[Casper] Computer group from AD
Miles Leacy
miles.leacy at themacadmin.com
Fri Jan 9 12:50:13 PST 2009
I'm a big fan of smart groups based on dummy receipts.
To break it down (as I would do it, at least):
Run the initial policy on all machines (once per day, limited to off-hours
if there would be any performance concerns). This policy does:
- run script that checks AD groups.
- if desired group is found, issue a custom trigger of "receipt exists".
- if desired group is not found, issue a custom trigger of "receipt does not
exist".
The "receipt exists" custom trigger policy does:
- Install the dummy package
The "receipt does not exist" custom trigger policy does:
- delete the dummy package's receipt
Smart group is scoped to the existence of the dummy receipt.
You can now scope to your smart group knowing that it consists of all
members of your target AD group, with up to a 24-hour lag behind changes in
group membership. If 24 hours is too big of a window, you could set it to
every15 (or 30 or whatever your periodic trigger is) and execution frequency
of "ongoing". This is pretty lightweight, so I don't think there's any
cause for performance concerns.
----------
Miles A. Leacy IV
Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
On Fri, Jan 9, 2009 at 3:22 PM, Ryan Harter <rharter at uwsp.edu> wrote:
> This sounds like a good workaround. I have emailed JAMF about this too,
> but haven't heard anything. I'm sure they're all off at MacWorld:)
> I was hoping for a solution that I could make a computer group with so that
> I could only run it on the computers that need it and not on every computer
> just for the 20% that actually need the client.
>
> There is also talk of "leasing" CS3 licenses to departments on campus, in
> which case I would like to have self service only advertise the install on
> the computers that are in the CS3Licensed AD group. I may do this by having
> us add the users to a group as well and scope it that way temporarily, but
> the ultimate goal is to have it available for department machines, not
> users.
>
> I was thinking of some sort of logic like:
>
> 1. run a policy that will check dscl for the group memberships of the
> computer.
> 2. install a dummy package.
> 3. base a smart group on the receipt of the dummy package.
> 4. scope the policies to the smart group
>
> That way, I can not only run the policy just for the group, but also keep a
> record of who's in it. It's not a very elegant solution, but it may have to
> do.
> Ryan Harter
> UW - Stevens Point
> Workstation Developer
> 715.346.2716
> Ryan.Harter at uwsp.edu
>
> On Jan 9, 2009, at 1:35 PM, Miles Leacy wrote:
>
> "Bound to a directory" and "Member of a group" are different concepts.
> I would also like the ability to recognize computer accounts and computer
> groups.
>
> You could work around the current situation with a script using logic like
> so:
>
> 1. Query LDAP (AD) for the groups "my computer" ($2, assuming your machine
> names are the same as your AD names) belongs to.
> 2. grep the output for the group you want to key on.
> 3. call a custom trigger
>
> The ability for Casper to recognize computer accounts & groups would be
> better than this, but this can give you the same net effect as scoping a
> policy to an AD group. This also assumes you have the ability to perform
> LDAP lookups in AD. If your JSS is taking advantage of LDAP, then you could
> use the same account to perform the lookup in the script.
>
> ----------
> Miles A. Leacy IV
>
> Certified System Administrator 10.4
> Certified Technical Coordinator 10.5
> Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com
>
> 2009/1/9 Nichols, Jared <jared.nichols at ll.mit.edu>
>
>> Wouldn't you just create a smart computer group that goes off of the
>> Active Directory Status attribute? You could either make it "Active
>> Directory Status" is <<name of AD>> (if you have more than one and you want
>> to specify which) or you could make "Active Directory Status" is not "Not
>> Bound". It's a double negative, but that would return any machine bound to
>> an AD, no matter what the AD is called.
>>
>> See Attachment.
>>
>> Maybe I don't understand completely your question?
>>
>> j
>>
>>
>> On 1/9/09 12:57, "Ernst, Craig S." <ERNSTCS at uwec.edu> wrote:
>>
>> Don't believe the JSS works with computer accounts in AD.
>>
>> Craig E
>>
>>
>> On 1/9/09 11:56 AM, "Ryan Harter" <rharter at uwsp.edu> wrote:
>>
>> Hey Guys-
>>
>> Has anyone created a smart group that would take members based on whether the
>> computer is a member of an AD group?
>>
>> Essentially what I'm trying to do is scope a policy to a group of
>> computers in AD, like you can with the User scope, but it doesn't seem to
>> work with computers.
>>
>> When users register for our disaster recovery system, their computer is
>> added to a group in AD, and I would like to install the backup client on
>> their machine based on whether or not they are in this group. Any ideas?
>>
>> Ryan Harter
>> UW - Stevens Point
>> Workstation Developer
>> 715.346.2716
>> Ryan.Harter at uwsp.edu
>>
>> --
>> Jared Nichols
>> ISD Infrastructure and Operations – Desktop Engineering
>> MIT Lincoln Laboratory
>> 244 Wood St.
>> Lexington, MA 02420-9108
>> (781) 981-5500
>>
>> _______________________________________________
>> Casper mailing list
>> Casper at list.jamfsoftware.com
>> http://list.jamfsoftware.com/mailman/listinfo/casper
>>
>>
>
>
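The script that Miles and Ryan sketch above (look up the computer account's AD groups, then fire a custom trigger or maintain a dummy receipt) is not spelled out anywhere in the thread, so here is an added example written for this page rather than code from any of the posters or from JAMF. It assumes: the Mac has OpenLDAP's `ldapsearch`; a read-only lookup account whose password lives in a root-only file (the same account the JSS uses for LDAP, as Miles suggests, should be read-only for exactly this reason); JAMF's receipt directory is `/Library/Application Support/JAMF/Receipts` (assumed); and the custom trigger names `receiptexists` / `receiptdoesnotexist` (invented for the example). The host, base DN, bind DN and the `DR-Backup` group in the sample LDIF are constructed placeholders; `CS3Licensed` is the group named in the thread. Two details a practitioner would want that the thread does not mention: the computer name is sanitized before it goes into the LDAP filter so a hostname cannot alter the query, and the `memberOf` LDIF is unfolded first because `ldapsearch` wraps long DNs onto continuation lines, which would otherwise make a plain `grep` miss groups. Note also that the receipt is just a file root can write on the client, so this scheme is a scoping convenience for policies, not an authorization boundary.

```shell
#!/bin/sh
# Added example (not from the thread): check whether this Mac's AD computer
# account is in a target group, keep a dummy receipt in step with the answer,
# and call the matching Casper custom trigger. Marked values are assumptions.

TARGET_GROUP="${TARGET_GROUP:-CS3Licensed}"                                  # group from the thread
RECEIPT_DIR="${RECEIPT_DIR:-/Library/Application Support/JAMF/Receipts}"    # assumed JAMF receipt path
RECEIPT_NAME="${RECEIPT_NAME:-ADGroup-${TARGET_GROUP}.pkg}"                  # constructed receipt name
LDAP_HOST="${LDAP_HOST:-dc.example.com}"                                     # placeholder
LDAP_BASE="${LDAP_BASE:-DC=example,DC=com}"                                  # placeholder
LDAP_BIND="${LDAP_BIND:-CN=jss-lookup,OU=Service,DC=example,DC=com}"        # placeholder read-only account
LDAP_PW_FILE="${LDAP_PW_FILE:-/var/root/.jss-lookup.pw}"                     # root-only (mode 0600) file

# Constructed LDIF as ldapsearch would print it, including one folded line
# (a continuation line starting with a space) for the DR-Backup group.
SAMPLE_LDIF='dn: CN=LAB-MAC-07,OU=Macs,DC=example,DC=com
memberOf: CN=CS3Licensed,OU=Groups,DC=example,DC=com
memberOf: CN=DR-Back
 up,OU=Groups,DC=example,DC=com
memberOf: CN=Domain Computers,CN=Users,DC=example,DC=com'

# AD computer accounts are "<NetBIOS name>$". Keep only the short name, upper-
# cased, and only characters that cannot change the meaning of an LDAP filter.
computer_account_name() {
    fqdn="$1"
    short="$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]' | tr -cd 'A-Z0-9-')"
    printf '%s$' "$short"
}

# Return 0 if any memberOf value in the LDIF names the group (matched on the
# CN component only). Folded lines are joined first; base64 ("memberOf::")
# values, which appear for non-ASCII DNs, are not handled here.
ldif_has_group() {
    ldif="$1"
    group="$2"
    printf '%s\n' "$ldif" \
        | sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' \
        | grep -iq "^memberOf: CN=${group},"
}

# Live lookup of this Mac's computer object (not run offline). The password
# is read from a file so it never appears in the process list.
query_computer_memberof() {
    acct="$(computer_account_name "$(hostname)")"
    ldapsearch -LLL -x -H "ldap://${LDAP_HOST}" -D "$LDAP_BIND" -y "$LDAP_PW_FILE" \
        -b "$LDAP_BASE" "(&(objectClass=computer)(sAMAccountName=${acct}))" memberOf
}

# Create or remove the dummy receipt the smart group keys on.
# Prints "present" or "absent" so the caller (and the test) can check it.
reconcile_receipt() {
    if [ "$1" = "yes" ]; then
        mkdir -p "$RECEIPT_DIR"
        : > "$RECEIPT_DIR/$RECEIPT_NAME"
        echo present
    else
        rm -f "$RECEIPT_DIR/$RECEIPT_NAME"
        echo absent
    fi
}

# Full run on a managed Mac: look up, reconcile, then fire the custom trigger
# (assumed trigger names; "jamf policy -trigger" as in Casper of that era).
main() {
    if ldif_has_group "$(query_computer_memberof)" "$TARGET_GROUP"; then
        reconcile_receipt yes
        jamf policy -trigger receiptexists
    else
        reconcile_receipt no
        jamf policy -trigger receiptdoesnotexist
    fi
}

# Only do the live lookup when invoked as: sh adgroup-receipt.sh run
case "${1:-}" in run) main ;; esac
```

Run it from the daily (or `every15`) policy with the `run` argument; the smart group then keys on the `ADGroup-CS3Licensed.pkg` receipt. Since the script recomputes the receipt on every run, a machine removed from the AD group drops out of the smart group on the next pass, which is the lag Miles describes.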