Display Changes to Nested Active Directory Security Groups (Inheritance) Preview

Purpose:
PDQ Inventory 12 will contain a fix to the way Active Directory security groups are listed in PDQ Inventory. You wish to preview how PDQ Inventory will treat nested Active Directory security groups before that behavior is included by default.

Considerations:

  • This KB only applies to PDQ Inventory version 11.
  • This KB only applies to customers using PDQ Inventory in an Active Directory environment with nested security groups.

Warning | Precaución | Achtung | Mise en garde | Attenzione
This feature has the potential to inflict unintended consequences on existing Deployments, Reports, and other Collections. We encourage you to thoroughly test this feature prior to its default inclusion in Inventory 12 Release 3.

Resolution:
Currently, PDQ Inventory lists no computers for an Active Directory security group that has no computer objects of its own, even if that group has member security groups that do contain computer objects.

For example, the following security group structure exists in Active Directory, represented here hierarchically.

Parent Group (contains no computer objects)
  Child01 Group (contains no computer objects)
    Child02 Group (contains one computer object)
      Child03 Group (contains one computer object)

When Dynamic Collections are created in PDQ Inventory for these groups, Child02 and Child03 each show the computers that are members of those groups and only those groups.

Once the feature to list computers in Active Directory nested security groups has been enabled, the view from PDQ Inventory’s perspective, hierarchically, is now:

Parent Group (contains two inherited computer objects)
  Child01 Group (contains two inherited computer objects)
    Child02 Group (contains one computer object + inherited object)
      Child03 Group (contains one computer object)
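
The inheritance shown above, as an added example (not PDQ's code): it computes direct versus inherited computer membership for the four groups and reports what each group gains, and it goes slightly further by tolerating circular nesting. It assumes each child group is nested inside the group listed above it; PC-A and PC-B are constructed computer names.

```python
# Added example: direct vs. inherited computer membership in nested groups.
# Assumption: Child03 is a member of Child02, Child02 of Child01, and
# Child01 of Parent. PC-A and PC-B are constructed computer names.

# group -> direct members; a member is either another group or a computer.
MEMBERS = {
    "Parent":  ["Child01"],
    "Child01": ["Child02"],
    "Child02": ["Child03", "PC-A"],
    "Child03": ["PC-B"],
}

def direct_computers(group, members=MEMBERS):
    """Computers that are direct members (the view before the feature is on)."""
    return {m for m in members.get(group, []) if m not in members}

def effective_computers(group, members=MEMBERS):
    """Direct plus inherited computers; each group is expanded only once."""
    seen, stack, found = set(), [group], set()
    while stack:
        current = stack.pop()
        if current in seen:          # already expanded: breaks nesting loops
            continue
        seen.add(current)
        for m in members.get(current, []):
            if m in members:
                stack.append(m)      # nested group: expand it later
            else:
                found.add(m)         # computer object
    return found

def membership_delta(members=MEMBERS):
    """Per group, the computers that appear only once inheritance is on."""
    return {
        g: sorted(effective_computers(g, members) - direct_computers(g, members))
        for g in members
    }

if __name__ == "__main__":
    for group, gained in membership_delta().items():
        print(f"{group}: gains {gained or 'nothing'}")
```

Groups with a non-empty delta are the ones whose Dynamic Collections, and any Deployments or Reports built on them, will pick up additional computers once the setting is enabled.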


Enable or Disable the Feature*
To enable listing computers in nested AD security groups, perform the following:

1. In PDQ Inventory version 11, go to File > Preferences > Database (or Ctrl+comma > Database) and click on the SQLite Console button. This will open the SQLite console window.
2. In the SQLite console window, type the following command and then press Enter.

Insert into settings (name, value) values ('ActiveDirectorySettings.IncludeInheritedGroupMembers', 'True');

This will add the new record, which does not exist by default.
3. Or, if the new record already exists, type the following command in a SQLite console window and then press Enter.

Update settings set value = 'True' where name = 'ActiveDirectorySettings.IncludeInheritedGroupMembers';

This will enable the feature.
4. Close out of the SQLite console window.
5. Go to File > Preferences > Background Service and stop and start the PDQInventory service.

IMPORTANT: Enabling this feature is optional in PDQ Inventory 11. In PDQ Inventory 12 it will be the default behavior, and the option to disable the feature will not exist.

To disable listing computers in nested AD security groups, perform the following:

1. In PDQ Inventory, go to File > Preferences > Database (or Ctrl+comma > Database) and click on the SQLite Console button. This will open the SQLite console window.
2. In the SQLite console window, type the following command and then press Enter.

Update settings set value = 'False' where name = 'ActiveDirectorySettings.IncludeInheritedGroupMembers';

This will disable the feature.

3. Close out of the SQLite console window.
4. Go to File > Preferences > Background Service and stop and start the PDQInventory service.

IMPORTANT: PDQ Inventory 11 will allow you to disable this feature; however, this will be the default behavior in PDQ Inventory 12.

*It is recommended you perform a scan on all impacted computers after enabling or disabling the feature.

Troubleshooting:
If you are not seeing the expected changes to Dynamic Collections or reports, try the following:

  • Run a manual Active Directory Sync: in PDQ Inventory, go to File > Preferences > Active Directory (Ctrl+comma > Active Directory) and click the Sync Now button. Then restart the background service (instructions above).
  • Run a Standard Scan on all computers involved in the AD nested security groups: select the computers, select Scan from the Toolbar, and run the Standard scan (F6).
  • Stop and restart the background service again (instructions above).

See Also:
PDQ Inventory Active Directory Synchronization
