AD/Centrify and Inventory

Its been a while since I've used it, but I know that Centrify has some command line tools to get information from a system about its AD status, possibly the OU its in, etc.

I also remember that Centrify's documentation on this was incredibly weak. Took me forever just to find some docs on how these tools worked. That may have changed though. I would look into this as a start though. Almost sure there are ways to get this information using a script in an Extension Attribute.

I'm trying to get some kind of group info like OU or GID.

Starting from version 5.x Centrify's got this cool tool called adedit which provides ways to get AD information from *nix and Mac OS X machine. Command to retrieve Zone related AD information is quite different from that of just AD objects. You need to be more specific about what information you want to get.

Ideally I'd like to be able to retrieve OU information and gather that in the inventory.

Not currently available via adinfo, to my knowledge. You can get your current zone, but that could certainly transcend OUs.

adquery might give you some of the info you are looking for.

For the primary and unix groups for a user
adquery user --adgroups <usernamehere>

For the Active Directory groups for a user
adquery user --adgroups <usernamehere>

I'm not sure how to get the AD OU that the Mac is joined to.

It took Centrify Support 26 minutes to respond with this which works for me.

You can use the adquery command to actually query the computer object as well.
So if for example a Mac with the hostname "test-mac" is located in the OU "/Testing OU/Mac Computers/", then the command:

adquery user -C test-mac

Will return the canonical name: domain.com/Testing OU/Mac Computers/test-mac

Alternatively, you can also query for the distinguished name as well:

adquery user -D test-mac

Returns: CN=test-mac,OU=Mac Computers,OU=Testing OU,DC=domain,DC=com

Makes sense, as computer objects are users. Good for that support rep (as the one I got didn't come up with that).