[Casper] Computer group from AD

Ryan Harter rharter at uwsp.edu
Fri Jan 9 14:27:42 PST 2009


From Jamf:

> What you will want to do is log on to the JSS, go to Admin, and add  
> the LDAP server again, only scope it to computers rather than  
> Users.  That should give you the ability to scope to the AD groups.


That seems to work for getting computer and group records, but I  
haven't found yet how to scope a policy to that group, the JSS just  
seems to return Casper groups.  I'll let you know when I find this out.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu

On Jan 9, 2009, at 2:50 PM, Miles Leacy wrote:

> I'm a big fan of smart groups based on dummy receipts.
>
> To break it down (as I would do it, at least):
>
> Run the initial policy on all machines (once per day, limited to off-hours  
> if there would be any performance concerns).  This policy does:
> - run script that checks AD groups.
> - if desired group is found, issue a custom trigger of "receipt  
> exists".
> - if desired group is not found, issue a custom trigger of "receipt  
> does not exist".
>
> The "receipt exists" custom trigger policy does:
> - Install the dummy package
>
> The "receipt does not exist" custom trigger policy does:
> - delete the dummy package's receipt
>
> Smart group is scoped to the existence of the dummy receipt.
>
> You can now scope to your smart group knowing that it consists of  
> all members of your target AD group, with up to a 24-hour lag behind  
> changes in group membership.  If 24 hours is too big of a window,  
> you could set it to every 15 (or 30 or whatever your periodic trigger  
> is) and execution frequency of "ongoing".  This is pretty  
> lightweight, so I don't think there's any cause for performance  
> concerns.
>
> ----------
> Miles A. Leacy IV
>
>  Certified System Administrator 10.4
>  Certified Technical Coordinator 10.5
>  Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com
>
> On Fri, Jan 9, 2009 at 3:22 PM, Ryan Harter <rharter at uwsp.edu> wrote:
> This sounds like a good workaround.  I have emailed JAMF about this  
> too, but haven't heard anything.  I'm sure they're all off at  
> MacWorld:)
>
> I was hoping for a solution that I could make a computer group with  
> so that I could only run it on the computers that need it and not on  
> every computer just for the 20% that actually need the client.
>
> There is also talk of "leasing" CS3 licenses to departments on  
> campus, in which case I would like to have self service only  
> advertise the install on the computers that are in the CS3Licensed  
> AD group.  I may do this by having us add the users to a group as  
> well and scope it that way temporarily, but the ultimate goal is to  
> have it available for department machines, not users.
>
> I was thinking of some sort of logic like:
>
> 1. run a policy that will check dscl for the group memberships of  
> the computer.
> 2. install a dummy package.
> 3. base a smart group on the receipt of the dummy package.
> 4. scope the policies to the smart group
>
> That way, I can not only run the policy just for the group, but also  
> keep a record of who's in it.  It's not a very elegant solution, but  
> it may have to do.
>
> Ryan Harter
> UW - Stevens Point
> Workstation Developer
> 715.346.2716
> Ryan.Harter at uwsp.edu
>
> On Jan 9, 2009, at 1:35 PM, Miles Leacy wrote:
>
>> "Bound to a directory" and "Member of a group" are different  
>> concepts.
>>
>> I would also like the ability to recognize computer accounts and  
>> computer groups.
>>
>> You could work around the current situation with a script using  
>> logic like so:
>>
>> 1. Query LDAP (AD) for the groups "my computer" ($2, assuming your  
>> machine names are the same as your AD names) belongs to.
>> 2. grep the output for the group you want to key on.
>> 3. call a custom trigger
>>
>> The ability for Casper to recognize computer accounts & groups  
>> would be better than this, but this can give you the same net  
>> effect as scoping a policy to an AD group.  This also assumes you  
>> have the ability to perform LDAP lookups in AD.  If your JSS is  
>> taking advantage of LDAP, then you could use the same account to  
>> perform the lookup in the script.
>>
>> ----------
>> Miles A. Leacy IV
>>
>>  Certified System Administrator 10.4
>>  Certified Technical Coordinator 10.5
>>  Certified Trainer
>> Certified Casper Administrator
>> ----------
>> voice: 1-347-277-7321
>> miles.leacy at themacadmin.com
>> www.themacadmin.com
>>
>> 2009/1/9 Nichols, Jared <jared.nichols at ll.mit.edu>
>> Wouldn't you just create a smart computer group that goes off of  
>> the Active Directory Status attribute?  You could either make it  
>> "Active Directory Status" is <<name of AD>> (if you have more than  
>> one and you want to specify which) or you could make "Active  
>> Directory Status" is not "Not Bound".  It's a double negative, but  
>> that would return any machine bound to an AD, no matter what the AD  
>> is called.
>>
>> See Attachment.
>>
>> Maybe I don't understand completely your question?
>>
>> j
>>
>>
>> On 1/9/09 12:57, "Ernst, Craig S." <ERNSTCS at uwec.edu> wrote:
>>
>> Don't believe the JSS works with computer accounts in AD.
>>
>> Craig E
>>
>>
>> On 1/9/09 11:56 AM, "Ryan Harter" <rharter at uwsp.edu> wrote:
>>
>> Hey Guys-
>>
>> Has anyone created a smart group that would take members based on  
>> whether the computer is a member of an AD group?
>>
>> Essentially what I'm trying to do is scope a policy to a group of  
>> computers in AD, like you can with the User scope, but it doesn't  
>> seem to work with computers.
>>
>> When users register for our disaster recovery system, their  
>> computer is added to a group in AD, and I would like to install the  
>> backup client on their machine based on whether or not they are in  
>> this group.  Any ideas?
>>
>>
>> Ryan Harter
>> UW - Stevens Point
>> Workstation Developer
>> 715.346.2716
>> Ryan.Harter at uwsp.edu <mailto:Ryan.Harter at uwsp.edu>
>>
>> -- 
>> Jared Nichols
>> ISD Infrastructure and Operations – Desktop Engineering
>> MIT Lincoln Laboratory
>> 244 Wood St.
>> Lexington, MA 02420-9108
>> (781) 981-5500
>>
>> _______________________________________________
>> Casper mailing list
>> Casper at list.jamfsoftware.com
>> http://list.jamfsoftware.com/mailman/listinfo/casper
>>
>>
>
>
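
As an added example (not code from the thread, from Jamf, or from any of the posters), here is a Casper policy script that implements the check Miles and Ryan describe: look up the computer's AD group memberships, grep for the target group, and fire the matching custom trigger. It assumes Casper's usual script arguments ($2 is the computer name), a fourth parameter carrying the group name, an AD node of /Active Directory/EXAMPLE/All Domains, and that the computer record (named like the AD computer account, HOST$) is readable through the machine's existing bind; all of those are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Casper policy script that looks up
# the computer's AD group memberships and fires one of the two custom triggers
# ("receiptexists" / "receiptdoesnotexist"). Casper passes the computer name
# as $2; the AD group to key on is taken from $4 (assumed, default CS3Licensed).
set -u

AD_NODE="/Active Directory/EXAMPLE/All Domains"   # assumption: your AD node
JAMF=/usr/sbin/jamf                               # Casper client binary

# in_group GROUP: reads a memberOf listing (dscl or LDIF style, one DN per
# value) on stdin and succeeds only when GROUP appears as a complete
# "CN=GROUP," DN component, so "CS3" does not match "CS3Licensed".
# Case-insensitive fixed-string match, like AD's own name comparison.
in_group() {
    grep -iF -- "CN=$1," >/dev/null
}

# pick_trigger GROUP: maps the listing on stdin to the trigger name.
pick_trigger() {
    if in_group "$1"; then
        echo "receiptexists"
    else
        echo "receiptdoesnotexist"
    fi
}

# lookup_memberships COMPUTER: asks Directory Services for the computer
# account's memberOf attribute over the machine's own AD bind, so no LDAP
# credentials have to live in the script. Assumes the AD record name is the
# computer account name, i.e. COMPUTER$.
lookup_memberships() {
    dscl "$AD_NODE" -read "/Computers/$1\$" memberOf 2>/dev/null
}

main() {
    computer="$2"
    group="${4:-CS3Licensed}"
    trigger=$(lookup_memberships "$computer" | pick_trigger "$group")
    echo "$computer: firing trigger '$trigger' for AD group '$group'"
    "$JAMF" policy -trigger "$trigger"
}

# Only act when Casper has supplied a computer name; running or sourcing the
# file without arguments just defines the functions above.
if [ -n "${2:-}" ]; then
    main "$@"
fi
```

Because the decision is made on the client, anyone with root on the machine can fire the trigger and land in the smart group, so treat the dummy receipt as a convenience marker rather than an authorization control. Using dscl over the existing bind keeps LDAP credentials out of the script; if you query with ldapsearch and the JSS account instead, make sure that account is read-only.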
