User attributes checked by Delta Discovery in SCCM 2012

Similar Messages

• System Discovery in SCCM 2012

  How can we exclude specific machines from discovery in SCCM.
  If there are 3000 machines in an OU, and would like only 1000 machines to be managed by SCCM which should be discovered. Is this possible or will it discover all resources ?
  Also if this could be achieved if there are sub OU's ?

  Hi,
  I found a similar thread for your reference.
  Active Directory System Discovery - Specific OU discovery is global
  http://social.technet.microsoft.com/Forums/en-US/c78710ee-800a-4d77-8754-f00e2f591961/active-directory-system-discovery-specific-ou-discovery-is-global?forum=configmanagergeneral
  For more infomation, please review the link below:
  Planning for Discovery in Configuration Manager
  http://technet.microsoft.com/en-us/library/gg712308.aspx
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• How to configure SCCM 2012 discover user group only?

  Hi,
  I'm wondering if there is a way to discover user group only (ignore computer group) in SCCM 2012?
  Jason

  Hi,
  Also note that by default, only security groups are discovered. However, you can discover the membership of distribution
  groups when you select the checkbox for the option Discover the membership of distribution groups on
  the Option tab
  in the Active Directory Group Discovery Properties dialog box.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SCCM 2012 and Exchange 2013 Connector

  Hello all,
  I hope that you are well!
  I have an issue that I can't explain for the moment, maybe someone can help me.
  Actually we have SCCM 2012 SP1 and Exchange 2013 Enterprise in our LAN.
  Now I did the configuration within SCCM of creating a new Exchange Server Connectors, everything seem's to be okay, no warning, no active alert, the Exchange server connection account and so on..
  But I can't see the mobile devices from my user into the All Mobile Devices within SCCM 2012.
  Do I miss something into this specific configuration, certificate or something related !
  Best regards to all of you
  Stephane

  Hello Gerry,
  This is what I got on EassDisc.log
  ERROR: [MANAGED] Invoking cmdlet Get-Recipient failed. Exception: System.Management.Automation.RemoteException: Cannot bind parameter 'Filter' to the target. Exception setting "Filter": "The value "$true" could not be converted to type System.Boolean."~~  
  at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)~~   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)~~  
  at System.Management.Automation.PowerShell.Invoke()~~   at Microsoft.ConfigurationManager.ExchangeConnector.Connector.Invoke(PSCommand cmd)
  ERROR: [MANAGED] Exception: Cannot bind parameter 'Filter' to the target. Exception setting "Filter": "The value "$true" could not be converted to type System.Boolean."
  ERROR: Failed to check status of discovery thread of managed COM. error = Unknown error 0x80131501
  But that is old error, since I configure the Account properly
  Regards to you,
  Stephane

• Workgroup client cannot discovered SCCM 2012 R2

  Hi,
  I have enabled the Network Discovery in SCCM 2012 R2, and defined the subnet of clients that I want to manage. Then IP subnet boundaries has been created. When I see
  Devices in Assets and Compliance, the workgroup clients cannot discovered.
  Communication between the workgroup clients with SCCM server is no issue in the network, by ping and mapping folder share in both is good. Windows firewall on all workgroup clients has configured to allow port File and Printer Sharing and WMI.
  How I can discovered all Workgroup clients?
  Thanks
  Regards, Bar Waelah

  Hi Bar Waelah,
  I think you need to configure the Maximum hops on the bottom of SNMP Tab.
  For more details, please check the Limiting Network Discovery.
  http://technet.microsoft.com/en-us/library/gg712308.aspx#BKMK_NetworkDisc
  You could also specify the IP Address or NetBIOS name of the device in SNMP Devices.
  Best Regards,
  Joyce 
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SCCM 2012 R2 ADR issue with proxy authentication

  Hi,
  We're migrating SCCM 2007 to SCCM 2012 R2.
  In SCCM 2007, the proxy server is configured with user authentication, and this works.
  In SCCM 2012 R2, the Software Update Point is installed locally and connected with a local WSUS 4.0 (Server 2012)
  We use a proxy with user authentication for Update Deployment. (This user is the same as configured in SCCM 2007.)
  The Proxy Server is Blue Coat SG.
  The proxy account is used for:
  The Synchronization works, but Automatic Deployment Rule (ADR) doesn't work.
  When an Automatic Deployment Rule is started, it tries to authenticate 3 times.
  The Patchdownloader.log shows:
  Trying to connect to the root\SMS namespace on the <servername> machine.        Software Updates Patch Downloader        11/8/2013
  12:19:06        3608 (0x0E18)
  Connected to
  \\<servername>\root\SMS        Software Updates Patch Downloader        11/8/2013 12:19:06        3608
  (0x0E18)
  Trying to connect to the
  \\<servername.domain>\root\sms\site_ECM namespace on the <servername.domain> machine.        Software Updates Patch Downloader        11/8/2013
  12:19:06        3608 (0x0E18)
  Connected to
  \\<servername.domain>\root\sms\site_ECM        Software Updates Patch Downloader        11/8/2013 12:19:06        3608
  (0x0E18)
  Download destination =
  \\<servername.domain>\dp_wks_ms_updates$\3208bb5e-bcd9-4389-a0c9-02ef33ccb998.1\XPSEPSC-x86-en-US.exe .        Software Updates Patch Downloader        11/8/2013 12:19:07        3608
  (0x0E18)
  Contentsource =
  http://wsus.ds.www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/xpsepsc-x86-en-us_7ae70ca1330a099080c6c41c4d5b7f19b30dc0cd.exe .        Software Updates Patch Downloader        11/8/2013
  12:19:07        3608 (0x0E18)
  Downloading content for ContentID = 16819067, 
  FileName = XPSEPSC-x86-en-US.exe.        Software Updates Patch Downloader        11/8/2013 12:19:07        3608 (0x0E18)
  Try username <domain\ProxyAccount>        Software Updates Patch Downloader        11/8/2013 12:19:07        8364
  (0x20AC)
  Proxy enabled proxy server <proxyserver>:8080        Software Updates Patch Downloader        11/8/2013
  12:19:07        8364 (0x20AC)
  HttpSendRequest failed HTTP_STATUS_PROXY_AUTH_REQ        Software Updates Patch Downloader        11/8/2013
  12:19:07        8364 (0x20AC)
  Download
  http://wsus.ds.www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/xpsepsc-x86-en-us_7ae70ca1330a099080c6c41c4d5b7f19b30dc0cd.exe to C:\Windows\TEMP\CAB6FD2.tmp returns 407        Software Updates
  Patch Downloader        11/8/2013 12:19:07        8364 (0x20AC)
  ERROR: DownloadContentFiles() failed with hr=0x80070197        Software Updates Patch Downloader        11/8/2013
  12:19:07        3608 (0x0E18)
  Then the proxy user account is locked:
  Trying to connect to the root\SMS namespace on the <servername> machine.        Software Updates Patch Downloader        11/8/2013
  12:20:11        3608 (0x0E18)
  Connected to \\ <servername>\root\SMS        Software Updates Patch Downloader        11/8/2013
  12:20:11        3608 (0x0E18)
  Trying to connect to the
  \\<servername.domain>\root\sms\site_ECM namespace on the <servername.domain> machine.        Software Updates Patch Downloader        11/8/2013
  12:20:11        3608 (0x0E18)
  Connected to
  \\<servername.domain>\root\sms\site_ECM        Software Updates Patch Downloader        11/8/2013 12:20:11        3608
  (0x0E18)
  Download destination =
  \\<servername.domain>\dp_wks_ms_updates$\e0a54221-3ff2-4129-b7cf-89bf5cd1f726.1\Windows-KB943729-x86-ENU.exe .        Software Updates Patch Downloader        11/8/2013
  12:20:12        3608 (0x0E18)
  Contentsource =
  http://wsus.ds.download.windowsupdate.com/msdownload/update/software/updt/2009/10/windows-kb943729-x86-enu_e174c41ce3dcbd5c8922d6d1c39df1be425a70e0.exe .        Software Updates Patch Downloader        11/8/2013
  12:20:12        3608 (0x0E18)
  Downloading content for ContentID = 16824262, 
  FileName = Windows-KB943729-x86-ENU.exe.        Software Updates Patch Downloader        11/8/2013 12:20:12        3608 (0x0E18)
  Try username <domain\ProxyAccount>        Software Updates Patch Downloader        11/8/2013 12:20:12        12480
  (0x30C0)
  Proxy enabled proxy server <proxyserver>:8080        Software Updates Patch Downloader        11/8/2013
  12:20:12        12480 (0x30C0)
  HttpSendRequest failed HTTP_STATUS_FORBIDDEN or HTTP_STATUS_DENIED        Software Updates Patch Downloader        11/8/2013
  12:20:12        12480 (0x30C0)
  Download
  http://wsus.ds.download.windowsupdate.com/msdownload/update/software/updt/2009/10/windows-kb943729-x86-enu_e174c41ce3dcbd5c8922d6d1c39df1be425a70e0.exe to C:\Windows\TEMP\CAB6E4B.tmp returns 403        Software Updates
  Patch Downloader        11/8/2013 12:20:12        12480 (0x30C0)
  ERROR: DownloadContentFiles() failed with hr=0x80070193        Software Updates Patch Downloader        11/8/2013
  12:20:12        3608 (0x0E18)
  The RuleEngine.log shows:
  Failed to download the update from internet. Error = 403 SMS_RULE_ENGINE 11/8/2013 16:18:25 3608 (0x0E18)
  Failed to download ContentID 16824467 for UpdateID 16819978. Error code = 403 SMS_RULE_ENGINE 11/8/2013 16:18:25 3608 (0x0E18)
  It seems that the ADR uses a wrong password when authenticating with the proxy, but this same user works when synchronizing with WSUS.
  We performed the following actions with no result:
  run the ADR manually and automatic,
  reinstalled WSUS and SUP,
  changed proxy user account.
  Regards,
  Matthias

  Currently, the command shows:
  Current WinHTTP proxy settings:
      Direct access (no proxy server).
  We've been testing with:
  upddwnldcfg.exe /s:<proxyserver>:<port> /u:<user> /allusers
  psexec -i -s iexplore.exe, set Internet Explorer proxy manually
  All with same result, proxy user getting locked when ADR runs.
  (These settings have been removed after the test.)
  I think dekac99 would suggest netsh winhttp set proxy or import proxy.
  then turn off proxy use on the role SUP (this way not SCCM will send auth but all winhttp will use proxy)
  the problems with that for me are:
  - if MS implemented role-based proxy usage, why set at http layer - of course this might work as a workaround for the time being so it might be a good idea but I'm just not sure what unwanted issues it may cause
  - the other thing is where I'm not sure, with set proxy you cannot define authentication account. if you use import from IE and the IE prompted for proxy auth, the stored credential will be used on winhttp layer (though I'm not 100% sure of that) - so this
  is just too uncontrolled for me
  - upddwnldcfg.exe will need to run in the name of system account (it stores credentials under HKCU so far I know it will be a per user based setting)
  --> what confuses me, the catalog synch works which should use the same configured proxy and account(?), only ADR does not work. shouldn't they both use the same process for sending account auth info?

• SCCM 2012 Reporting Only

  Hello,
  I'm looking for a way to only allow some users to use the reporting function of SCCM 2012. So far it seems as I grant permissions they get access to other parts of SCCM as well. Is there a way to configure their account to only view and run reports as need?
  If so, could you please explain the process? Thanks!
  Pat
  Pat

  I'm having some issues. I wanted to take screen shots but it won't allow me to paste on the forum. I'm a full administrator of SCCM. When I view my different reporting options I have 58 category of reports which there are more reports inside each category.
  I followed the directions from the links provided but when my user goes to view the reports they do not see as much as I do. I don't know the exact amount of reports he can view but I think it's about 11. I'm not sure how to allow the rest of the reports to
  be visible. I went down each security setting and if it had the option to "Run Report" and made sure it said "Yes". Any help is appreciated.
  Pat

• Report on Active Directory User Attributes in SCCM 2012

  I need to output a list of all users in a collection, along with certain user attributes from Active Directory. I can get part of what I need with the following query:
  SELECT v_FullCollectionMembership.ResourceID,
  v_R_User.Windows_NT_Domain0,
  v_R_User.Distinguished_Name0,
  v_R_User.Full_User_Name0,
  v_R_User.Mail0,
  v_R_User.User_Name0
  FROM v_FullCollectionMembership, v_R_User
  WHERE v_FullCollectionMembership.ResourceID = v_R_User.ResourceID
  AND v_FullCollectionMembership.CollectionID = 'SMS00002'
  If possible I need to add:
  Last logon timestamp
  User account status (enabled or disabled)
  I have added "lastLogon" and "lastLogonTimestamp" as additional attributesunder Active Directory User Discovery. This discovery method is enabled and I have run a full discovery about a month ago, and again today. I read in
  another thread that these attributes should appear in the table v_R_User, however they have not. Is v_R_User the right place to look for this or is there another view or table I can query?
  Once I have the above sorted out, how can I find the user account status in SCCM? I have done reports in the past directly from AD and used the 'useraccountcontrol' attribute and I noticed there is a column named 'User_Account_Control0' in v_R_User, however
  the values do not match those found in Active Directory.
  Thanks.

  Have you checked the attribute from the Active Directory in decimal format? Check that and compare it to the value ConfigMgr has stored in its 'User_Account_Control0'...
  User Account Control tells you multiple things of the account, for example does the account have "Smart card login required" -option checked from the account properties.
  The tricky part here is to actually get the report show you what you really want, because "useraccountcontrol" -attribute is a numeric value, you have to calculate what decimal combination means what in readable text.
  More info on the attribute can be found from here
  http://support.microsoft.com/kb/305144 and from there you can also find the values for different settings. For example:
  account is enabled = 512
  account is disabled = 514
  account is enabled with smart card = 262656

• SCCM 2012: Active Directory Group Discovery, Delta Discovery?

  Hi,
  Our scenario:
  *Software is requested via a seperate system which puts AD computer objects in groups
  *Software within SCCM 2012 is deployed to computer collections
  *Computer collections query AD groups, in those AD groups the pc's reside
  *Collections memberships run via AD query (every 20 minutes)
  *We deploy an OS (Windows 7) via SCCM
  *Machine policy is updates every 20 minutes
  What is important: AD Group discovery is set to full discovery every 7 days, delta discovery set to 15 minutes
  So what happens:
  *Pc is staged correctly with Windows 7 but software isn't coming through in time (sometimes it's there within the hour, sometimes it takes 6 hours)
  *If we run a full AD Group discovery mostly software is installing immediately
  *Sometimes a SCCM 2012 client machine reset policy or reinstall client solves the problem
  My questions:
  *Would it be better to run full discoveries every x minutes since this always solves our problem
  *Would it be better to disable the delta discovery if we do the change above to minimize AD queries
  => tried that now (full discovery every 30 minutes and disabled delta discovery) but I don't want to put to much pressure on our domain controller
  *Our software collections are limited to all systems, we could limit them to a Windows 7 collection. Probably we should do that but any suggestion how to do this safely in Powershell?
  Please advise.
  J.
  Jan Hoedt
  Note: what I don't get is why a full ad discovery system discovery sovles the problem since SCCM 2012 collections do a AD query, what 's the link there?

  So, let me see if I get this correct for our situation:
  Our own developed system puts pc’s in AD groups
  SCCM 2012 polls these groups, by default 1/week full discovery then every 30 minutes a delta discovery
  We deploy software to computer collections, these collections check the SCCM 2012 database every 30 minutes (collection update) Note: the query our collection do, is based upon requirement of Windows 6.1 + membership of an AD group.
  The SCCM 2012 client/computer does a computer policy update every 30 minutes to see what collections it is member of and see then the software to be deployed
   2 questions:
  *Our my assumptions correct? Specifically point 3.: is the query fully coming from an ad sync (or also from sccm client, f.e. Windows 6.1%)?
  *Don’t we have a step to much then, wouldn’t it be better to add a direct membership of the AD group within SCCM? This direct membership would mean no query and so save us about 20 minutes (run of query)?
  Jan Hoedt

• User Attribut doesn't get removed

  Hello Experts
  I recently added a new user attribut to the "Active Directory User Discovery" which i use in a new query based user collection. This actually works pretty well and the attribut shows up in the user properties.
  But if i remove the attribute value in active directory via the attribute editor, the old value still exists in configuration manager 2012 r2 even after a week. I manually initiated a Full User Discovery but the value is still there and doesn't show
  as empty.
  Is this a normal behaviour?
  Thanks in Advance
  Regards,
  Simon

  Hi,
  I guess that SCCM doesn't remove the existed attribute value if you remove the user attribute from Active Directory User Discovery and it just detects these attributes you added. You could try to discover a new user to see whether there is a value for
  the attribute after removing the attribute. If there is no value, I think Narcoticoo's suggestion could help you to clear the old value.
  Best Regards,
  Joyce Li
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SCCM 2012 Discovery Problems

  Hi everyone.
  I just installed SCCM 2012 on windows Server 2012 R2 and it on (real) HOST PC not a VM.
  before I installed SQL 2012 And domain on same server. i know it's Far not recommended. but 
  Problem is my SCCM 2012 cannot discover any device in my network,when OS it self (in: my computer\ My network) can see all the host pc that i have in my environment.
  i turned on all the methods of discovery.
  Please help.

  i tried everything, even reinstall, everything from beginning,
  1. install Win Server 2008 R2, install all updates, and then activate it.
  2 Roles : a. Active Directory Domain Services
                 b. DNS
                 c. File Services
                 d. web Server (IIS)
                 e. WSUS
  3. made container :System management
  . WSUS + updates WSUS-KB2720211-x64,  WSUS-KB2734608-x64
  .opened ports 
  .did  changes in IIS
  . install SQL 2012   with cuml Updates "SQLServer2012-KB2703275-x64"
  . checked TCP/IP
  . installed windows assessment and deployment kit for win 8.1
  and finally
  .installed SCCm 2012 R2 . without any errors, just 2 warnings.
  pc is Domain controller and wind Firewall
  BUt still no sense
  no users or devices in assets and compliance

• How to do the new created field in User Attributes, show in Manager GTC

  Hello Guys,
  I have a Connector GTC working perfectly. Now I created a new field in User Attributes and I need make this field appear in "Modify Connector Configuration" of "Manage Generic Connector" without having to create a new Connector.
  If I create a new Connector this field is showed normally, but this connector has a lot of mapping between the existing fields, I need only that a new field is displayed.
  How to I do this?
  Thanks

  Not sure what version of OIM you are using but check Bug: 12812650
  -Bikash

• OIF11g - Help on sending user attributes in HTTP header

  Hello, I have a OIF11g setup configured for both IdP and SP. Upon successfull authentication against LDAP, I need to end some user attributes on the HTTP header to the SP application. I do no have OAM in my setup, so there is no option of Webgate or Policy Manager to do that. As far as I read the config doc, I'm in the impression that we need to write a custom authentication engine to accept user credentials and code to authenticate against LDAP and also add attributes to the response header.
  Before I go down that path, just wanted to confirm if anybody has done this with OIF?
  Thanks,
  Sunil.

  Bernhard:
  Actually the headers are not set to null. I have an intermediate index.jsp page which is the first page that is redirected to by the AM - it is this page which calls my LoginServlet.
  The value appears consistently on this index.jsp page but after it is forwarded to the LoginServlet it starts behaving inconsistently. I check the system.out log in my websphere /logs folder and that tells me that LoginServlet does not consistenly get these values from the header.
  The wierd part is that if I use cookies or attributes, it works perfectly - each time every time. However, only in the case of headers (which is the method i am required to do) it behaves inconsistently.
  ANY feedback/help on this would be really appreciated bern.. thanks..
  ~saahil

• OIM 11g: UDF disappears from User Attributes page

  Hi,
  I was modifying a user defined attribute using the 11.1.1.3 User Attributes configuration page. All I did was change its category to move it to another section of the user profile page. The last remaining field in the category 'disappeared'. It just went from the list of fields in the category. The field still exists on the USR object and still contains all the values. But it's gone from the UI.
  I exported the /file/User.xml from MDS and sure enough the missing attribute is not present in the User.xml file. It is there for the mapping to the back end column, and in another element. But the element that describes the field proper is not there. I've since added the attribute element back in manually and re-imported the metadata using the weblogic environment manager, but the field still does not appear.
  So, my question is does anybody know where else OIM stores the attribute details? Is it in the DB somewhere and merely mirrored in the MDS? What do I need to do to restore the field? (I can't add it in because it says it already exists.)
  Thanks

  PeachEye,
  I was unable to see the UDF's I had created on the user form until I set up a policy for them. Please check the policy around the UDF's.
  I am hoping this can help you.
  From Oracle documentation:
  User's Guide for Oracle Identity Manager
  11g Release 1 (11.1.1)
  E14316-03
  User-defined fields (UDFs) can be added by creating a policy and
  adding attributes in the self service user management
  administration policy in Oracle Identity Administration. To add
  the User defined attributes for view or modification under the
  Attributes tab, these UDFs need to be added to the modify user
  data set for self-service. Also, a custom policy needs to be created
  under self service user management to grant permission to view
  and/or modify these attributes.
  For details on authorization policies, refer "Creating and Managing
  Authorization Policies" on page 15-2.

• Updating values dynamically in an user attribute which is lookup field

  Hi All,
  Can I have a pre process event handler to update the values in the lookup field on my create user page? I have two user attributes - one is the default organization and the other is a user created Country attribute. Both of these are Lookup fields. I want to update the country lookup field by checking what is selected in the organization lookup field. Is this possible in OIM?
  Not sure if pre process event handler is the way to go but this is what I want to achieve. Can anybody guide me regarding the same?
  Thanks,
  $id

  OK, here's my shot at a walkthrough... let me know if I missed any steps.
  1. From your original post, you are using two lookup fields. I'm use a base VM for testing, so I needed to create two. I went with City and State (I know they are OOB, but this is just an example).
  - Created Lookup.Custom.City and Lookup.Custom.State Samples:
  Lookup.Custom.City
  Code Key-Decode
  Miami-Florida
  Orlando-Florida
  New Orleans-Louisiana
  Lookup.Custom.State
  Code Key-Decode
  Florida-Florida
  Lousiana-Louisiana
  - Creating Custom UDF Attributes: Advanced->User Configuration->Actions->User Attributes (LOV's)
  -- Office City and Office State
  2. Use weblogicExportMetadata.sh to export /metadata/iam-features-requestactions/model-data/CreateUserDataSet.xml
  3. Edit CreateUserDataSet.xml to add:
  <AttributeReference name="Office State" attr-ref="Office State" available-in-bulk="false" type="String" length="20" widget="lookup" lookup-code="Lookup.Custom.State" required="false" mls="false"/>
  <AttributeReference name="Office City" attr-ref="Office City" type="String" length="30" widget="lookup-query" available-in-bulk="false">
  <lookupQuery lookup-query="select City.LKV_ENCODED as City from (Select LKV_ENCODED , LKV_DECODED  from LKU LKU, LKV LKV where lku_type_String_key = 'Lookup.Custom.City' and lku.lku_key = lkv.lku_key) City, (Select LKV_ENCODED, LKV_DECODED from LKU LKU, LKV LKV where lku_type_String_key = 'Lookup.Custom.State' and lku.lku_key = lkv.lku_key and lkv_decoded='$Form Data.Office State') State where State.LKV_ENCODED = City.LKV_DECODED order by City" display-field="City" save-field="City"/>
  </AttributeReference>4. Use weblogicImportMetadata.sh to import CreateUserDataSet.xml
  5. Run ./PurgeCache ALL (same directory)
  6. Go to request - create user (this example is for request based provisioning)
  7. If all went ok, when you select State, let's say Florida, then when you then click on city lookup, you will only see Orlando and Miami. If you toggle the state to Louisiana, you'll need to click search again on city and New Orleans should be the only one that comes up.