Schuff at myITforum.com

Blog it to log it!

Using SCCM discovery to filter collections by AD Activity

Those of you that are using the Enhanced System Discovery Tool are already familiar with this procedure.  But what if you don't have ESD but do indeed have SCCM deployed? You can still pull this attribute into ConfigMgr and then use it throughout your queries and collections.

The first thing you will need to do is modify your AD System Discovery properties to include the whenChanged attribute.  This can be found under the Active Directory attribute tab.

Once you have added this attribute, select the Polling Schedule tab and check the Run discovery as soon as possible box if you want the new data for the whenChanged attribute to start showing up right away.  Keep in mind that this will increase system activity while the discovery runs.


To verify that it is indeed being collected, open the properties of a resource in the All Systems collection and browse through the discovery data to see the new whenChanged property and its value.  The values may take a while to appear as your System Discovery runs, and you may also discover many Null values.


Now that you have your new whenChanged property being populated into ConfigMgr you will simply need to create a query to utilize this data for your own benefit. Here is an example of a query that displays all machines that have an AD Activity Greater than 28 Days (Using whenChanged property):

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System where (DateDiff(day, whenChanged, GetDate()) > 28)

Now simply add that query into one of your collections and you can use the collection as a targeting or clean collection or however you prefer to use it.

P.S.  Once you paste this query statement into the query language window you will not be able to go back to the Show Query Design window as the DateDiff function is not supported in that view.  It has no effect on the query or results though.

Comments

Torsten said:

I haven't looked at this in deep detail, but are you sure that this is really working as expected?

If you have a look at msdn.microsoft.com/.../ms680921(VS.85).aspx you will see that "This value is not replicated and exists in the global catalog". So every GC could have a different value for 'whenChanged'. Depending on the GC that will be used for discovery (and that may differ from discovery cycle to discovery cycle) you may get varying results.

But as mentioned: those are just theoretical thoughts to bring a potential issue to your attention.

# May 9, 2008 4:12 AM

jscheffelmaer said:

That is a very good thought, Torsten, but the way it was described to me was that even though the whenChanged attribute does not replicate, when any other attribute that does replicate (such as computer password or description, etc.) changes, the local DC forces an update on the whenChanged attribute, since the computer object did indeed change from another attribute that was replicated/updated.  Thus it should always be accurate as far as computer age goes.

Thanks for the comment!

# May 9, 2008 12:43 PM
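
The question raised in the comments (whenChanged is not replicated, so each DC or GC can hold its own value) can be checked directly before a collection built on this query is used for cleanup. The following is an added example, not part of the original post or comments: it reads whenChanged for one computer object from every domain controller and reports whether the 28-day verdict is the same everywhere. It assumes the ActiveDirectory PowerShell module is available; the computer name is a placeholder.

```powershell
# Added example: compare whenChanged for one computer object across all DCs.
# Assumes the ActiveDirectory module (RSAT). 'WKS-EXAMPLE01' is a placeholder name.
param(
    [string]$ComputerName  = 'WKS-EXAMPLE01',
    [int]   $ThresholdDays = 28    # same cut-off as the collection query
)

Import-Module ActiveDirectory
$now = Get-Date

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Ask this specific DC for its own copy of the attribute
        $c = Get-ADComputer -Identity $ComputerName -Server $dc.HostName `
                            -Properties whenChanged -ErrorAction Stop
        $age = ($now - $c.whenChanged).TotalDays
        [pscustomobject]@{
            DomainController = $dc.HostName
            WhenChanged      = $c.whenChanged
            AgeDays          = [math]::Floor($age)
            OverThreshold    = $age -gt $ThresholdDays
        }
    }
    catch {
        # DC unreachable or object not found there: record the gap and continue
        [pscustomobject]@{
            DomainController = $dc.HostName
            WhenChanged      = $null
            AgeDays          = $null
            OverThreshold    = $null
        }
    }
}

$results | Sort-Object WhenChanged | Format-Table -AutoSize

# Summarise: how far apart are the DCs, and do they disagree about "stale"?
$seen = @($results | Where-Object { $null -ne $_.WhenChanged } | Sort-Object WhenChanged)
if ($seen.Count -gt 0) {
    $spread   = $seen[-1].WhenChanged - $seen[0].WhenChanged
    $verdicts = @($seen | ForEach-Object { $_.OverThreshold } | Select-Object -Unique)
    "Spread between oldest and newest whenChanged: {0:N1} days" -f $spread.TotalDays
    if ($verdicts.Count -gt 1) {
        "DCs disagree on the $ThresholdDays-day test for $ComputerName; the result depends on which DC discovery queries."
    } else {
        "All responding DCs agree on the $ThresholdDays-day test for $ComputerName."
    }
}
```

Running this against a handful of machines that appear in the collection shows whether the per-DC differences are large enough to matter at a 28-day cut-off in your environment.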