Create a Policy Scoped to Users' AD Group?

kerouak
Valued Contributor

I'd like to create a policy that runs at login and scopes thus: it queries whether the user exists in a specific AD group, then applies the policy.

A smart group based on this would be good.

Anyone?


iJake
Valued Contributor

To limit a policy to an AD group, you have to set it to login or logout like you mentioned, and then you'll find LDAP group options under Limitations of the policy scoping. You can't create a smart group based on AD groups without creating your own extension attribute to collect it locally on the machine.
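An extension attribute of the kind described in the reply above, as an added example that is not from the thread or from Jamf: it assumes a constructed group name (EXAMPLE\Mac Admins) and macOS's dsmemberutil and stat, and reports Yes/No so a smart group can key on the value.

```shell
#!/bin/bash
# Jamf extension attribute (added example; assumptions marked below).
# Reports whether the current console user is a member of a named AD group,
# so a smart group can be built on the result ("Yes"/"No").

AD_GROUP="EXAMPLE\\Mac Admins"   # constructed placeholder; use your own DOMAIN\group

# Translate the one-line output of `dsmemberutil checkmembership` into Yes/No.
# Returns non-zero for any text that is neither answer (e.g. user/group not found).
parse_membership() {
  case "$1" in
    "user is a member of the group")     echo "Yes" ;;
    "user is not a member of the group") echo "No"  ;;
    *) return 1 ;;
  esac
}

# Current console user (macOS stat syntax); returns 1 if nobody useful is logged in.
console_user() {
  local u
  u=$(stat -f '%Su' /dev/console 2>/dev/null) || return 1
  case "$u" in root|_mbsetupuser|"") return 1 ;; esac
  echo "$u"
}

# Build the <result> string Jamf expects from an extension attribute script.
membership_result() {
  local user out verdict
  user=$(console_user) || { echo "<result>No console user</result>"; return 0; }
  # dsmemberutil prints its answer to stdout; parse the text rather than trusting
  # the exit status, and surface unexpected output (AD unreachable, bad group name).
  out=$(dsmemberutil checkmembership -U "$user" -G "$AD_GROUP" 2>&1) || true
  if verdict=$(parse_membership "$out"); then
    echo "<result>$verdict</result>"
  else
    echo "<result>Unknown: $out</result>"
  fi
}

# Only run the lookup where the macOS directory tooling exists.
if command -v dsmemberutil >/dev/null 2>&1; then
  membership_result
fi
```

A smart group with criterion "this attribute is Yes" can then serve as the policy's target scope; an "Unknown" value points at the directory lookup rather than at policy scoping.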

mm2270
Legendary Contributor III

@kerouak If your JSS is tied to an LDAP/AD server and can do queries successfully against it, this is possible. The only triggers that allow you to use LDAP users or groups as scope (actually under Limitations) are "login", "logout" and "Self Service", to my knowledge. If at least one of those triggers is set, when you go into the scope section, click on Limitations and you should see LDAP/Local Users and LDAP Groups as tab selections. Search for and add the users and/or groups you want.
You still need to set an actual computer scope under Targets however. Generally speaking, you can set the Scope to All Computers and then set the LDAP limitations appropriately. You could of course also use a Smart Group as the general target scope as you mentioned. This will make sure the policy will only run on the Macs that fall under the limitations and are part of the scope.

kerouak
Valued Contributor

The policy being limited to 1 AD group is what I'm after; sorry for the vagueness.

kerouak
Valued Contributor

You know something... I realised as soon as this was posted... I knew it was under 'Limitations'; however, I didn't set it for login.
Thanks gents!!!

kerouak
Valued Contributor

Oh dear...
I've set everything: scoped to 'All Computers', Limitations: LDAP User Group.

When I view the logs, it only shows 47 entries; there should be 1000. Also, the logs are listing individual computer names rather than usernames...
Am I missing something?
Granted, I had a few beers last night.

Anyone?

kerouak
Valued Contributor

I'm after only running a specific script for users who reside within a specific AD group.
Not a limited number of enrolled devices.

ta

davidacland
Honored Contributor II

Hi,

The scoping is correct (all computers, limited to LDAP group). When Casper triggers the policy, it checks the computer is in scope, then checks the user is a member of the LDAP group.

If it's not working as expected, I'd look at the LDAP group membership area first. On your LDAP settings, test the group you're trying to limit to and check a bunch of users that should / shouldn't be in the group.

The computer scoping of a policy is fairly solid in Casper, but I have had issues with LDAP scope, search base, etc. in group membership lookups before.