[Casper] Computer group from AD
Ryan Harter
rharter at uwsp.edu
Fri Jan 9 12:58:02 PST 2009
Ideally I would like to create a smart group based on AD group
membership. The reason for this is that this is a cross platform
venture. For the backup system I was talking about, users register
themselves at a web page that then adds them to a Bacula group in AD.
On the PC side group policy will then install the client on their
system because they have been added to that group. As it stands on
the mac side when someone registers for the service we have to
manually install the client.
As for the CS3 installs, when their department "leases" a license
their computers will just be added to an AD group (presumably
automated by a website, hasn't been implemented yet) and the PC guys
will use that group membership to advertise the install with SCCM. I
would like the Mac side to be just as automated, once the website puts
their computer in the AD group, the install will be advertised.
I think for the Bacula client install, the best solution would be to
have a smart group based on the AD group, and then a run once per
computer policy to install the client. For CS3, a self service
install scoped to a smart group based on the AD group, which you can
already do with users, but with computers, so that when the computer
is added, the install will be advertised.
Before Casper we used AD group membership extensively to define which
scripts were run, and what maintenance tasks were performed. The
groups help us determine whether machines are labs, faculty, which
particular faculty, and anything special about each (i.e. registered
for backups).
Our network isn't segmented well enough to use segments (we have a lab
and facstaff vlan for each building and that is all).
The major goal of this is to automate all of these processes. We all
know that Mac admins have a lot to do and adding every individual user
who decides to sign up for something is not high on my list:)
What would also be cool is a documented way to tie into the JSS with a
web page (perhaps PHP) so that I could make a web page where people
could sign up for something, get all the information I need and send
some pieces to the JSS and some to other systems. Perhaps there's a
way to do this. I hadn't thought of it before but boy does that sound
cool.
Thanks for all the input. I really think mailing lists are a great
way of narrowing down the best way to do something based on what other
people have done.
Thanks again.
Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
On Jan 9, 2009, at 2:28 PM, Ernst, Craig S. wrote:
> So you don’t want to use the tools for Groups or Smart Groups in
> the JSS? Or do you have options to limit based on network segments?
> If you know the machines that need it...create a group in the JSS
> and assign accordingly. I’m not sure how you name machines, or
> assign them in terms of department and what not in the JSS, but
> that’s why those options are there.
>
> I’m not really sure why the desire to use AD...
>
> I only ask because we don’t use AD on the Macs for anything but
> authentication, thus all of our Macs are in a single container in
> AD. What do you use the groups in AD for Macs for?
>
> And to be clear...I’m not saying what you're trying to do is wrong or
> unnecessary...I just am trying to better understand what you are
> trying to do and perhaps learn something.
>
> Craig E
>
>
> On 1/9/09 2:22 PM, "Ryan Harter" <rharter at uwsp.edu> wrote:
>
> This sounds like a good workaround. I have emailed JAMF about this
> too, but haven't heard anything. I'm sure they're all off at
> MacWorld:)
>
> I was hoping for a solution that I could make a computer group with
> so that I could only run it on the computers that need it and not on
> every computer just for the 20% that actually need the client.
>
> There is also talk of "leasing" CS3 licenses to departments on
> campus, in which case I would like to have self service only
> advertise the install on the computers that are in the CS3Licensed
> AD group. I may do this by having us add the users to a group as
> well and scope it that way temporarily, but the ultimate goal is to
> have it available for department machines, not users.
>
> I was thinking of some sort of logic like:
>
> 1. run a policy that will check dscl for the group memberships of
> the computer.
> 2. install a dummy package.
> 3. base a smart group on the receipt of the dummy package.
> 4. scope the policies to the smart group
>
> That way, I can not only run the policy just for the group, but also
> keep a record of who's in it. It's not a very elegant solution, but
> it may have to do.
>
>
> Ryan Harter
> UW - Stevens Point
> Workstation Developer
> 715.346.2716
> Ryan.Harter at uwsp.edu
>
>
> On Jan 9, 2009, at 1:35 PM, Miles Leacy wrote:
>
> "Bound to a directory" and "Member of a group" are different concepts.
>
> I would also like the ability to recognize computer accounts and
> computer groups.
>
> You could work around the current situation with a script using
> logic like so:
>
>
> 1. Query LDAP (AD) for the groups "my computer" ($2, assuming your
> machine names are the same as your AD names) belongs to.
> 2. grep the output for the group you want to key on.
> 3. call a custom trigger
>
> The ability for Casper to recognize computer accounts & groups would
> be better than this, but this can give you the same net effect as
> scoping a policy to an AD group. This also assumes you have the
> ability to perform LDAP lookups in AD. If your JSS is taking
> advantage of LDAP, then you could use the same account to perform
> the lookup in the script.
>
> ----------
> Miles A. Leacy IV
>
> Certified System Administrator 10.4
> Certified Technical Coordinator 10.5
> Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com
>
> 2009/1/9 Nichols, Jared <jared.nichols at ll.mit.edu>
>
> Wouldn't you just create a smart computer group that goes off of
> the Active Directory Status attribute? You could either make it
> "Active Directory Status" is <<name of AD>> (if you have more than
> one and you want to specify which) or you could make "Active
> Directory Status" is not "Not Bound" It's a double negative, but
> that would return any machine bound to an AD, no matter what the AD
> is called.
>
> See Attachment.
>
> Maybe I don't understand completely your question?
>
> j
>
>
> On 1/9/09 12:57 , "Ernst, Craig S." <ERNSTCS at uwec.edu> wrote:
>
>
> Don't believe the JSS works with computer accounts in AD.
>
> Craig E
>
>
> On 1/9/09 11:56 AM, "Ryan Harter" <rharter at uwsp.edu> wrote:
>
>
> Hey Guys-
>
> Has anyone created a smart group that would take members based on
> if the computer is a member of an AD group.
>
> Essentially what I'm trying to do is scope a policy to a group of
> computers in AD, like you can with the User scope, but it doesn't
> seem to work with computers.
>
> When users register for our disaster recovery system, their
> computer is added to a group in AD, and I would like to install the
> backup client on their machine based on whether or not they are in
> this group. Any ideas?
>
>
> Ryan Harter
> UW - Stevens Point
> Workstation Developer
> 715.346.2716
> Ryan.Harter at uwsp.edu
>
> --
> Jared Nichols
> ISD Infrastructure and Operations – Desktop Engineering
> MIT Lincoln Laboratory
> 244 Wood St.
> Lexington, MA 02420-9108
> (781) 981-5500
>
>
> _______________________________________________
> Casper mailing list
> Casper at list.jamfsoftware.com
> http://list.jamfsoftware.com/mailman/listinfo/casper
>
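The workaround Miles Leacy outlines above (look up the computer's AD groups, match the group you care about, fire a custom trigger), worked through as an added example that is not code from this thread or from JAMF. The LDAP host, base DN, bind account, password file and trigger name are assumptions, the LDIF is constructed, and the match is anchored on the full `CN=<group>,` prefix so that a plain grep for "Bacula" cannot be satisfied by an unrelated group such as "BaculaAdmins".

```shell
#!/bin/sh
# Added example, not from the thread: Casper-style script implementing the
# "query AD for the computer's groups, then call a custom trigger" workaround.
# Assumptions (hypothetical, adjust to your environment): the Mac's hostname
# matches its AD computer account, ldapsearch is available, and the bind
# account is a read-only lookup account (e.g. the one the JSS uses for LDAP).
# Casper passes the computer name to scripts as $2.

LDAP_HOST="dc1.example.edu"                          # assumption
BASE_DN="DC=example,DC=edu"                          # assumption
BIND_DN="CN=jss-ldap,OU=Service,DC=example,DC=edu"   # assumption: read-only
BIND_PW_FILE="/private/var/root/.ldap_pw"            # assumption: root-only

# Return 0 if the LDIF on stdin lists the computer as a member of $1.
# Anchoring on "CN=<group>," avoids substring matches such as
# "Bacula" matching "BaculaAdmins".
in_ad_group() {
    group_cn="$1"
    grep -i "^memberOf: CN=${group_cn}," >/dev/null
}

# Query AD for the computer account's memberOf attribute (LDIF on stdout).
# AD computer accounts have sAMAccountName "<name>$".
lookup_computer_groups() {
    computer="$1"
    ldapsearch -x -LLL -H "ldap://${LDAP_HOST}" -D "${BIND_DN}" \
        -y "${BIND_PW_FILE}" -b "${BASE_DN}" \
        "(&(objectClass=computer)(sAMAccountName=${computer}\$))" memberOf
}

# Constructed sample of what the lookup returns, used for offline checking.
SAMPLE_LDIF='dn: CN=LAB-MAC-01,OU=Macs,DC=example,DC=edu
memberOf: CN=BaculaAdmins,OU=Groups,DC=example,DC=edu
memberOf: CN=Bacula,OU=Groups,DC=example,DC=edu
memberOf: CN=CS3Licensed,OU=Groups,DC=example,DC=edu'

# Check the constructed sample for a group; prints yes or no.
check_sample() {
    if printf '%s\n' "$SAMPLE_LDIF" | in_ad_group "$1"; then echo yes; else echo no; fi
}

# Live use from a Casper policy (trigger name is an assumption):
#   lookup_computer_groups "$2" | in_ad_group Bacula && jamf policy -trigger installBacula
```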