Computer Dynamic Group Membership Rule Distinguished Name

Hello,

I want to create a dynamic group including all computers with a Distinguished Name containing "CRETEIL".
Unfortunately, the membership rule "Computer distinguishedName Contains CRETEIL" doesn't return any items while many computers have "CRETEIL" in their Distinguished Names (see screenshot below).

For information, the correct domain is used.

In advance, thank you for your help.

Regards,

  • Hello,

    This is an Active Directory limitation. The distinguishedName attribute is a computed attribute, based on the object's location: it is not a "real" attribute and it is not possible to perform a wildcard ("Contains") search on a computed attribute via LDAP.

    There are a number of different workarounds, depending on your needs and your environment.

    For example, if you only have a handful of these containers, then an "Equals" search with the full distinguishedName will return results.

    You could also create an Automation Workflow that stamps an Active Roles Virtual Attribute on all computer objects within one or more folder structures and then target your Dynamic Group at the stamped attribute.

    You could also introduce this as a real-time provisioning process, triggered by creation in or a move into/out of a folder tree.

    You might also be able to create a complex LDAP query using the LDAP_MATCHING_RULE_IN_CHAIN OID, but that comes with its own issues as it isn't fully supported in an Active Roles Dynamic Group.
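The answer above explains why a "Contains" rule on distinguishedName returns nothing, and a later reply notes that the commas in a DN make it awkward to match as a string. As an added example (not code from this thread or from Active Roles), the Python below shows the client-side equivalent of the two things that do work: deciding membership by the object's position in the tree (the same relation an LDAP search scoped at the OU gives you) or by an exact RDN component, while splitting the DN per RFC 4514 so an escaped comma inside a value is not mistaken for an RDN boundary. It also runs the naive substring match the question tried, to show how it over-matches on computer names that merely contain the word. The example.com forest, the OU location and the sample DNs are constructed assumptions.

```python
"""
Client-side DN matching for "all computers under the CRETEIL folder tree".

Added example, not code from the forum thread or from Active Roles. AD will not
evaluate a substring filter such as (distinguishedName=*CRETEIL*) on a
DN-syntax attribute, so membership has to be decided either by scoping the LDAP
search at the OU or by checking each fetched object's DN client-side, as here.
The DNs below are constructed for the example in a hypothetical example.com forest.
"""
from __future__ import annotations

# Constructed sample: one machine really under the CRETEIL OU, one whose *name*
# merely contains CRETEIL, one with an escaped comma in its CN, one unrelated.
COMPUTERS = [
    r"CN=PC-001,OU=Workstations,OU=CRETEIL,OU=Sites,DC=example,DC=com",
    r"CN=SRV-CRETEIL-01,OU=Servers,OU=Paris,OU=Sites,DC=example,DC=com",
    r"CN=Legacy\, CRETEIL box,OU=Archive,DC=example,DC=com",
    r"CN=PC-002,OU=Workstations,OU=Lyon,OU=Sites,DC=example,DC=com",
]
CRETEIL_OU = r"OU=CRETEIL,OU=Sites,DC=example,DC=com"  # assumed location of the OU


def split_rdns(dn: str) -> list[str]:
    """Split a DN into its RDNs, honouring RFC 4514 backslash escapes so that an
    escaped comma inside a value is not treated as an RDN boundary."""
    rdns: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i : i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def normalize_rdn(rdn: str) -> tuple[str, str]:
    """(type, value) pair, lower-cased for the case-insensitive matching AD uses.
    Hex escapes such as \\20 are left as-is; that is enough for this comparison."""
    attr_type, _, value = rdn.partition("=")
    return attr_type.strip().lower(), value.strip().lower()


def is_under(dn: str, base_dn: str) -> bool:
    """True when dn sits at or below base_dn: the normalized RDN list of dn must
    end with the normalized RDN list of base_dn (the LDAP 'subtree' relation)."""
    parts = [normalize_rdn(r) for r in split_rdns(dn)]
    base = [normalize_rdn(r) for r in split_rdns(base_dn)]
    return len(parts) >= len(base) and parts[-len(base):] == base


def has_ou(dn: str, ou_name: str) -> bool:
    """True when some RDN of dn is exactly OU=<ou_name>, wherever it sits in the path."""
    return ("ou", ou_name.lower()) in (normalize_rdn(r) for r in split_rdns(dn))


def select_by_tree(dns: list[str], base_dn: str) -> list[str]:
    """Equivalent of scoping the search at base_dn: keeps the DNs under that tree."""
    return [dn for dn in dns if is_under(dn, base_dn)]


def select_by_substring(dns: list[str], needle: str) -> list[str]:
    """The 'Contains' rule the question tried, applied to the DN string. Shown only
    to illustrate its over-matching: computer names and escaped values match too."""
    return [dn for dn in dns if needle.lower() in dn.lower()]


if __name__ == "__main__":
    print("under OU  :", select_by_tree(COMPUTERS, CRETEIL_OU))
    print("has OU RDN:", [dn for dn in COMPUTERS if has_ou(dn, "CRETEIL")])
    print("substring :", select_by_substring(COMPUTERS, "CRETEIL"))
```

Against the constructed sample, the tree and RDN checks return only PC-001, whereas the substring rule also picks up the Paris server named SRV-CRETEIL-01 and the archived machine whose CN contains the word. The server-side equivalent of `select_by_tree` is to set the search base at the OU rather than filtering on distinguishedName (for instance the `-SearchBase` parameter of `Get-ADComputer`), which is also what the "Equals with the full DN" workaround above relies on.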

  • A further difficulty with the DN is that in my experience its composition (containing commas) makes it unfriendly for LDAP queries.

    I was going to suggest you try searching on the CanonicalName property.

  • I thought about it but I didn't manage to find the CanonicalName and edsvaParentCanonicalName properties to try searching on:

    https://photos.app.goo.gl/gTppk72KexnBGFV86