MEMBER_OF Configuration Group Operator


The information in this article applies to:


  • Prism Suite
  • Policy Commander  


The MEMBER _OF operator for SmartUpdate™ configuration groups can be used to automatically group computers that are members of a particular security group in Active Directory.



When using the MEMBER_OF operator in a configuration group, the left-hand side of the ruleset is the name of a computer or user, and the right-hand side is the name of the security group.  Computers polling the Prism Channel will automatically join the MEMBER_OF group if the computer (or logged-in user) is a member of the security group.  Polling computers that are not members of the security group will not join the configuration group.


There are two supported syntaxes for user or computer names: canonical and domain.


1) Canonical

This is the Active Directory representation given by Prism’s existing ComputerADName and UserADName variables. For example, to use canonical syntax to find the computers where Active Directory schema admins are logged in, you would create a ruleset with this syntax:


UserADName MEMBER_OF “MyCompany.local/Users/Schema Admins”


The left-hand side of the ruleset can also be a computer in cases where that would be applicable. Here’s an example of that syntax:


          ComputerADName MEMBER_OF "MyCompany.local/Computers/Sales Computers"


2) Domain

Domain syntax can be used in NT, Active Directory or mixed environments, and the left-hand side is always a user and never a computer.  Prism’s DomainUserName variable is used in the left-hand side of the ruleset.  DomainUserName combines the current domain with the current user.  When a domain user is logged in, the value resolves to “domain\user.”  When a local user is logged in it resolves to simply “user.”  When the local user is one of the predefined accounts, it resolves to “BUILTIN\user,” with “BUILTIN\SYSTEM” being the account when the client is running unattended.


To find the computers where schema admins are logged in, you would use this syntax:

DomainUserName MEMBER_OF “MyDomain\Schema Admins” –or-

DomainUserName MEMBER_OF “Schema Admins@MyDomain”


To find computers where local admins are logged in, you would use the following syntax. (Remember, the Domain Administrators group is a member of the local Administrators group):

DomainUserName MEMBER_OF “Administrators”




  • The MEMBER_OF operator does not see "domain local" groups when using the DomainUserName variable in the left-hand side of the ruleset. It only sees the groups marked "global" or "universal."  You can work around this by using either UserADName or ComputerADName.
  • You can't mix and match the syntax.  Both the left- and right-hand sides must both use either canonical or domain syntax.
  • If there is a syntax error in the ruleset, computers will not join the group.
  • The new operator is for the purpose of helping to determine group membership, not organizational unit (OU) membership.  You can use the existing "MATCHES" clause to figure out whether a computer or user or belongs to a particular OU or not.