Menu Close

OpsMgr: How to create a group of all Windows Computers that are NOT a member of another group

This is a pretty common request, and I have been meaning to write up an example of this.

Suppose you have the following scenario:  You are monitoring 1000 Windows Server with OpsMgr.  In your management group, you have 100 servers that are Test/Dev machines, and you have 900 that are production.  You need a simple way to treat these servers differently, for overrides, and creating notifications or incidents, or even scoping your views.  You want to ensure that you don’t send critical pages, emails, or create incidents on these lab/test/dev machines.

The challenge is – our notifications, views, and overrides don’t have the ability to have an “exclude” function… to say “show me everything except alerts from these machines”

 

I will start by creating a group using the UI, for my Lab Computers group, based on OU.  This could be based on static membership, or anything else.

 

image

image

Verify that I have the right Lab Computer members in that group:

image

 

Now – we need to create a group – which contains ALL OTHER computers in SCOM, that are not part of the lab group:

 

image

 

The only criteria we will define here, is that this will contain all Windows Computers.  (We will restrict the membership later in XML)

 

image

 

Save the group and verify it contains ALL Windows Computers.

Save and export the management pack to XML.

Edit the XML file using notepad or your XML editor of choice.

 

Find the discovery for your Production Server Group.  If you used the UI to create the group, these will have a “UINameSpace<GUID>” name… so you will have to ensure you are choosing the right one by verifying this in the DisplayStrings section of the XML.

Here is what my default group discovery criteria looked like, for all Windows Computers:

 

      <Discovery ID="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group.DiscoveryRule" Enabled="true" Target="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group" ConfirmDelivery="false" Remotable="true" Priority="Normal">
        <Category>Discovery</Category>
        <DiscoveryTypes>
          <DiscoveryRelationship TypeID="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities" />
        </DiscoveryTypes>
        <DataSource ID="GroupPopulationDataSource" TypeID="SystemCenter!Microsoft.SystemCenter.GroupPopulator">
          <RuleId>$MPElement$</RuleId>
          <GroupInstanceId>$MPElement[Name="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group"]$</GroupInstanceId>
          <MembershipRules>
            <MembershipRule>
              <MonitoringClass>$MPElement[Name="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]$</MonitoringClass>
              <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
            </MembershipRule>
          </MembershipRules>
        </DataSource>
      </Discovery>

Right now – the expression just basically states that if the object is a Windows Computer, it belongs in the group.

We need to add an expression, which basically states “All Windows Computers that are NOT CONTAINED in the Lab Servers Group”.  The part that handles this is the <MembershipRule> section.

Here is an example expression that will create this filter:

                 <Expression>
                    <NotContained>
                        <MonitoringClass>$MPElement[Name="UINameSpacebff9e11464de491f9620271507a2aeb8.Group"]$</MonitoringClass>
                    </NotContained>
                 </Expression>

The key in the above expression is the <NotContained> tag.   You can use <Contains>, <NotContains>, <Contained>, and <NotContained> for similar expressions.

 

Now – the group class ID above just happens to be the group class ID in my management pack (for Lab Servers).  You will need to change this to your own group class ID, which is defined in this management pack above, in the <ClassTypes> section.

The full XML for this discovery would look like so:

      <Discovery ID="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group.DiscoveryRule" Enabled="true" Target="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group" ConfirmDelivery="false" Remotable="true" Priority="Normal">
        <Category>Discovery</Category>
        <DiscoveryTypes>
          <DiscoveryRelationship TypeID="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities" />
        </DiscoveryTypes>
        <DataSource ID="GroupPopulationDataSource" TypeID="SystemCenter!Microsoft.SystemCenter.GroupPopulator">
          <RuleId>$MPElement$</RuleId>
          <GroupInstanceId>$MPElement[Name="UINameSpace1235cf5e76c84e458035a1c4ef8d73aa.Group"]$</GroupInstanceId>
          <MembershipRules>
            <MembershipRule>
              <MonitoringClass>$MPElement[Name="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]$</MonitoringClass>
              <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
                 <Expression>
                    <NotContained>
                        <MonitoringClass>$MPElement[Name="UINameSpacebff9e11464de491f9620271507a2aeb8.Group"]$</MonitoringClass>
                    </NotContained>
                 </Expression>
            </MembershipRule>
          </MembershipRules>
        </DataSource>
      </Discovery>

 

You can save this MP edit, then import your management pack.

You will now see that you have a group of all Windows Computers, except those that are members of the Lab Computers group:

 

Lab group:

image

Production group:

image

 

Since my lab group is dynamic based on OU, as servers are moved in or out of that OU, the Production group will also be dynamically updated.

 

I can now use my production group to scope and filter console views and user roles, filter notifications, and overrides.

Leave a Reply

Your email address will not be published. Required fields are marked *