Jamf Nation Community

JAMF_noob · ‎01-12-2015

I am looking for a way to create a smart computer group based on AD group membership.

Example: I want to create a smart computer group called Help Desk that contains the computers for my Help Desk team. I would like the group to reference the AD group "Help Desk", match the AD usernames with what is in the JSS, and populate the group accordingly.

Is this possible?

alexjdale · ‎01-12-2015

Edit: Rewrote this post since I now understand you want to look up users.

Yes, with a native AD plugin bind, you can query the current user and get a list of AD groups they are a member of. From there, you simply match the group you are checking for (grep or whatever) and if it's present, return a "true" for an extension attribute and scope the smart group against that.

dscl '/Active Directory/$DOMAIN/All Domains' -read /Users/$USERNAME dsAttrTypeNative:memberOf

will return all of $USERNAME's group memberships.

JAMF_noob · ‎01-13-2015

@ alexjdale

Thanks for the feedback. I understand how to do this from the terminal using dscl, but how would I go about creating a smart computer group with that string?

davidacland · ‎01-13-2015

I would probably use dseditgroup to check the membership as part of an extension attribute:

#!/bin/sh

checkMember=`dseditgroup -o checkmember -m username groupname | grep -c "Yes"`

if [ $checkMember -eq 1 ]; then
echo "<result>Yes</result>"
else
echo "<result>no</result>"
fi

Then you can create a smart group based on the result.

Not sure if I'm overcomplicating it but you might need to do an API call to get the current user from the user and location part of the inventory record to use in the dseditgroup command.

Jamf Nation Community

Smart Computer Group - AD Membership