OpsMgr: How to create a group of all Windows Computers that are NOT a member of another group


This is a pretty common request, and I have been meaning to write up an example of this.

Suppose you have the following scenario:  You are monitoring 1000 Windows Server with OpsMgr.  In your management group, you have 100 servers that are Test/Dev machines, and you have 900 that are production.  You need a simple way to treat these servers differently, for overrides, and creating notifications or incidents, or even scoping your views.  You want to ensure that you don’t send critical pages, emails, or create incidents on these lab/test/dev machines.

The challenge is – our notifications, views, and overrides don’t have the ability to have an “exclude” function… to say “show me everything except alerts from these machines”

 

I will start by creating a group using the UI, for my Lab Computers group, based on OU.  This could be based on static membership, or anything else.

 

image

image

Verify that I have the right Lab Computer members in that group:

image

 

Now – we need to create a group – which contains ALL OTHER computers in SCOM, that are not part of the lab group:

 

image

 

The only criteria we will define here, is that this will contain all Windows Computers.  (We will restrict the membership later in XML)

 

image

 

Save the group and verify it contains ALL Windows Computers. 

Save and export the management pack to XML.

Edit the XML file using notepad or your XML editor of choice.

 

Find the discovery for your Production Server Group.  If you used the UI to create the group, these will have a “UINameSpace<GUID>” name… so you will have to ensure you are choosing the right one by verifying this in the DisplayStrings section of the XML.

Here is what my default group discovery criteria looked like, for all Windows Computers:

 

      <Discovery ID="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group.DiscoveryRule" Enabled="true" Target="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group" ConfirmDelivery="false" Remotable="true" Priority="Normal">
        <Category>Discovery</Category>
        <DiscoveryTypes>
          <DiscoveryRelationship TypeID="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities" />
        </DiscoveryTypes>
        <DataSource ID="GroupPopulationDataSource" TypeID="SystemCenter!Microsoft.SystemCenter.GroupPopulator">
          <RuleId>$MPElement$</RuleId>
          <GroupInstanceId>$MPElement[Name="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group"]$</GroupInstanceId>
          <MembershipRules>
            <MembershipRule>
              <MonitoringClass>$MPElement[Name="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]$</MonitoringClass>
              <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
            </MembershipRule>
          </MembershipRules>
        </DataSource>
      </Discovery>

Right now – the expression just basically states that if the object is a Windows Computer, it belongs in the group.

We need to add an expression, which basically states “All Windows Computers that are NOT CONTAINED in the Lab Servers Group”.  The part that handles this is the <MembershipRule> section.

Here is an example expression that will create this filter:

                 <Expression>
                    <NotContained>
                        <MonitoringClass>$MPElement[Name="UINameSpacebff9e11464de491f9620271507a2aeb8.Group"]$</MonitoringClass>
                    </NotContained>
                 </Expression>

The key in the above expression is the <NotContained> tag.   You can use <Contains>, <NotContains>, <Contained>, and <NotContained> for similar expressions.

 

Now – the group class ID above just happens to be the group class ID in my management pack (for Lab Servers).  You will need to change this to your own group class ID, which is defined in this management pack above, in the <ClassTypes> section.

The full XML for this discovery would look like so:

      <Discovery ID="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group.DiscoveryRule" Enabled="true" Target="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group" ConfirmDelivery="false" Remotable="true" Priority="Normal">
        <Category>Discovery</Category>
        <DiscoveryTypes>
          <DiscoveryRelationship TypeID="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities" />
        </DiscoveryTypes>
        <DataSource ID="GroupPopulationDataSource" TypeID="SystemCenter!Microsoft.SystemCenter.GroupPopulator">
          <RuleId>$MPElement$</RuleId>
          <GroupInstanceId>$MPElement[Name="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group"]$</GroupInstanceId>
          <MembershipRules>
            <MembershipRule>
              <MonitoringClass>$MPElement[Name="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]$</MonitoringClass>
              <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
                 <Expression>
                    <NotContained>
                        <MonitoringClass>$MPElement[Name="UINameSpacebff9e11464de491f9620271507a2aeb8.Group"]$</MonitoringClass>
                    </NotContained>
                 </Expression>
            </MembershipRule>
          </MembershipRules>
        </DataSource>
      </Discovery>

 

You can save this MP edit, then import your management pack.

You will now see that you have a group of all Windows Computers, except those that are members of the Lab Computers group:

 

Lab group:

image

Production group:

image

 

Since my lab group is dynamic based on OU, as servers are moved in or out of that OU, the Production group will also be dynamically updated.

 

I can now use my production group to scope and filter console views and user roles, filter notifications, and overrides.


Comments (26)

  1. Anonymous says:

    Ijaz's error will occur if the group you are trying to delete is a member of a parent group. Take it out of the parent group and you will not get the error.

  2. Thanks for the enlightenment.  Worth the money in my wallet.

  3. Eric Bonin says:

    hi there,
    while it might be an old post, I just wanted to comment that in the wizard creation the last step is “Excluded members”.

    So to re-take the steps from the example:
    -create first the group with the lab computers, the group name is “Lab computers”
    -create the group with the production server, with all servers, “production servers group”
    -on the last steps, Excluded members, in the first field “Search for:” look for the name of the group to exclude, so “Lab computers”
    – clic “Search” with the filter empty
    -the previously created group should appear in the available items list with it’s UINameSpace ID
    -add it to the selected objects and you are done.

    I am not a big fan of editing the XML when I can do otherwise 🙂 but if you check the xml created that was should match the one made manually.

    Regards,
    Eric

  4. StDenis says:

    Thank you very much. Very appreciate !

  5. Ram Prasad says:

    Reakky Good one . Thanks

  6. Scott Moss says:

    Nice one man!

  7. Dominique says:

    Hello

    Should both groups be in the same MP? or two sealed MPs?

    Could it be because the All and Except Groups are customized? unsealed MPs?

    Thnaks,

    Dom

  8. Dominique says:

         <Discovery ID="UINameSpace4800d9bd07a84fefac35797e9f005312.Group.DiscoveryRule" Enabled="true" Target="UINameSpace4800d9bd07a84fefac35797e9f005312.Group" ConfirmDelivery="false" Remotable="true" Priority="Normal">

           <Category>Discovery</Category>

           <DiscoveryTypes>

             <DiscoveryRelationship TypeID="MicrosoftSystemCenterInstanceGroupLibrary6172210!Microsoft.SystemCenter.InstanceGroupContainsEntities" />

           </DiscoveryTypes>

           <DataSource ID="GroupPopulationDataSource" TypeID="SystemCenter!Microsoft.SystemCenter.GroupPopulator">

             <RuleId>$MPElement$</RuleId>

             <GroupInstanceId>$MPElement[Name="UINameSpace4800d9bd07a84fefac35797e9f005312.Group"]$</GroupInstanceId>

             <MembershipRules>

               <MembershipRule>

                 <MonitoringClass>$MPElement[Name="MicrosoftWindowsLibrary6172210!Microsoft.Windows.Computer"]$</MonitoringClass>

                 <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary6172210!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>

    <Expression>

            <NotContained>

    <MonitoringClass>$MPElement[Name="UINameSpace4f6f1f5d9d2c4d6cb7d85260ff63cd8e.Group"]$</MonitoringClass>

            </NotContained>

    </Expression>

    </MembershipRule>

               <MembershipRule>

                 <MonitoringClass>$MPElement[Name="MicrosoftUnixLibrary617000273!Microsoft.Unix.Computer"]$</MonitoringClass>

                 <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary6172210!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>

    <Expression>

    <NotContained>

    <MonitoringClass>$MPElement[Name="UINameSpace3fe7d86445434da2bfd2606b07c296c5.Group"]$</MonitoringClass>

    </NotContained>

    </Expression>

    </MembershipRule>

             </MembershipRules>

           </DataSource>

         </Discovery>

  9. Dominique says:

    if I have multiple exclusion how should I handle them?

    <Expression>

                   <NotContained>

                     <MonitoringClass>$MPElement[Name="UINameSpace3fe7d86445434da2bfd2606b07c296c5.Group"]$</MonitoringClass>

                     <MonitoringClass>$MPElement[Name="UINameSpacec879c5e395434c858796f9c10de541dd.Group"]$</MonitoringClass>

                   </NotContained>

    does not seem to work as the MP could not be imported anymore !!!

    Thanks,

    DOm

  10. Dominique says:

    Hello,

    in progress… BUT!!! (:

    apparently Multiple expressions needs to be entered each of them as simple exp[ression and liked by the AND and OR logical operatos.

    <Expression>

          <And>

                 <Expression>

                <NotContained>

           <MonitoringClass>$MPElement[Name="UINameSpace3fe7d86445434da2bfd2606b07c296c5.Group"]$</MonitoringClass>

    </NotContained>

                 </Expression>

                 <Expression>

    <NotContained>

            <MonitoringClass>$MPElement[Name="UINameSpacec879c5e395434c858796f9c10de541dd.Group"]$</MonitoringClass>

    </NotContained>

                  </Expression>

             </And>

    </Expression>

    is accepted at the compilation and the import of the MP works … but still no exclusion in the group!!!!

    Thanks,

    DOm

  11. Dominique says:

    Hello,

    After 2 hours finally the exclusions are active … why this long delay !!!!

    Thnaks,

    Dom

  12. Dominique says:

    Hello,

    Now trying to add a second group as excluded!!!

    Apparently the <And></And> do not compile …. the import is failing !!!

    Thanks,

    Dom

  13. Dominique says:

    Hello,

    Recreating the group from scratch trying to use blogs.technet.com/…/how-to-create-a-group-of-objects-that-are-contained-by-some-other-group.aspx to have multiple exclusions replacing "CONTAINED" by <NOTCONTAINED> using the <AND></AND>…

    Thanks,

    DOm

  14. Dominique says:

    Hello,

    Trying again to make the exclusions on Multiple Groups…

    <MembershipRules>

               <MembershipRule>

                 <MonitoringClass>$MPElement[Name="MicrosoftWindowsLibrary6172210!Microsoft.Windows.Computer"]$</MonitoringClass>

                 <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary6172210!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>

                 <Expression>

    <And>

     <Expression>

        <NotContained>

             <MonitoringClass>$MPElement[Name="UINameSpacec879c5e395434c858796f9c10de541dd.Group"]$</MonitoringClass>

        </NotContained>

     </Expression>

     <Expression>

        <NotContained>

              <MonitoringClass>$MPElement[Name="UINameSpace3fe7d86445434da2bfd2606b07c296c5.Group"]$</MonitoringClass>

          </NotContained>

     </Expression>

    </And>

                 </Expression>

               </MembershipRule>

             </MembershipRules>

           </DataSource>

    Still nothing after 1 hour …

    Waiting …

    Thanks,

    Dom

  15. Robert says:

    Is this process any different that using the Excluded Objects feature from the Excluded Members tab ?  Also, this is still a group of computer objects only so how would I, for example, trigger a notification via subscription for the "Health Service Heartbeat Failure" monitor in the "Health Service Watcher" target ?  I find that while that alert triggers and shows in the console, I can NOT get it to notify via subscription when the subscription's criteria uses "raised by any instance in a specific group" and that group holds only computer objects.

  16. Ijaz Kazi says:

    Import fails after modification of xml as suggessted on SCOM 2012. Getting following error:

    Error 1:

    Found error in 1|CGCriticalOverrideGroup|1.0.0.0|UINameSpaced02104559e1b41928eb522990fc37ad9.Group.DiscoveryRule/GroupPopulationDataSource|| with message:

    The configuration specified for Module GroupPopulationDataSource is not valid.

    : Cannot find specified MPElement UINameSpacee83aa59e51884c9c9adf45bda79f5a2a.Group in expression: $MPElement[Name="UINameSpacee83aa59e51884c9c9adf45bda79f5a2a.Group"]$

    Cannot find ManagementPackElement [Type=ManagementPackElement, ID=UINameSpacee83aa59e51884c9c9adf45bda79f5a2a.Group] in management pack ManagementPack:[Name=CGCriticalOverrideGroup, KeyToken=, Version=1.0.0.0].

    ——————————————————-

  17. new2scom says:

    Hi Kevin, geat post.  Just a query – can this dynamic membership model based on AD OU's be used in conjuction with your post on the SQL MP RunAs accounts configuration.  I'm looking at Scenario 5 which is the more complex version where we have a mix of Internally maintained SQL and 3rd Party maintained.  Our SQL dba is primaritly interested in the internal ones (which are in a specific OU) and therefor I was going to base a Runas account around that group membership and then possibly configure a secont SQL RunAs for the 3rd party manged SQL which will likely have different SQL security/hardening aplied.  So If I can target a group which is based on OU menbership this will be very useful.  Anh advice much appreciated…Cheers…

  18. new2scom says:

    From above forgot to add – if it IS possible, then does the distribution still need to be manually refreshed (and associated profiles) as the OU membership will be chnaging over time as new SQL servers come in and old are decommissioned?…

  19. Dan Sheehan says:

    I am struggling with how to implement this in our enviornment and am hoping you can help.

    My team uses a shared SCOM enviornment where we have two servers groups, stored in the same custom management pack, that are used for different alerting purposes. One group is for 7×24 alerting where we want to get paged at all hours of the night for those servers, and the other group is for non-7×24 alerting where we only want alerts during certain times of the day. The caveat is that we only want specific servers in our 7×24 group and are trying to use a combination of dynamic membership AND computers not in the non-7×24 group.

    Here is our syntax:

             <MembershipRules>

               <MembershipRule>

                 <MonitoringClass>$MPElement[Name="A304a3f11ff204a26baf2d8c642711598!System.Entity"]$</MonitoringClass>

                 <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>

                 <Expression>

                   <And>

                     <Expression>

                       <NotContained>

                         <MonitoringClass>$MPElement[Name="UINameSpace090f65ab906f41188efc4d71f59ac31c.Group"]$</MonitoringClass>

                       </NotContained>

                     </Expression>

                     <Expression>

                       <Or>

                         <Expression>

                           <RegExExpression>

                             <ValueExpression>

                               <Property>$MPElement[Name="A304a3f11ff204a26baf2d8c642711598!System.Entity"]/DisplayName$</Property>

                             </ValueExpression>

                             <Operator>ContainsSubstring</Operator>

                             <Pattern>SRVSITE1</Pattern>

                           </RegExExpression>

                         </Expression>

                         <Expression>

                           <RegExExpression>

                             <ValueExpression>

                               <Property>$MPElement[Name="A304a3f11ff204a26baf2d8c642711598!System.Entity"]/DisplayName$</Property>

                             </ValueExpression>

                             <Operator>ContainsSubstring</Operator>

                             <Pattern>SRVSITE9</Pattern>

                           </RegExExpression>

                         </Expression>

                       </Or>

                     </Expression>

                   </And>

                 </Expression>

               </MembershipRule>

             </MembershipRules>

  20. Dan Sheehan says:

    The names above have been genercised to show that we only want certain servers in the 7×24 group, even if they are not in the non-7×24 group, and not all servers in our enviornment. I thought the syntax of "not in the group" AND "any one of these OR conditions" would work but even after an hour+ the 7×24 group shows 0 members. When I reimport the old management pack it goes back to showing all of the servers the way it did previously.

    I think either you can't do what I am trying to do, I shouldn't be storing both groups in the same management pack, or I am not using the syntax correctly. Can you please let me know what you think we should to get this working?

  21. Scott Babcock says:

    In response to Dan above. You should have both groups in the same management pack for this to work. When using a group for exclusion (non 7×24) you must make sure that you are using the OR group instead of the AND group function. Looking at your management
    pack XML that you posted it seems that the NotContained expression is in the wrong spot. I put together a full write up on using 7×24 and non 7×24 to

    exclude a group of objects from another group of objects

  22. Anonymous says:

    Pingback from Microsoft Exchange Server 2013 discovery. « JAMA00

  23. Zach says:

    Hi Kevin, I know this is an old post, but I was able to successfully implement this. I want to add another group to the “NotContained” but keep getting failures when adding another UIName. Do you have any tips for me to add another UIName?

    Thanks

  24. Philip says:

    @Eric Bonin – I was struggling to exclude with XML mod and had no issues doing via the GUI option you highlighted. Thanks!

  25. John H Moe says:

    I struggled with the XML for a multi-group exclude; I tried both "and" and "or" exclusion groups, and I was still getting the entire server list, not the filtered list I was expecting. Finally I read through the comments to see if there was anything useful,
    and found Eric Bonin’s comment above. Using the GUI as he described, I got it working instantly. If this is a new feature (this post was originally written in 2012), perhaps a note to this effect could be edited into the top of the blog post so future visitors
    don’t go through the same pain?

  26. khalid khan says:

    Hi
    i have an issue i newly installed SCOM 2012 .when i am checking default group for Servers “Windows servers computer group ” its members also contains windows 7 PC’S.

Skip to main content