Channel: Symantec Connect - Articles

Finding Broken Agents by extending AD Import

One of the hardest tasks for an Altiris administrator is maintaining agent coverage across the estate: ensuring that all machines are managed and remain managed. This article gives a brief guide to extending the AD import so that it also imports the pwdLastSet and lastLogonTimeStamp attributes of computer accounts (see http://blogs.technet.com/b/ken_brumfield/archive/2008/09/16/identifying-stale-user-and-computer-accounts.aspx for further details of these attributes), and to comparing that data with the last configuration request of the Symantec Management Agent to identify machines that are likely to have a broken agent: a computer account that is still active in Active Directory but whose agent has stopped checking in. Two properties of these attributes matter for the comparison. By default a domain member changes its computer account password every 30 days, and lastLogonTimeStamp is only rewritten when the stored value is more than about 14 days old (msDS-LogonTimeSyncInterval), so it is accurate to roughly two weeks rather than to the day. See screenshots.pdf for a pictorial representation of the expected outcome of some of the steps.

The first step is to create a custom data class to store the data in (I have attached the one I created, Comp_Acct_Updates.xml):

  1. In the Symantec Management Console browse to Settings > All Settings > Notification Server > Resource and Data Class Settings > Data Classes > Inventory.
  2. Right Click on the 'Custom' folder and select New > Editable Data Class.
  3. Provide a logical name for the data class. I have called mine Comp_Acct_Updates which will in turn create a SQL table named Inv_Comp_Acct_Updates.
  4. Click add new attribute.
    • Provide a logical name for the attribute. I have called mine Last PWD Change which will create a column of that name in the above SQL table.
    • Select 'Date' as the Data Type.
    • Select 'Required'.
  5. Click add new attribute.
    • Provide a logical name for the attribute. I have called mine Last Logon which will create a column of that name in the above SQL table.
    • Select 'Date' as the Data Type.
  6. Ensure that 'Multiple Rows' is NOT selected.
  7. Click Save Changes

The next step is to assign the data class you have just created to the Computer resource type to allow us to import the data against computer accounts.

  1. In the Symantec Management Console browse to Settings > All Settings > Notification Server > Resource and Data Class Settings > Resource Types > Asset Types > IT and select 'Computer'.
  2. Scroll to the bottom of the page and select 'Add data classes'.
  3. Expand 'Inventory' folder.
  4. Expand 'Custom' folder.
  5. Select the data class you created above.
  6. Click save changes.
  7. Untick 'allow edit'.
  8. Click save changes.

Now we need to edit the AD import rule for computer accounts to import this additional data and write it to the data class you created above.

  1. In the Symantec Management Console browse to Settings > All Settings > Notification Server and select 'Microsoft Active Directory Import'.
  2. On the 'import computer resources' rule select the 'default column mappings' hyperlink.
  3. On the left hand side scroll to the data class that you created above and tick it.
  4. Set the following options;
    • Import Options: Only if resource is = Managed.
    • Import Options: Treat data as = not selected.
    • Attribute Mappings: Last PWD Change - click on (Null)
      • Directory entry attribute = pwdLastSet
      • Define Processing Steps = File Time (UTC) (although local time may be preferable for some customers)
      • click OK
    • Attribute Mappings: Last logon - click on (Null)
      • Directory entry attribute = lastLogonTimeStamp
      • Define Processing Steps = File Time (UTC) (although local time may be preferable for some customers)
      • click OK
    • Click OK
  5. Click Save Changes.
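The two 'File Time (UTC)' processing steps above convert 64-bit Windows FILETIME values (100-nanosecond intervals since 1 January 1601 UTC) into dates. As an added example, not part of the original article or of the Notification Server product, the following T-SQL performs the same conversion by hand, which is useful for checking imported rows against the raw attribute values read from AD (for instance from ADSI Edit or Get-ADComputer -Properties pwdLastSet). The function name fn_FileTimeToUtc is my own, and the sample values are constructed, not taken from any real directory.

```sql
-- Added example (not from the original article): convert the raw 64-bit
-- FILETIME values that AD stores in pwdLastSet and lastLogonTimeStamp into
-- a UTC datetime2, i.e. what the 'File Time (UTC)' processing step does.
-- FILETIME = number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
CREATE FUNCTION dbo.fn_FileTimeToUtc (@filetime BIGINT)
RETURNS DATETIME2(0)
AS
BEGIN
    -- 0 means "never set" (pwdLastSet on an account flagged to change its
    -- password at next logon); a NULL attribute means no DC has ever written
    -- it; 9223372036854775807 is the sentinel AD uses for "never" in
    -- accountExpires. All are returned as NULL rather than as 1601-01-01,
    -- which would otherwise look like an extremely stale account in a report.
    IF @filetime IS NULL OR @filetime <= 0 OR @filetime = 9223372036854775807
        RETURN NULL;

    DECLARE @secs BIGINT = @filetime / 10000000;  -- whole seconds since 1601

    -- DATEADD takes an INT, so split into whole days plus a sub-day remainder
    -- (both fit comfortably in INT for any date SQL Server can represent).
    RETURN DATEADD(second, CAST(@secs % 86400 AS INT),
               DATEADD(day, CAST(@secs / 86400 AS INT),
                       CAST('1601-01-01' AS DATETIME2(0))));
END;
GO

-- Constructed sample values (not real accounts):
--   125911584000000000 is 2000-01-01T00:00:00Z
--   116444736000000000 is 1970-01-01T00:00:00Z (the Unix epoch)
--   0 is "never set"
SELECT dbo.fn_FileTimeToUtc(125911584000000000) AS y2k,
       dbo.fn_FileTimeToUtc(116444736000000000) AS unix_epoch,
       dbo.fn_FileTimeToUtc(0)                  AS never_set;
```

If you choose the local-time processing step instead of UTC, bear in mind that the comparison in the report uses getdate(), which is the Notification Server's local time, so mixing UTC attribute values with a local-time server clock can shift a machine across the 30-day boundary by up to a day.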

The final step is to build a report that compares this data and shows machines that are likely to have a broken agent (the same data could also be used to create a filter to attach to the push computers schedule, or in a workflow that raises a Service Desk ticket so that field engineering looks at the client). These steps walk you through creating a very basic report that uses 30 days as the threshold for considering an agent broken; I have also attached a report in which this number is configurable.

  1. In the Symantec Management Console browse to Reports > All reports and then to a folder where you store your custom reports of this type.
  2. Right click and select New > Report > SQL report.
  3. Provide a logical name for your report, I have called mine 'Broken Agents' (see attached - broken agents.xml).
  4. If you want report users to see only the computer resources they have read permission for, replace the contents of the 'Parameterized Query' tab with the SQL below. The scoping is done by the two @v1_TrusteeScope lines at the top and the final 'and vce.guid IN (...)' predicate (highlighted in bold in the original); remove those three parts to show every computer regardless of permissions. Note that a computer that has never sent a configuration request (no row at all in Evt_NS_Client_Config_Request) is not listed, because datediff on a NULL date never satisfies the '> 30' comparison.

      -- Scoping: remove these two lines and the final predicate to show all computers
      DECLARE @v1_TrusteeScope nvarchar(max)
      SET @v1_TrusteeScope = N'%TrusteeScope%'

      select vce.Name,
             acct.[last pwd change] 'Last Computer Account PWD Change',
             acct.[last logon] 'Last Computer Logon',
             mrt.Request 'Last Altiris Config Request'
      from vComputerEx vce
      left join inv_comp_acct_updates acct on acct._resourceguid = vce.Guid
      -- most recent configuration request per resource
      left join (select ccr._resourceguid, MAX(ccr.StartTime) Request
                 from Evt_NS_Client_Config_Request ccr
                 group by ccr._resourceguid) mrt on mrt._ResourceGuid = vce.Guid
      -- agent silent for more than 30 days, yet the AD account was active within 30 days
      where datediff(day, mrt.Request, getdate()) > 30
        and (datediff(day, acct.[last logon], getdate()) < 30
             or datediff(day, acct.[last pwd change], getdate()) < 30)
      -- scoping predicate: only computers within the report user's trustee scope
      and vce.guid IN (SELECT [ResourceGuid] FROM [ScopeMembership]
                       WHERE [ScopeCollectionGuid] IN
                             (SELECT [ScopeCollectionGuid] FROM dbo.fnGetTrusteeScopeCollections(@v1_TrusteeScope)))

  5. Click Save Changes.

N.B. the imported data has many other uses. For example, if a computer is inactive in both places (no recent configuration request and no recent AD logon or password change), its asset status could be set to Missing, and an automation policy created to email the last logged-on user or primary user asking them to confirm the asset's status.
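As an added example, which is not the article's attached report, here is the same comparison written with a configurable threshold, a NULL-safe treatment of computers that have never sent a configuration request, and a verdict column that also covers the 'missing asset' case from the note above, so that one query serves both the report at step 4 and the N.B. The table and column names are the ones created in the steps above; Evt_NS_Client_Config_Request and vComputerEx are the standard Notification Server objects the article already uses. In the console the two DECLARE lines can be replaced by report parameters, and the trustee-scope predicate from step 4 can be appended to the final WHERE clause unchanged.

```sql
-- Added example (not the article's attached report). Classifies every computer
-- by combining the AD activity dates imported above with the agent's last
-- configuration request. Table and column names are those created in the
-- steps above.
DECLARE @AgentDays INT = 30;   -- an agent silent for longer than this is suspect
DECLARE @ADDays    INT = 30;   -- AD activity within this window means the machine is alive;
                               -- lastLogonTimeStamp only updates about every 14 days,
                               -- so do not set this below 14

WITH lastreq AS (
    -- most recent configuration request per resource
    SELECT ccr._ResourceGuid, MAX(ccr.StartTime) AS Request
    FROM Evt_NS_Client_Config_Request ccr
    GROUP BY ccr._ResourceGuid
),
classified AS (
    SELECT vce.Guid, vce.Name,
           acct.[Last PWD Change] AS LastPwdChange,
           acct.[Last Logon]      AS LastLogon,
           lr.Request             AS LastConfigRequest,
           -- NULL-safe flags: a missing date counts as "no activity", whereas a
           -- bare DATEDIFF(...) > @n on NULL would silently drop the row
           CASE WHEN lr.Request IS NULL
                  OR DATEDIFF(day, lr.Request, GETDATE()) > @AgentDays
                THEN 1 ELSE 0 END AS AgentSilent,
           CASE WHEN (acct.[Last Logon] IS NOT NULL
                      AND DATEDIFF(day, acct.[Last Logon], GETDATE()) <= @ADDays)
                  OR (acct.[Last PWD Change] IS NOT NULL
                      AND DATEDIFF(day, acct.[Last PWD Change], GETDATE()) <= @ADDays)
                THEN 1 ELSE 0 END AS ADActive
    FROM vComputerEx vce
    LEFT JOIN Inv_Comp_Acct_Updates acct ON acct._ResourceGuid = vce.Guid
    LEFT JOIN lastreq lr ON lr._ResourceGuid = vce.Guid
)
SELECT Name, LastPwdChange, LastLogon, LastConfigRequest,
       CASE
           -- alive in AD, agent not reporting: the case this article is about
           WHEN AgentSilent = 1 AND ADActive = 1 THEN 'Broken agent'
           -- inactive everywhere (or absent from the AD import): candidate for
           -- asset status Missing and the confirmation email in the N.B.
           WHEN AgentSilent = 1 AND ADActive = 0 THEN 'Missing'
           ELSE 'Healthy'
       END AS Verdict
FROM classified
WHERE AgentSilent = 1            -- drop this predicate to list healthy machines as well
ORDER BY Verdict, LastConfigRequest;
```

Keep @ADDays at or above the lastLogonTimeStamp update interval: with a smaller window a machine that logged on yesterday can still show an attribute value up to two weeks old and be misclassified as Missing rather than Broken agent.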

