groups at a command prompt. (The Whoami.exe tool is included in Microsoft Windows XP Support Tools.)
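The access-token point can be checked directly rather than inferred from whoami output. The following PowerShell is an added example, not from the KB: it compares the groups in the current user's access token with the user's current direct Active Directory membership (the memberOf attribute) and lists the differences, which is what decides whether a logoff and logon is needed before a group-targeted advertisement applies. It uses only .NET and ADSI on a domain-joined computer and involves no SMS components; it assumes the account can bind to the group objects over LDAP:// to read their objectSid.

```powershell
# Added example, not from KB 923114. Compares the groups in the current user's access
# token with the user's current direct Active Directory membership, to show when a
# logoff/logon is needed before group-targeted advertisements apply. Requires a
# domain-joined machine and a domain account; uses .NET and ADSI only, no SMS components.

# 1. Groups in the access token (built at logon), resolved to DOMAIN\Name where possible.
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # well-known or deleted SIDs that do not resolve to a name
}

# 2. Direct group membership as Active Directory has it right now (memberOf).
$searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
$user     = $searcher.FindOne()
if (-not $user) { throw "User $env:USERNAME not found in the current domain" }

$adGroups = foreach ($dn in $user.Properties['memberof']) {
    # Resolve each group's objectSid so groups from other domains are named correctly.
    $grp   = [ADSI]"LDAP://$dn"
    $bytes = $grp.Properties['objectSid'].Value
    $gsid  = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try   { $gsid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $gsid.Value }
}

# 3. Compare. "In AD but not in the token" is a reliable sign the user must log off and on.
#    The reverse list also contains the primary group and nested groups, which memberOf
#    does not list, so treat it as candidates for removed memberships rather than proof.
$notInToken = @($adGroups | Where-Object { $tokenGroups -notcontains $_ })
$notInAdDirect = @($tokenGroups | Where-Object {
    ($adGroups -notcontains $_) -and
    ($_ -like '*\*') -and                        # domain-qualified names only
    ($_ -notlike 'BUILTIN\*') -and
    ($_ -notlike 'NT AUTHORITY\*') -and
    ($_ -notlike "$env:COMPUTERNAME\*")          # skip local machine groups
})

"Groups in AD but not in the token (added since logon; log off and on to pick them up):"
$notInToken
""
"Domain groups in the token but not in direct AD membership (removed since logon, primary group, or nested):"
$notInAdDirect
```

Run it as the user whose advertisement eligibility you are checking, not as an administrator, because the token that matters is the one that user's session carries.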

To enable verbose logging, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components\SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT

  3. In the right pane, right-click Verbose Logs, click Modify, type 1 in the Value data box, and then click OK.
  4. Exit Registry Editor.
  5. Click Start, click Run, type services.msc, and then click OK.
  6. In Services, restart the SMS Executive service, and then close Services.
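The same procedure as a PowerShell script, added here as an example that is not part of the KB. Run it in an elevated session on the site server. It assumes that the component key is under HKLM:\SOFTWARE\Microsoft\SMS\Components, that the service name is SMS_EXECUTIVE, and that Adsgdis.log is in the Logs folder under the Installation Directory value of HKLM:\SOFTWARE\Microsoft\SMS\Identification; the log location is an assumption, because the KB gives only the file name.

```powershell
# Added example, not from KB 923114. Enables verbose logging for the AD Security Group
# Discovery Agent, restarts SMS Executive, and verifies the result. Run elevated on the
# site server. Assumed paths: component keys under HKLM\SOFTWARE\Microsoft\SMS\Components,
# service name SMS_EXECUTIVE, log in <Installation Directory>\Logs (from the Identification key).
$component = 'SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT'
$key       = "HKLM:\SOFTWARE\Microsoft\SMS\Components\$component"

if (-not (Test-Path $key)) { throw "Component key not found: $key (is this the site server?)" }

# Record the current setting so it can be restored later; verbose logs grow quickly.
$before = (Get-ItemProperty -Path $key -Name 'Verbose Logs' -ErrorAction SilentlyContinue).'Verbose Logs'
"Verbose Logs before: $before"

# Create or update the DWORD value (step 3 of the procedure).
Set-ItemProperty -Path $key -Name 'Verbose Logs' -Value 1 -Type DWord

# The component re-reads its settings only when SMS Executive restarts (step 6).
Restart-Service -Name SMS_EXECUTIVE

# Verify the value stuck and look at the agent log to confirm output is being written.
$after = (Get-ItemProperty -Path $key -Name 'Verbose Logs').'Verbose Logs'
if ($after -ne 1) { throw "Verbose Logs is $after, expected 1" }

$installDir = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification').'Installation Directory'
$log = Join-Path $installDir 'Logs\adsgdis.log'
if (Test-Path $log) {
    "Last 20 lines of $log :"
    Get-Content -Path $log -Tail 20
} else {
    "Log not found at $log; the agent may not have run yet on this site."
}
```

When you are finished troubleshooting, set Verbose Logs back to 0 (or to the value recorded in $before) and restart SMS_EXECUTIVE again, so the log does not keep growing at the verbose rate.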

Modification Type: Major
Last Reviewed: 8/2/2006
Keywords: kbSMSDiscovery kbinfo KB923114 kbAudITPRO