How to collect LDAP (AD) user status?

Sounds like you want to do this from the JSS? Yes?

Generally, your devices do all the heavy lifting such as mounting server volumes, creating an inventory report and even performing LDAP lookups. The JSS is rather passive and simply stores information until it's needed by a device. You're in a catch-22 if you want this from a device because the user won't be able to authenticate and communicate with AD once his account is disabled.

What's happening to the device in the meantime? Who's holding it? A manager? As part of the HR off boarding process, computer equipment should be returned to an IT representative.

If you're missing devices, you can create a Smart Group to email you when a device hasn't phoned home to the JSS in X number of days. That's usually what I recommend for alerting about missing devices.

Thanks, talkingmoose
Yes, the thought was to collect the data via the JSS.

I think I'm not understanding something though...

"Generally, your devices do all the heavy lifting such as mounting server volumes, creating an inventory report and even performing LDAP lookups."

OK- I almost understand that, but the device is doing the LDAP lookup? Really? Is this something within the JAMF framework doing the LDAP lookup?
I guess I was thinking that when an inventory is triggered, the inventory data, including the user name, is sent to the JSS and the JSS is actually doing the LDAP lookup to see if it can find a match. If a match is found then the JSS updates the user data; no match, no user data.

"The JSS is rather passive and simply stores information until it's needed by a device."
Got it.

"What's happening to the device in the meantime? Who's holding it? A manager? As part of the HR off boarding process, computer equipment should be returned to an IT representative."
That's part of the problem. We (the IT support staff) may not have been told the user has left. As in never told. Sometime we find out from the user, sometimes from the users manager or lab admin. Sometimes we just never know until someone comes along and happens to let us know. We -never- find out from HR.
The device -may- have gone to another user but could still be using the same user account, or gone with the recently departed user, or it's simply turned off and sitting on a desk.
Unfortunately we do not have a lot of domain bound Macs, nor a standard login format, so user login names are not very helpful. We have to stay on top of it in the JSS, so it's a bit of a management headache, but we expected that. We are encouraging the use of the self enroll process which captures the LDAP user name during login, so that helps a lot.

We have a SMART group for devices with no inventory for 60 days, and then again 90 days or more. Once we've determine that the device has not reported in 90 days we start investigating. (We start at 60 days because we do have many users that travel to areas with very poor network coverage, and could easily go 60 days without reporting).

And since we don't have an off boarding process, there are no standards in place for how devices are handled when the user leaves. Lots of talk and ideas, but until we can get regular data about when a person leaves, then everything else is sort of secondary.

In one of our scripts, we also need to query the AD to know if a specific user is enabled or disabled in the AD.

Here a simple cooking recipe :

userAccountControl=ldapsearch -LLL -H ldap://$QUERY_DC -x -D $AD_USER -w $AD_PASSWORD -b "CN=your_ou,DC=your,DC=domain "sAMAccountName=$CURRENT_LOGGED_USER" userAccountControl | grep userAccountControl: | awk '{print $2}'

userAccountControl_binary=echo "obase=2;$userAccountControl" | bc

let "RESULT=$userAccountControl_binary & 00000010"

if [ $RESULT -eq 0 ] ; then echo User Active else echo User Disabled fi

Adjust the arguments, and you will obtain a delicious "AD user status" extended attribute. (basically you need to compare status of the 2nd least-significant bit of userAccountControl LDAP attribute)

@bentoms
Yes, that is what I was looking for essentially. I've mapped a new EA to the AD atrribute in quesiton. Seems to be providing what I was looking for.

@ Olivier
Thanks for that. This may be a better solution. I'll take a look and see what I need to change.

In either case, our biggest challenge is that very few of our Macs are bound to AD, so we're relying heavily on the User Information being set in the JSS.

Thanks All!

Hello.

I mentioned the wrong person in my post, sorry.

I am very interested in your script @Olivier Can you show us/me what your cleaned up EA looks like.

I put this into one and have worked to clean it up a little. I am not getting results on the user acct control attribute for enabled and disabled.

Enabled is usually 512 and disabled is 514.

If I am off base here just let me know.

Thank you for your work on this,
Dom