Microsoft KB Archive/923114

= Active Directory Security Group Discovery in Systems Management Server 2003 Service Pack 2 =

Article ID: 923114

Article Last Modified on 2/13/2007


APPLIES TO


 * Microsoft Systems Management Server 2003 Service Pack 2




Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



INTRODUCTION
This article discusses Active Directory Security Group Discovery in Microsoft Systems Management Server (SMS) 2003 Service Pack 2 (SP2). Active Directory Security Group Discovery lets enterprises discover security groups and target them for software distribution. SMS 2003 SP2 can discover Local, Global, and Universal security groups in the Active Directory directory service.



Configuration
Active Directory Security Group Discovery is configured exactly as other Active Directory discovery methods are configured.

Discovery data records (DDRs)
When Active Directory Security Group Discovery is run, DDRs are created for the groups that are discovered. DDRs are stored in the SMS\Inboxes\Auth\Ddm.box folder and start with “asg.”

DDRs contain the following properties.

Database entries
Security groups that are discovered are stored in the User_Group_DISC table in the SMS database. The OUs that contain the security groups are stored in the User_Group_Active_Directory_Or table. The OUs are linked to the groups in the User_Group_DISC table by the ItemKey value.

Collections
A new collection that is named “All Active Directory Security Groups” is added. This collection uses the following Microsoft SQL Server query to list all groups that are discovered by Active Directory Security Group Discovery.

 select * from sms_r_usergroup where Agent_Name = 'SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT'

Site Control file
Active Directory Security Group Discovery Agent settings are stored in the "SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT" section of the Site Control file.

Windows Management Instrumentation (WMI)
The following properties are added to the SMS_R_UserGroup class in the SMS WMI provider:
 * ActiveDirectoryDomain
 * ActiveDirectoryOrganizationalUnit

These properties let administrators create collections of security groups that are based on domain membership or on OU membership. For example, the following WMI query looks for security groups that are based on domain membership.

 select * from SMS_R_UserGroup where ActiveDirectoryDomain = "domain.com"

The following WMI query looks for security groups based on OU membership.

 select * from SMS_R_UserGroup where ActiveDirectoryOrganizationalUnit = "DOMAIN.COM/SALES OU"

Logging
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Activity that is generated by the Active Directory Security Group Discovery Agent is logged in the Adsgdis.log file. DDR processing activity is logged in the Ddm.log file.

For a user to receive an advertisement that is based on security group membership, the security group must be in the user’s access token. When a user is added to an Active Directory security group, their access token is not updated until the user logs off and then logs back on to the domain. To see the list of groups in a user’s access token, type whoami /groups at the command prompt. (The Whoami.exe tool is included in Microsoft Windows XP Support Tools.)
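The two conditions described above (the group has been discovered by SMS, and the group is in the user's access token) can be checked together. The following PowerShell script is an added example, not part of the original article. The function names, the site server name `SMSSERVER`, the site code `XYZ`, the group `DOMAIN\Sales Users`, and the provider namespace `root\sms\site_<site code>` are assumptions, as is the `UniqueUsergroupName` property of SMS_R_UserGroup, which this article does not list.

```powershell
# Added example, not from the KB article. Hypothetical names: Get-TokenGroup,
# Test-AdvertisementGroup, SMSSERVER, XYZ, 'DOMAIN\Sales Users'.

function Get-TokenGroup {
    # Groups in the current logon token: the same data "whoami /groups" prints.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $null }   # SID that has no resolvable account name
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }
}

function Test-AdvertisementGroup {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,   # DOMAIN\Group form
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[\w.-]+$')][string]$Domain,      # keeps quotes out of the WQL string
        [Parameter(Mandatory = $true)][string]$SiteServer,  # computer that hosts the SMS provider
        [Parameter(Mandatory = $true)][string]$SiteCode
    )

    # Check 1: did discovery create a record for the group?
    # The query is the article's ActiveDirectoryDomain query; the namespace and
    # the UniqueUsergroupName property are assumptions (not stated in the article).
    $wql = "select * from SMS_R_UserGroup where ActiveDirectoryDomain = '$Domain'"
    $discovered = @(Get-WmiObject -ComputerName $SiteServer `
            -Namespace "root\sms\site_$SiteCode" -Query $wql |
        Where-Object { $_.UniqueUsergroupName -eq $GroupName })

    # Check 2: is the group in the token of the user who runs this script?
    # A user added to the group after logon fails this check until the next logon.
    $inToken = @(Get-TokenGroup | Where-Object { $_.Name -eq $GroupName })

    New-Object PSObject -Property @{
        Group           = $GroupName
        DiscoveredBySms = ($discovered.Count -gt 0)
        InCurrentToken  = ($inToken.Count -gt 0)
    }
}

# Run as the affected user; the values below are constructed samples.
Test-AdvertisementGroup -GroupName 'DOMAIN\Sales Users' -Domain 'domain.com' `
    -SiteServer 'SMSSERVER' -SiteCode 'XYZ'
```

If `DiscoveredBySms` is true and `InCurrentToken` is false for a user who was recently added to the group, the token predates the membership change and is refreshed only when the user logs off and logs back on.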

To enable verbose logging, follow these steps:

 1. Click Start, click Run, type regedit, and then click OK.
 2. Locate and then right-click the following registry subkey:

 HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components\SMS_AD_SYSTEM_GROUP_DISCOVERY_AGENT

 3. Right-click Verbose Logs, click Modify, type 1 in the Value data box, and then click OK.
 4. Exit Registry Editor.
 5. Click Start, click Run, type services.msc, and then click OK.
 6. In Services, restart the SMS Executive service, and then close Services.

Keywords: atdownload kbsmsdiscovery kbinfo KB923114


© Microsoft Corporation. All rights reserved.