[Casper] Computer group from AD

Ryan Harter rharter at uwsp.edu
Mon Jan 12 07:38:55 PST 2009


I'd like to update everyone on this issue.  Jamf has replied to my  
emails saying that this is actually possible.  What you need to do is:

1. Set up a new LDAP server (even if you have one for users) and scope  
it to computers.
2. Click "Test Server" and make sure you can see the groups,  
computers, and computer's group membership.
3. The groups from AD should now appear in the "Static Computer  
Groups" section with their source being "Active Directory".

That is what Jamf says should be happening, however, I've gotten  
through step two and they still don't show up in Groups.  It could be  
an environment specific problem, but I'll let you know how to get it  
working when I figure it out.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu

On Jan 9, 2009, at 2:50 PM, Miles Leacy wrote:

> I'm a big fan of smart groups based on dummy receipts.
>
> To break it down (as I would do it, at least):
>
> Run the initial policy on all machines (once per day, limited to off- 
> hours if there would be any performance concerns).  This policy does:
> - run script that checks AD groups.
> - if desired group is found, issue a custom trigger of "receipt  
> exists".
> - if desired group is not found, issue a custom trigger of "receipt  
> does not exist".
>
> The "receipt exists" custom trigger policy does:
> - Install the dummy package
>
> The "receipt does not exist" custom trigger policy does:
> - delete the dummy package's receipt
>
> Smart group is scoped to the existence of the dummy receipt.
>
> You can now scope to your smart group knowing that it consists of  
> all members of your target AD group, with up to a 24-hour lag behind  
> changes in group membership.  If 24 hours is too big of a window,  
> you could set it to every 15 (or 30 or whatever your periodic trigger  
> is) and execution frequency of "ongoing".  This is pretty  
> lightweight, so I don't think there's any cause for performance  
> concerns.
>
> ----------
> Miles A. Leacy IV
>
>  Certified System Administrator 10.4
>  Certified Technical Coordinator 10.5
>  Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com
>
>
>
>
> On Fri, Jan 9, 2009 at 3:22 PM, Ryan Harter <rharter at uwsp.edu> wrote:
> This sounds like a good workaround.  I have emailed JAMF about this  
> too, but haven't heard anything.  I'm sure they're all off at  
> MacWorld:)
>
> I was hoping for a solution that I could make a computer group with  
> so that I could only run it on the computers that need it and not on  
> every computer just for the 20% that actually need the client.
>
> There is also talk of "leasing" CS3 licenses to departments on  
> campus, in which case I would like to have self service only  
> advertise the install on the computers that are in the CS3Licensed  
> AD group.  I may do this by having us add the users to a group as  
> well and scope it that way temporarily, but the ultimate goal is to  
> have it available for department machines, not users.
>
> I was thinking of some sort of logic like:
>
> 1. run a policy that will check dscl for the group memberships of  
> the computer.
> 2. install a dummy package.
> 3. base a smart group on the receipt of the dummy package.
> 4. scope the policies to the smart group
>
> That way, I can not only run the policy just for the group, but also  
> keep a record of who's in it.  It's not a very elegant solution, but  
> it may have to do.
>
> Ryan Harter
> UW - Stevens Point
> Workstation Developer
> 715.346.2716
> Ryan.Harter at uwsp.edu
>
> On Jan 9, 2009, at 1:35 PM, Miles Leacy wrote:
>
>> "Bound to a directory" and "Member of a group" are different  
>> concepts.
>>
>> I would also like the ability to recognize computer accounts and  
>> computer groups.
>>
>> You could work around the current situation with a script using  
>> logic like so:
>>
>> 1. Query LDAP (AD) for the groups "my computer" ($2, assuming your  
>> machine names are the same as your AD names) belongs to.
>> 2. grep the output for the group you want to key on.
>> 3. call a custom trigger
>>
>> The ability for Casper to recognize computer accounts & groups  
>> would be better than this, but this can give you the same net  
>> effect as scoping a policy to an AD group.  This also assumes you  
>> have the ability to perform LDAP lookups in AD.  If your JSS is  
>> taking advantage of LDAP, then you could use the same account to  
>> perform the lookup in the script.
>>
>> ----------
>> Miles A. Leacy IV
>>
>>  Certified System Administrator 10.4
>>  Certified Technical Coordinator 10.5
>>  Certified Trainer
>> Certified Casper Administrator
>> ----------
>> voice: 1-347-277-7321
>> miles.leacy at themacadmin.com
>> www.themacadmin.com
>>
>>
>>
>>
>> 2009/1/9 Nichols, Jared <jared.nichols at ll.mit.edu>
>> Wouldn't you just create a smart computer group that goes off of  
>> the Active Directory Status attribute?  You could either make it  
>> "Active Directory Status" is <<name of AD>> (if you have more than  
>> one and you want to specify which) or you could make "Active  
>> Directory Status" is not "Not Bound"  It's a double negative, but  
>> that would return any machine bound to an AD, no matter what the AD  
>> is called.
>>
>> See Attachment.
>>
>> Maybe I don't understand completely your question?
>>
>> j
>>
>>
>> On 1/9/09 12:57, "Ernst, Craig S." <ERNSTCS at uwec.edu> wrote:
>>
>> Don't believe the JSS works with computer accounts in AD.
>>
>> Craig E
>>
>>
>> On 1/9/09 11:56 AM, "Ryan Harter" <rharter at uwsp.edu> wrote:
>>
>> Hey Guys-
>>
>> Has anyone created a smart group that would take members based on  
>> whether the computer is a member of an AD group?
>>
>> Essentially what I'm trying to do is scope a policy to a group of  
>> computers in AD, like you can with the User scope, but it doesn't  
>> seem to work with computers.
>>
>> When users register for our disaster recovery system, their  
>> computer is added to a group in AD, and I would like to install the  
>> backup client on their machine based on whether or not they are in  
>> this group.  Any ideas?
>>
>>
>> Ryan Harter
>> UW - Stevens Point
>> Workstation Developer
>> 715.346.2716
>> Ryan.Harter at uwsp.edu <mailto:Ryan.Harter at uwsp.edu>
>>
>>
>>
>>
>>
>> -- 
>> Jared Nichols
>> ISD Infrastructure and Operations – Desktop Engineering
>> MIT Lincoln Laboratory
>> 244 Wood St.
>> Lexington, MA 02420-9108
>> (781) 981-5500
>>
>>
>>
>
>
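The dummy-receipt workaround outlined in the quoted thread (check the computer's AD groups, then fire the "receipt exists" or "receipt does not exist" custom trigger), as an added example that is not code from the thread or from Jamf. It assumes the Mac is AD-bound so `dscl` can read the computer record and no LDAP bind credential has to be shipped inside a script sent to every machine; the `dscl` path, the `memberOf` sample and the `jamf policy -trigger` syntax are assumptions to check against your own environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from Jamf: pick the custom
# trigger to fire from this computer's AD group membership, as Miles and
# Ryan outline (check groups -> "receipt exists" / "receipt does not exist").
# Assumes the Mac is AD-bound, so dscl can read the computer record and no
# LDAP bind credential has to be shipped inside a script sent to every Mac.

# Constructed sample in the shape dscl prints a multi-valued attribute; a
# real run would be something like (assumed path, adjust for your domain):
#   dscl "/Active Directory/DOMAIN/All Domains" -read "/Computers/$2\$" memberOf
# where Casper passes the computer name as $2.
SAMPLE_MEMBEROF='dsAttrTypeNative:memberOf:
 CN=CS3LicensedTest,OU=Groups,DC=example,DC=edu
 CN=BackupClients,OU=Groups,DC=example,DC=edu'

# in_ad_group MEMBEROF_TEXT GROUP_CN -> exit 0 only when GROUP_CN is the exact
# CN of a listed DN. A plain `grep CS3Licensed` would also accept
# CS3LicensedTest and scope the policy to the wrong machines; AD names are
# case-insensitive, so compare in lower case.
in_ad_group() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { want = tolower(want); rc = 1 }
        {
            sub(/^[ \t]+/, "")
            if (index(tolower($0), "cn=" want ",") == 1) rc = 0
        }
        END { exit rc }'
}

# choose_trigger MEMBEROF_TEXT GROUP_CN -> prints the trigger name from the
# thread's design; the caller hands it to the jamf binary.
choose_trigger() {
    if in_ad_group "$1" "$2"; then
        echo "receipt exists"
    else
        echo "receipt does not exist"
    fi
}

# Demo on the constructed sample. In production replace the echo with the
# jamf call, e.g. (assumed syntax, check `jamf help policy` on your version):
#   /usr/sbin/jamf policy -trigger "$trigger"
for group in BackupClients CS3Licensed; do
    echo "$group -> $(choose_trigger "$SAMPLE_MEMBEROF" "$group")"
done
```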
