Posted on 05-09-2013 06:31 AM
Out of the box you can scope a policy to USERS in an AD group.
Does anyone know of a way to scope a policy to a computer that is a part of an Active Directory Group or OU?
I have the pleasure of being in a Windows-dominated, Altiris-driven infrastructure, so I have to try to shoe-horn all our Macs into that system. Right now when someone requests a piece of software, that computer is added to an AD group so they know that computer has rights to install that software and it can be pushed. They want me to leverage that same protocol to install software on Macs.
Posted on 05-09-2013 06:42 AM
Create a smart group.
Under OS Configuration Information add a new field, choose "Active Directory Status", and set it to "is equal to" the AD it should be bound to.
That should give you something to start with.
Posted on 05-09-2013 09:53 AM
This got me curious, as we have the same setup for Windows systems. I imagine you'll probably need to make an Extension Attribute with something like this in it:
#!/bin/sh
# Extension attribute: read this Mac's own computer record from the AD node it
# is bound to and print the record's memberOf values.
computer=$(dsconfigad -show | awk '/Computer Account/ { print $4 }')   # e.g. ma34490$
domain=$(dscl localhost read "/Active Directory" | awk '/PrimaryNTDomain/ { print $2 }')
realm=$(dscl localhost read "/Active Directory" | awk '/KerberosRealm/ { print $2 }')
# the node path contains spaces, so it must be quoted
groups=$(dscl "/Active Directory/$domain/$realm" read "/Computers/$computer" dsAttrTypeNative:memberOf)
echo "<result>$groups</result>"
Haven't tested this out, and I'm not sure how extension attributes will work with multiple lines, but I'm interested to know if it works.
Posted on 05-09-2013 11:39 AM
We do this in our environment for AD User groups. Our EA is below:
#!/bin/sh
# Extension attribute: AD groups of the user currently logged in at the console.
currUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )
# The node path contains spaces and must be quoted. sed drops the attribute-name
# header line, strips the CN= prefix and cuts each DN at its first ,OU= or ,DC=
# (cutting at the bare string "OU" would also truncate names such as "GROUP").
Groups=$( dscl "/Active Directory/<DOMAIN>/All Domains" read "/Users/$currUser" dsAttrTypeNative:memberOf | sed -E -e '1d' -e 's/^ *CN=//' -e 's/,(OU|DC)=.*$//' )
echo "<result>$Groups</result>"
This should work as an EA for Computer Groups:
#!/bin/sh
# Extension attribute: AD groups this Mac's computer object is a member of.
currComputer=$( dsconfigad -show | awk '/Computer Account/ { print $4 }' )   # e.g. ma34490$
# Same parsing as the user EA: quoted node path, header line dropped, CN= stripped,
# each DN cut at its first ,OU= or ,DC=.
Groups=$( dscl "/Active Directory/<DOMAIN>/All Domains" read "/Computers/$currComputer" dsAttrTypeNative:memberOf | sed -E -e '1d' -e 's/^ *CN=//' -e 's/,(OU|DC)=.*$//' )
echo "<result>$Groups</result>"
Posted on 05-20-2013 11:38 PM
I'm trying to apply this to my setup, but it seems to be failing because I'm not getting a "dsAttrTypeNative:memberOf" attribute? It's definitely bound to the domain, and I'm logged in with AD credentials. Have I missed something?
Below is my complete output (with some important stuff edited):
MA34490:Desktop redzik aaron$ dscl /Active Directory/DOMAIN/All Domains read /Computers/ma34490$
dsAttrTypeNative:accountExpires: 9223372036854775807
dsAttrTypeNative:badPasswordTime: 0
dsAttrTypeNative:badPwdCount: 0
dsAttrTypeNative:codePage: 0
dsAttrTypeNative:countryCode: 0
dsAttrTypeNative:distinguishedName:
CN=ma34490,OU=Macs,OU=Workstations & Servers,DC=domain,DC=org,DC=au
dsAttrTypeNative:dSCorePropagationData: 20121128034515.0Z 16010101000001.0Z
dsAttrTypeNative:instanceType: 4
dsAttrTypeNative:isCriticalSystemObject: FALSE
dsAttrTypeNative:lastLogonTimestamp: 130129442364285393
dsAttrTypeNative:localPolicyFlags: 0
dsAttrTypeNative:logonCount: 220
dsAttrTypeNative:name: ma34490
dsAttrTypeNative:networkAddress: 111.222.333.444
dsAttrTypeNative:objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=org,DC=au
dsAttrTypeNative:objectClass: top person organizationalPerson user computer
dsAttrTypeNative:objectGUID:
759a4a4f f731834c a562bdca 6b3564d4
dsAttrTypeNative:objectSid:
01050000 00000005 15000000 af204d03 4038e654 ca6fd544 5f240100
dsAttrTypeNative:operatingSystem:
Mac OS X
dsAttrTypeNative:operatingSystemVersion: 10.8.2
dsAttrTypeNative:sAMAccountType: 805306369
dsAttrTypeNative:userAccountControl: 4096
dsAttrTypeNative:uSNChanged: 356717153
dsAttrTypeNative:uSNCreated: 244687452
dsAttrTypeNative:whenChanged: 20130515220251.0Z
dsAttrTypeNative:whenCreated: 20121128034307.0Z
AppleMetaNodeLocation:
/Active Directory/DOMAIN/domain.org.au
AppleMetaRecordName:
CN=ma34490,OU=Macs,OU=Workstations & Servers,DC=domain,DC=org,DC=au
DNSName: ma34490.domain.org.au
GeneratedUID: 4F4A9A75-31F7-4C83-A562-BDCA6B3564D4
RealName: ma34490
RecordName: ma34490$
RecordType: dsRecTypeStandard:Computers
SMBGroupRID: 515
SMBLogoffTime: 0
SMBLogonTime: 130135748768051594
SMBPasswordLastSet: 130131289631486707
SMBSID: S-1-5-21-55555555-5555555555-5555555555-55555
UniqueID: 1330289269
Posted on 05-21-2013 12:06 PM
Aaron,
Find some groups that you know some of your Macs are members of and look up the records for those machines. Whatever dsAttrTypes they show up in are most likely something you can look for.
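As an added example, not code from any of the posts in this thread, here is a fuller version of the computer-group extension attribute from the 05-09-2013 11:39 AM post, written around the case the 05-20-2013 output dump shows: a computer record that has no memberOf attribute at all. The AD node path "/Active Directory/<DOMAIN>/All Domains" is an assumption carried over from that post's placeholder, and the dscl output used in the comments and the test is constructed, not captured from a real domain. The parsing is kept in its own function so it can be exercised without a bound Mac; it handles both layouts dscl uses for multi-valued attributes and cuts each DN at its first ",OU=" or ",DC=", so a group name such as MacGROUP-VPN is not truncated by the letters "OU".

```shell
#!/bin/sh
# Added example (not from the thread): a Jamf extension attribute that reports
# the AD groups this Mac's computer object is a direct member of. The parsing
# is separated from the directory lookup so it can be exercised offline.
#
# Caveats the parser is built around:
#  - memberOf lists direct memberships only; the primary group (normally
#    Domain Computers, RID 515) and nested groups never appear in it.
#  - a computer in no other group has no memberOf attribute, and dscl then
#    prints nothing for it; that must yield an empty result, not an error.
#  - dscl prints multi-valued attributes either one DN per indented line (when
#    any value contains a space) or all DNs space-separated on the attribute
#    line; both layouts are handled.
#  - the group name is cut at the first ",OU=" or ",DC=", so CNs that happen
#    to contain the letters "OU" (e.g. "MacGROUP-VPN") survive intact.

# Read dscl output on stdin, print one group CN per line.
# Constructed input it accepts, e.g.:
#   dsAttrTypeNative:memberOf:
#    CN=Mac Software Adobe CS6,OU=Software,OU=Groups,DC=domain,DC=org,DC=au
#    CN=MacGROUP-VPN,OU=Groups,DC=domain,DC=org,DC=au
parse_member_of() {
    awk '
        { sub(/^dsAttrTypeNative:memberOf: */, ""); sub(/^ +/, "") }
        $0 == "" { next }
        {
            # put space-delimited DNs on their own lines, then split
            gsub(/ CN=/, "\nCN=")
            n = split($0, dns, "\n")
            for (i = 1; i <= n; i++) {
                dn = dns[i]
                sub(/^CN=/, "", dn)
                sub(/,(OU|DC)=.*$/, "", dn)   # keep only the CN value
                if (dn != "") print dn
            }
        }'
}

# Wrap the group list (stdin) in the <result> tags Jamf expects.
format_result() {
    printf '<result>%s</result>\n' "$(cat)"
}

# Live lookup; only meaningful on a bound Mac. The node path is assumed:
# replace <DOMAIN> with the NetBIOS domain name, as in the thread's EAs.
report_computer_groups() {
    node="/Active Directory/<DOMAIN>/All Domains"   # assumption; adjust
    if ! command -v dsconfigad >/dev/null 2>&1; then
        echo "<result>dsconfigad not available</result>"
        return 0
    fi
    computer=$(dsconfigad -show | awk '/Computer Account/ { print $4 }')  # e.g. ma34490$
    if [ -z "$computer" ]; then
        echo "<result>Not bound</result>"
        return 0
    fi
    dscl "$node" read "/Computers/$computer" dsAttrTypeNative:memberOf 2>/dev/null \
        | parse_member_of | format_result
}

report_computer_groups
```

Scope with a smart group whose criterion is this extension attribute "like" the group name. Because memberOf is direct membership only, a computer whose only group is its primary group (Domain Computers; the dump's SMBGroupRID 515 is that group) reports an empty result, and groups reached only through nesting are not reported either.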
Posted on 04-09-2014 11:54 PM
Hi Adam,
Did you manage to scope to computers in an AD group?