[Casper] Computer group from AD
Ryan Harter
rharter at uwsp.edu
Wed Jan 14 13:43:14 PST 2009
I've written a script that will check for specific group membership in
AD. This should get you started scoping to AD groups if you need to.
The workflow is as follows:
1. This script runs as a daily policy on all machines.
2. The gmark_SCLBaculaClient202 trigger that this fires off installs an empty package called gmark_SCLBaculaClient202.dmg.
3. A smart group is scoped to the package receipt of the gmark_SCLBaculaClient202.dmg, allowing me to scope policies to computers in that group.
I have to say thanks to Miles A. Leacy for the header ;) And
hopefully some future release of Casper will have the ability to pull
groups from AD. I already submitted it as a feature req.
#!/bin/bash
##### HEADER BEGINS #####
# gmark_checkSCLBaculaClients2.0.2.bash
#
# Created 14012009 by Ryan Harter
# ryan at ryanharter.com
# Copyright 2009 Ryan Harter
#
# This script may be copied and distributed freely as long as this header remains intact.
#
# This script is provided "as is". The author offers no warranty or guarantee of any kind.
# Use of this script is at your own risk. The author takes no responsibility for loss of data
# or damage that may result from use of this script.
#
# It is intended to be run as part of a Casper policy triggered by login.
#
# Note: This script will need to be modified to fit your environment. This is how it works
# for me, but is provided as a template.
#
##### HEADER ENDS #####
# Standard error redirect and UWSP logging function
exec 2> >(logger -p local7.error)
function log {
    syslog -s -k Facility local7 Level Info Message "$1"
}
# Environment Specific Variables - You need to change these.
LDAPURI=ldap.uwsp.edu
BASEOU="ou=uwsp workstations,dc=uwsp,dc=edu"
HOSTNAME=`hostname | awk -F"." '{print $1}'`
ADGROUP="SCL Bacula Client 2.0.2"
# Trigger for Casper Policy
TRIGGER=gmark_SCLBaculaClient202
### Below this line shouldn't need to be modified
log "Searching for $ADGROUP membership for $HOSTNAME."
# Look up this computer's object in AD and check its memberOf values for the group name.
ldapsearch -Q -H "ldap://$LDAPURI" -b "$BASEOU" -u "(cn=$HOSTNAME)" memberOf | grep "$ADGROUP"
if [ $? -eq 0 ]; then
    log "$HOSTNAME is a member of the $ADGROUP group. Installing dummy package..."
    # Run the policy to install the dummy package.
    jamf policy -trigger "$TRIGGER"
    # Updates inventory so the smart group gets updated
    jamf recon
fi
exit 0
Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
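Extending the script above into the two-trigger design Miles describes below, as an added example that is not part of the original thread: the membership check matches the group's full DN (a substring grep also accepts a similarly named group such as "... Test"), and a failed or empty LDAP lookup is kept apart from a genuine "not a member", so a directory outage never fires the removal trigger. The group DN, the sample LDIF, the ldapsearch -LLL flag and the gmark_SCLBaculaClient202_remove trigger name are assumptions.

```shell
#!/bin/bash
# Added example (not the list author's script): decide AD group membership from
# ldapsearch LDIF output by exact group-DN match, and keep "lookup failed" apart
# from "not a member" so a broken query never fires the removal trigger.
# Assumed names: ADGROUP_DN (constructed) and the *_remove trigger.
set -u
# Full DN of the target group (constructed; adjust to your directory).
ADGROUP_DN="CN=SCL Bacula Client 2.0.2,OU=Groups,DC=uwsp,DC=edu"
# Constructed ldapsearch -LLL output for a host that is in the target group and
# also in a similarly named group. LDIF folds long values onto a line that starts
# with a single space, so the last memberOf value is split across two lines.
SAMPLE_LDIF='dn: CN=LAB-101,OU=uwsp workstations,DC=uwsp,DC=edu
memberOf: CN=SCL Bacula Client 2.0.2 Test,OU=Groups,DC=uwsp,DC=edu
memberOf: CN=SCL Bacula Client 2.0.2,OU=Groups,DC=
 uwsp,DC=edu'

# unfold_ldif: join LDIF continuation lines (leading space) onto the line before.
unfold_ldif() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { print "" } { printf "%s", $0 } END { print "" }'
}

# is_member: exit 0 when the LDIF on stdin has a memberOf equal to $1
# (DNs compare case-insensitively). A plain substring grep would also accept
# the "... Test" group above; -x -F demands the whole line.
is_member() {
  local want
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  unfold_ldif | tr '[:upper:]' '[:lower:]' | grep -q -x -F "memberof: $want"
}

# classify: print member / not-member / lookup-failed from ldapsearch's exit
# status ($1) and stdout ($2). No answer is not the same as a negative answer.
classify() {
  local rc=$1 out=$2
  if [ "$rc" -ne 0 ] || [ -z "$out" ]; then echo lookup-failed; return; fi
  if printf '%s\n' "$out" | is_member "$ADGROUP_DN"; then echo member; else echo not-member; fi
}

# main: query AD for this computer and fire a trigger only on a real answer.
main() {
  local host out rc
  host=$(hostname | cut -d. -f1)
  out=$(ldapsearch -Q -LLL -H ldap://ldap.uwsp.edu -b "ou=uwsp workstations,dc=uwsp,dc=edu" "(cn=$host)" memberOf); rc=$?
  case "$(classify "$rc" "$out")" in
    member)     jamf policy -trigger gmark_SCLBaculaClient202; jamf recon ;;
    not-member) jamf policy -trigger gmark_SCLBaculaClient202_remove; jamf recon ;;
    *)          echo "LDAP lookup failed; leaving receipt state unchanged" >&2; exit 1 ;;
  esac
}
if command -v ldapsearch >/dev/null && command -v jamf >/dev/null; then main; fi
```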
On Jan 12, 2009, at 9:38 AM, Ryan Harter wrote:
> I'd like to update everyone on this issue. Jamf has replied to my
> emails saying that this is actually possible. What you need to do is:
>
> 1. Set up a new LDAP server (even if you have one for users) and
> scope it to computers.
> 2. Click "Text Server" and make sure you can see the groups,
> computers, and computer's group membership.
> 3. The groups from AD should now appear in the "Static Computer
> Groups" section with their source being "Active Directory".
>
> That is what Jamf says should be happening, however, I've gotten
> through setup two and they still don't show up in Groups. It could
> be an environment specific problem, but I'll let you know how to get
> it working when I figure it out.
>
> Ryan Harter
> UW - Stevens Point
> Workstation Developer
> 715.346.2716
> Ryan.Harter at uwsp.edu
>
> On Jan 9, 2009, at 2:50 PM, Miles Leacy wrote:
>
>> I'm a big fan of smart groups based on dummy receipts.
>>
>> To break it down (as I would do it, at least):
>>
>> Run the initial policy on all machines (once per day, limited to
>> off-hours if there would be any performance concerns). This policy
>> does:
>> - run script that checks AD groups.
>> - if desired group is found, issue a custom trigger of "receipt
>> exists".
>> - if desired group is not found, issue a custom trigger of "receipt
>> does not exist".
>>
>> The "receipt exists" custom trigger policy does:
>> - Install the dummy package
>>
>> The "receipt does not exist" custom trigger policy does:
>> - delete the dummy package's receipt
>>
>> Smart group is scoped to the existence of the dummy receipt.
>>
>> You can now scope to your smart group knowing that it consists of
>> all members of your target AD group, with up to a 24-hour lag
>> behind changes in group membership. If 24 hours is too big of a
>> window, you could set it to every15 (or 30 or whatever your
>> periodic trigger is) and execution frequency of "ongoing". This is
>> pretty lightweight, so I don't think there's any cause for
>> performance concerns.
>>
>> ----------
>> Miles A. Leacy IV
>>
>> Certified System Administrator 10.4
>> Certified Technical Coordinator 10.5
>> Certified Trainer
>> Certified Casper Administrator
>> ----------
>> voice: 1-347-277-7321
>> miles.leacy at themacadmin.com
>> www.themacadmin.com
>>
>> On Fri, Jan 9, 2009 at 3:22 PM, Ryan Harter <rharter at uwsp.edu> wrote:
>> This sounds like a good workaround. I have emailed JAMF about this
>> too, but haven't heard anything. I'm sure they're all off at
>> MacWorld:)
>>
>> I was hoping for a solution that I could make a computer group with
>> so that I could only run it on the computers that need it and not
>> on every computer just for the 20% that actually need the client.
>>
>> There is also talk of "leasing" CS3 licenses to departments on
>> campus, in which case I would like to have self service only
>> advertise the install on the computers that are in the CS3Licensed
>> AD group. I may do this by having us add the users to a group as
>> well and scope it that way temporarily, but the ultimate goal is to
>> have it available for department machines, not users.
>>
>> I was thinking of some sort of logic like:
>>
>> 1. run a policy that will check dscl for the group memberships of
>> the computer.
>> 2. install a dummy package.
>> 3. base a smart group on the receipt of the dummy package.
>> 4. scope the policies to the smart group
>>
>> That way, I can not only run the policy just for the group, but
>> also keep a record of who's in it. It's not a very elegant
>> solution, but it may have to do.
>>
>> Ryan Harter
>> UW - Stevens Point
>> Workstation Developer
>> 715.346.2716
>> Ryan.Harter at uwsp.edu
>>
>> On Jan 9, 2009, at 1:35 PM, Miles Leacy wrote:
>>
>>> "Bound to a directory" and "Member of a group" are different
>>> concepts.
>>>
>>> I would also like the ability to recognize computer accounts and
>>> computer groups.
>>>
>>> You could work around the current situation with a script using
>>> logic like so:
>>>
>>> 1. Query LDAP (AD) for the groups "my computer" ($2, assuming your
>>> machine names are the same as your AD names) belongs to.
>>> 2. grep the output for the group you want to key on.
>>> 3. call a custom trigger
>>>
>>> The ability for Casper to recognize computer accounts & groups
>>> would be better than this, but this can give you the same net
>>> effect as scoping a policy to an AD group. This also assumes you
>>> have the ability to perform LDAP lookups in AD. If your JSS is
>>> taking advantage of LDAP, then you could use the same account to
>>> perform the lookup in the script.
>>>
>>> ----------
>>> Miles A. Leacy IV
>>>
>>> Certified System Administrator 10.4
>>> Certified Technical Coordinator 10.5
>>> Certified Trainer
>>> Certified Casper Administrator
>>> ----------
>>> voice: 1-347-277-7321
>>> miles.leacy at themacadmin.com
>>> www.themacadmin.com
>>>
>>> 2009/1/9 Nichols, Jared <jared.nichols at ll.mit.edu>
>>> Wouldn't you just create a smart computer group that goes off of
>>> the Active Directory Status attribute? You could either make it
>>> "Active Directory Status" is <<name of AD>> (if you have more than
>>> one and you want to specify which) or you could make "Active
>>> Directory Status" is not "Not Bound". It's a double negative, but
>>> that would return any machine bound to an AD, no matter what the
>>> AD is called.
>>>
>>> See Attachment.
>>>
>>> Maybe I don't understand completely your question?
>>>
>>> j
>>>
>>>
>>> On 1/9/09 12:57 , "Ernst, Craig S." <ERNSTCS at uwec.edu> wrote:
>>>
>>> Don't believe the JSS works with computer accounts in AD.
>>>
>>> Craig E
>>>
>>>
>>> On 1/9/09 11:56 AM, "Ryan Harter" <rharter at uwsp.edu> wrote:
>>>
>>> Hey Guys-
>>>
>>> Has anyone created a smart group that would take members based on
>>> whether the computer is a member of an AD group?
>>>
>>> Essentially what I'm trying to do is scope a policy to a group of
>>> computers in AD, like you can with the User scope, but it doesn't
>>> seem to work with computers.
>>>
>>> When users register for our disaster recovery system, their
>>> computer is added to a group in AD, and I would like to install
>>> the backup client on their machine based on whether or not they
>>> are in this group. Any ideas?
>>>
>>>
>>> Ryan Harter
>>> UW - Stevens Point
>>> Workstation Developer
>>> 715.346.2716
>>> Ryan.Harter at uwsp.edu
>>>
>>> --
>>> Jared Nichols
>>> ISD Infrastructure and Operations – Desktop Engineering
>>> MIT Lincoln Laboratory
>>> 244 Wood St.
>>> Lexington, MA 02420-9108
>>> (781) 981-5500
>>>