Kevin Holman's System Center Blog

Posts in this blog are provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified in the Terms of Use.

OpsMgr: How to create a group of all Windows Computers that are NOT a member of another group


This is a pretty common request, and I have been meaning to write up an example of this.

Suppose you have the following scenario: You are monitoring 1000 Windows Servers with OpsMgr. In your management group, you have 100 servers that are Test/Dev machines, and you have 900 that are production. You need a simple way to treat these servers differently, for overrides, and creating notifications or incidents, or even scoping your views. You want to ensure that you don’t send critical pages, emails, or create incidents on these lab/test/dev machines.

The challenge is – our notifications, views, and overrides don’t have the ability to have an “exclude” function… to say “show me everything except alerts from these machines”

 

I will start by creating a group using the UI, for my Lab Computers group, based on OU.  This could be based on static membership, or anything else.

 


Verify that I have the right Lab Computer members in that group.

 

Now we need to create a second group, which will contain ALL OTHER computers in SCOM that are not part of the lab group.

 

The only criteria we will define here, is that this will contain all Windows Computers.  (We will restrict the membership later in XML)

 


 

Save the group and verify it contains ALL Windows Computers. 

Save and export the management pack to XML.

Edit the XML file using notepad or your XML editor of choice.

 

Find the discovery for your Production Server Group.  If you used the UI to create the group, these will have a “UINameSpace<GUID>” name… so you will have to ensure you are choosing the right one by verifying this in the DisplayStrings section of the XML.

Here is what my default group discovery criteria looked like, for all Windows Computers:

 

      <Discovery ID="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group.DiscoveryRule" Enabled="true" Target="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group" ConfirmDelivery="false" Remotable="true" Priority="Normal">
        <Category>Discovery</Category>
        <DiscoveryTypes>
          <DiscoveryRelationship TypeID="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities" />
        </DiscoveryTypes>
        <DataSource ID="GroupPopulationDataSource" TypeID="SystemCenter!Microsoft.SystemCenter.GroupPopulator">
          <RuleId>$MPElement$</RuleId>
          <GroupInstanceId>$MPElement[Name="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group"]$</GroupInstanceId>
          <MembershipRules>
            <MembershipRule>
              <MonitoringClass>$MPElement[Name="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]$</MonitoringClass>
              <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
            </MembershipRule>
          </MembershipRules>
        </DataSource>
      </Discovery>

Right now – the expression just basically states that if the object is a Windows Computer, it belongs in the group.

We need to add an expression, which basically states “All Windows Computers that are NOT CONTAINED in the Lab Servers Group”.  The part that handles this is the <MembershipRule> section.

Here is an example expression that will create this filter:

                 <Expression>
                    <NotContained>
                        <MonitoringClass>$MPElement[Name="UINameSpacebff9e11464de491f9620271507a2aeb8.Group"]$</MonitoringClass>
                    </NotContained>
                 </Expression>

The key in the above expression is the <NotContained> tag.   You can use <Contains>, <NotContains>, <Contained>, and <NotContained> for similar expressions.

 

Now – the group class ID above just happens to be the group class ID in my management pack (for Lab Servers).  You will need to change this to your own group class ID, which is defined in this management pack above, in the <ClassTypes> section.

The full XML for this discovery would look like so:

      <Discovery ID="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group.DiscoveryRule" Enabled="true" Target="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group" ConfirmDelivery="false" Remotable="true" Priority="Normal">
        <Category>Discovery</Category>
        <DiscoveryTypes>
          <DiscoveryRelationship TypeID="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities" />
        </DiscoveryTypes>
        <DataSource ID="GroupPopulationDataSource" TypeID="SystemCenter!Microsoft.SystemCenter.GroupPopulator">
          <RuleId>$MPElement$</RuleId>
          <GroupInstanceId>$MPElement[Name="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group"]$</GroupInstanceId>
          <MembershipRules>
            <MembershipRule>
              <MonitoringClass>$MPElement[Name="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]$</MonitoringClass>
              <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
              <Expression>
                <NotContained>
                  <MonitoringClass>$MPElement[Name="UINameSpacebff9e11464de491f9620271507a2aeb8.Group"]$</MonitoringClass>
                </NotContained>
              </Expression>
            </MembershipRule>
          </MembershipRules>
        </DataSource>
      </Discovery>

 

You can save this MP edit, then import your management pack.

You will now see that you have a group of all Windows Computers, except those that are members of the Lab Computers group:

 

[Screenshots: membership of the Lab group and of the Production group]

 

Since my lab group is dynamic based on OU, as servers are moved in or out of that OU, the Production group will also be dynamically updated.

 

I can now use my production group to scope and filter console views and user roles, filter notifications, and overrides.
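The manual edit above (find the group IDs through DisplayStrings, confirm the excluded group's class is defined in <ClassTypes>, then add the <NotContained> expression to the discovery) can also be scripted against the exported XML. This is an added example, not code from the original post; the sample management pack, its IDs and reference aliases, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for an exported unsealed MP (IDs and aliases are made up).
SAMPLE_MP = """<ManagementPack>
 <TypeDefinitions><EntityTypes><ClassTypes>
  <ClassType ID="UINameSpaceAAA.Group"/>
  <ClassType ID="UINameSpaceBBB.Group"/>
 </ClassTypes></EntityTypes></TypeDefinitions>
 <Monitoring><Discoveries>
  <Discovery ID="UINameSpaceAAA.Group.DiscoveryRule" Target="UINameSpaceAAA.Group">
   <DataSource ID="GroupPopulationDataSource" TypeID="SystemCenter!Microsoft.SystemCenter.GroupPopulator">
    <MembershipRules><MembershipRule>
     <MonitoringClass>$MPElement[Name="Windows!Microsoft.Windows.Computer"]$</MonitoringClass>
     <RelationshipClass>$MPElement[Name="SCIG!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
    </MembershipRule></MembershipRules>
   </DataSource>
  </Discovery>
 </Discoveries></Monitoring>
 <LanguagePacks><LanguagePack ID="ENU"><DisplayStrings>
  <DisplayString ElementID="UINameSpaceAAA.Group"><Name>Production Servers</Name></DisplayString>
  <DisplayString ElementID="UINameSpaceBBB.Group"><Name>Lab Computers</Name></DisplayString>
 </DisplayStrings></LanguagePack></LanguagePacks>
</ManagementPack>"""

def group_id(root, display_name):
    """Resolve a display name to a class ID that really exists in <ClassTypes>."""
    class_ids = {c.get("ID") for c in root.iter("ClassType")}
    hits = [d.get("ElementID") for d in root.iter("DisplayString")
            if d.findtext("Name") == display_name and d.get("ElementID") in class_ids]
    if len(hits) != 1:
        raise LookupError(f"{display_name!r} matches {len(hits)} classes in <ClassTypes>")
    return hits[0]

def exclude_group(mp_xml, target_name, excluded_name):
    """Add a <NotContained> expression for excluded_name to target_name's group discovery."""
    root = ET.fromstring(mp_xml)
    target, excluded = group_id(root, target_name), group_id(root, excluded_name)
    disc = next(d for d in root.iter("Discovery") if d.get("Target") == target)
    for rule in disc.iter("MembershipRule"):
        if rule.find("Expression") is not None:
            raise ValueError("rule already has an <Expression>; edit it by hand")
        expr = ET.Element("Expression")
        ET.SubElement(ET.SubElement(expr, "NotContained"), "MonitoringClass").text = f'$MPElement[Name="{excluded}"]$'
        # Place it directly after <RelationshipClass>, the position used in the XML above.
        rule.insert(list(rule).index(rule.find("RelationshipClass")) + 1, expr)
    return ET.tostring(root, encoding="unicode")
```

The lookup fails before any edit is made if the excluded group's class is not defined in the same management pack, the condition behind a "Cannot find specified MPElement" import error.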

Comments
  • Thanks for the enlightenment.  Worth the money in my wallet.

  • Thank you very much. Much appreciated!

  • Really good one. Thanks

  • Nice one man!

  • Hello

    Should both groups be in the same MP? or two sealed MPs?

    Could it be because the All and Except Groups are customized? unsealed MPs?

    Thanks,

    Dom

  • <Discovery ID="UINameSpace4800d9bd07a84fefac35797e9f005312.Group.DiscoveryRule" Enabled="true" Target="UINameSpace4800d9bd07a84fefac35797e9f005312.Group" ConfirmDelivery="false" Remotable="true" Priority="Normal">
      <Category>Discovery</Category>
      <DiscoveryTypes>
        <DiscoveryRelationship TypeID="MicrosoftSystemCenterInstanceGroupLibrary6172210!Microsoft.SystemCenter.InstanceGroupContainsEntities" />
      </DiscoveryTypes>
      <DataSource ID="GroupPopulationDataSource" TypeID="SystemCenter!Microsoft.SystemCenter.GroupPopulator">
        <RuleId>$MPElement$</RuleId>
        <GroupInstanceId>$MPElement[Name="UINameSpace4800d9bd07a84fefac35797e9f005312.Group"]$</GroupInstanceId>
        <MembershipRules>
          <MembershipRule>
            <MonitoringClass>$MPElement[Name="MicrosoftWindowsLibrary6172210!Microsoft.Windows.Computer"]$</MonitoringClass>
            <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary6172210!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
            <Expression>
              <NotContained>
                <MonitoringClass>$MPElement[Name="UINameSpace4f6f1f5d9d2c4d6cb7d85260ff63cd8e.Group"]$</MonitoringClass>
              </NotContained>
            </Expression>
          </MembershipRule>
          <MembershipRule>
            <MonitoringClass>$MPElement[Name="MicrosoftUnixLibrary617000273!Microsoft.Unix.Computer"]$</MonitoringClass>
            <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary6172210!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
            <Expression>
              <NotContained>
                <MonitoringClass>$MPElement[Name="UINameSpace3fe7d86445434da2bfd2606b07c296c5.Group"]$</MonitoringClass>
              </NotContained>
            </Expression>
          </MembershipRule>
        </MembershipRules>
      </DataSource>
    </Discovery>

  • If I have multiple exclusions, how should I handle them?

    <Expression>
      <NotContained>
        <MonitoringClass>$MPElement[Name="UINameSpace3fe7d86445434da2bfd2606b07c296c5.Group"]$</MonitoringClass>
        <MonitoringClass>$MPElement[Name="UINameSpacec879c5e395434c858796f9c10de541dd.Group"]$</MonitoringClass>
      </NotContained>

    does not seem to work as the MP could not be imported anymore !!!

    Thanks,

    DOm

  • Hello,

    in progress... BUT!!! (:

    Apparently multiple expressions need to be entered each as a simple expression and linked by the AND and OR logical operators.

    <Expression>
      <And>
        <Expression>
          <NotContained>
            <MonitoringClass>$MPElement[Name="UINameSpace3fe7d86445434da2bfd2606b07c296c5.Group"]$</MonitoringClass>
          </NotContained>
        </Expression>
        <Expression>
          <NotContained>
            <MonitoringClass>$MPElement[Name="UINameSpacec879c5e395434c858796f9c10de541dd.Group"]$</MonitoringClass>
          </NotContained>
        </Expression>
      </And>
    </Expression>

    is accepted at the compilation and the import of the MP works ... but still no exclusion in the group!!!!

    Thanks,

    DOm

  • Hello,

    After 2 hours finally the exclusions are active ... why this long delay !!!!

    Thanks,

    Dom

  • Hello,

    Now trying to add a second group as excluded!!!

    Apparently the <And></And> do not compile .... the import is failing !!!

    Thanks,

    Dom

  • Hello,

    Recreating the group from scratch trying to use blogs.technet.com/.../how-to-create-a-group-of-objects-that-are-contained-by-some-other-group.aspx to have multiple exclusions replacing "CONTAINED" by <NOTCONTAINED> using the <AND></AND>...

    Thanks,

    DOm

  • Hello,

    Trying again to make the exclusions on Multiple Groups...

      <MembershipRules>
        <MembershipRule>
          <MonitoringClass>$MPElement[Name="MicrosoftWindowsLibrary6172210!Microsoft.Windows.Computer"]$</MonitoringClass>
          <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary6172210!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
          <Expression>
            <And>
              <Expression>
                <NotContained>
                  <MonitoringClass>$MPElement[Name="UINameSpacec879c5e395434c858796f9c10de541dd.Group"]$</MonitoringClass>
                </NotContained>
              </Expression>
              <Expression>
                <NotContained>
                  <MonitoringClass>$MPElement[Name="UINameSpace3fe7d86445434da2bfd2606b07c296c5.Group"]$</MonitoringClass>
                </NotContained>
              </Expression>
            </And>
          </Expression>
        </MembershipRule>
      </MembershipRules>
    </DataSource>

    Still nothing after 1 hour ...

    Waiting ...

    Thanks,

    Dom

  • Is this process any different than using the Excluded Objects feature from the Excluded Members tab? Also, this is still a group of computer objects only, so how would I, for example, trigger a notification via subscription for the "Health Service Heartbeat Failure" monitor in the "Health Service Watcher" target? I find that while that alert triggers and shows in the console, I can NOT get it to notify via subscription when the subscription's criteria uses "raised by any instance in a specific group" and that group holds only computer objects.

  • Import fails after modification of XML as suggested, on SCOM 2012. Getting the following error:

    Error 1:

    Found error in 1|CGCriticalOverrideGroup|1.0.0.0|UINameSpaced02104559e1b41928eb522990fc37ad9.Group.DiscoveryRule/GroupPopulationDataSource|| with message:

    The configuration specified for Module GroupPopulationDataSource is not valid.

    : Cannot find specified MPElement UINameSpacee83aa59e51884c9c9adf45bda79f5a2a.Group in expression: $MPElement[Name="UINameSpacee83aa59e51884c9c9adf45bda79f5a2a.Group"]$

    Cannot find ManagementPackElement [Type=ManagementPackElement, ID=UINameSpacee83aa59e51884c9c9adf45bda79f5a2a.Group] in management pack ManagementPack:[Name=CGCriticalOverrideGroup, KeyToken=, Version=1.0.0.0].

    -------------------------------------------------------

  • Ijaz's error will occur if the group you are trying to delete is a member of a parent group. Take it out of the parent group and you will not get the error.
