Question

Smart Group to show users in specific Active Directory OU

  • September 15, 2014
  • 3 replies
  • 13 views

  • Honored Contributor
  • 351 replies

Hi..

When we can someone, or they quit, their AD account gets moved to an OU called "Terminated Accounts"

To get a better handle on inventory, we'd like to create a smart group that contains any users currently in the JSS whose AD accounts now reside in that OU.

Anyone got any ideas????

3 replies

  • Esteemed Contributor
  • 719 replies
  • September 15, 2014

You could do a little AD scripting and set the position field in AD to say "Terminated" for all of the employees in this OU. The JSS will let you create a smart group based on a user's position.


  • Contributor
  • 116 replies
  • September 15, 2014

Ok, I will try and help you with this one.

First you will need to run a script that will reside on your JSS server, or to be correct, your mysql server. What you will have to do is some creative scripting here.

You will want to make sure this server is bound to AD or this won't work.

#!/bin/bash
#
# Casper Active Directory User Group Membership Query
#
# Variables

mysql_client_path='/usr/local/mysql/bin/mysql'
mysql_database='jamfsoftware'
mysql_host='localhost'

# XML bodies sent to the JSS API (single-quoted so the inner double quotes survive)
xmlUpdateEAAdmin='<?xml version="1.0" encoding="ISO-8859-1" ?>
    <computer>
        <extension_attributes>
            <attribute>
                <name>MacAdmin</name>
                <value>Admin</value>
            </attribute>
        </extension_attributes>
    </computer>'
xmlUpdateEANonAdmin='<?xml version="1.0" encoding="ISO-8859-1" ?>
    <computer>
        <extension_attributes>
            <attribute>
                <name>MacAdmin</name>
                <value>Not Admin</value>
            </attribute>
        </extension_attributes>
    </computer>'
# Warning: Using a password on the command line interface is insecure.
# It is much safer to specify these in mysql.cnf than to hard code them into a script.
mysql_user='username'
mysql_pass='password'

jssUser=Username
jssPass=Password
jssHost=https://localhost:8443/


# Functions

# These curl a PUT up to the JSS for the computer ID passed as $1.
# --insecure skips certificate verification (self-signed certificate on localhost).
UpdateCasperExtAttribAdmin()
{
theJSSresponse=$( /usr/bin/curl \
--header "Content-Type: text/xml; charset=utf-8" \
--data "${xmlUpdateEAAdmin}" \
--request PUT \
--connect-timeout 5 \
--max-time 10 \
--user "${jssUser}:${jssPass}" \
--insecure \
"${jssHost}JSSResource/computers/id/$1" 2> /dev/null )
}

UpdateCasperExtAttribNonAdmin(){
theJSSresponse=$( /usr/bin/curl \
--header "Content-Type: text/xml; charset=utf-8" \
--data "${xmlUpdateEANonAdmin}" \
--request PUT \
--connect-timeout 5 \
--max-time 10 \
--user "${jssUser}:${jssPass}" \
--insecure \
"${jssHost}JSSResource/computers/id/$1" 2> /dev/null )
}

# Beginning of Procedure

# SQL query to pull computer IDs
getSQL='select computer_id from computers_denormalized group by computer_id;'
sqlData=$( $mysql_client_path -h$mysql_host -D$mysql_database -u$mysql_user -p$mysql_pass -e "$getSQL" 2> /dev/null)

# Check to make sure there was not an error when querying SQL
# ($? only reflects the last command, so this has to sit directly after the query)
if [[ $? -ne 0 ]]; then
    echo "mysql error"
    exit 1
fi

# Convert the query output into an array (one element per line, header included)
ComputerID=($sqlData)

# Process each ID
for ID in "${ComputerID[@]}"; do
    # Skip the column header "computer_id"
    if [ "$ID" == "computer_id" ]; then
        continue
    fi

    # Pull the user based on the computer ID
    userSQL="select username from computers_denormalized where computer_id=$ID;"
    username=$( $mysql_client_path -h$mysql_host -D$mysql_database -u$mysql_user -p$mysql_pass -e "$userSQL" 2> /dev/null)
    # Output is the header "username" followed by the value; echo unquoted flattens it to one line
    userName=$( echo $username | awk '{print $2}' )

    # Check user membership with AD (the node path contains spaces and must be quoted)
    membership=$( dscl "/Active Directory/BFI/All Domains" -read "/Users/$userName" 2> /dev/null | grep "NonMacAdmins" )
    if [ -z "$membership" ]; then
        # Not in the group: nothing to update
        # (call UpdateCasperExtAttribAdmin "$ID" here if admins should be tagged as well)
        continue
    else
        # Forward to the function that updates Casper
        UpdateCasperExtAttribNonAdmin "$ID"
    fi
done

Now this one is a little different. This one checks by Security Group, but can be changed to do OUs, no problem. Let me know if this works out for you.
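The extension-attribute update in the script above, rewritten as an added example (not the poster's code) from the operator's side: the API credentials stay out of the script and out of the process list, the server certificate is verified instead of passing --insecure, the attribute value is escaped before it is embedded in XML, and a computer ID that is not a plain number is refused before it reaches the URL. It assumes the JSSResource/computers/id/<id> endpoint and the XML body shown in the reply; the host name, the JSS_HOST and JSS_CRED_FILE variables, and a credential file in curl's netrc format are assumptions made here.

```shell
#!/bin/bash
# Added example: update one Jamf extension attribute through the JSS API.
# Assumptions (not from the post): JSS_HOST names the server, and
# JSS_CRED_FILE is a mode-0600 netrc file such as
#   machine jss.example.com login apiuser password <secret>
JSS_HOST="${JSS_HOST:-https://jss.example.com:8443}"   # placeholder host
JSS_CRED_FILE="${JSS_CRED_FILE:-$HOME/.jss_api}"

# Escape the XML metacharacters so a value like 'R&D <lab>' cannot break the
# document or smuggle extra elements into it. '&' must be handled first.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the PUT body for a single extension attribute (same shape as the
# xmlUpdateEA* strings in the reply, minus the indentation).
build_ea_xml() {
    local name value
    name=$(xml_escape "$1")
    value=$(xml_escape "$2")
    printf '<?xml version="1.0" encoding="UTF-8"?><computer><extension_attributes><attribute><name>%s</name><value>%s</value></attribute></extension_attributes></computer>' \
        "$name" "$value"
}

# Compose the resource URL. Only a purely numeric ID is accepted, so a stray
# value coming back from SQL can never be appended to the path.
ea_url() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s/JSSResource/computers/id/%s' "${JSS_HOST%/}" "$1"
}

# PUT the attribute. No --insecure: curl verifies the JSS certificate against
# the system trust store. --fail turns an HTTP error into a non-zero exit.
update_ea() {
    local url body
    url=$(ea_url "$1") || { echo "refusing non-numeric computer id: $1" >&2; return 1; }
    body=$(build_ea_xml "$2" "$3")
    /usr/bin/curl --silent --show-error --fail \
        --netrc-file "$JSS_CRED_FILE" \
        --header 'Content-Type: text/xml; charset=utf-8' \
        --request PUT --data "$body" \
        --connect-timeout 5 --max-time 10 \
        "$url"
}

# Usage from the loop in the reply: update_ea "$ID" MacAdmin "Not Admin"
```

The netrc file is the only place the API account's password lives, so rotating it means editing one file rather than every script that talks to the JSS, and `ps` never shows it. If the JSS runs on a self-signed certificate, point curl at that certificate with --cacert rather than disabling verification.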


  • Author
  • Honored Contributor
  • 351 replies
  • September 16, 2014

Thank you both for responding...

I figured it out

#!/bin/bash
# Extension attribute: OU path of the console user's AD account

currUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

# XX is the short domain name; the node path must be quoted because of the spaces
OU=$( dscl "/Active Directory/XX/All Domains" read "/Users/$currUser" dsAttrTypeNative:distinguishedName | awk -F"OU" '{ print $1,$2,$3 }' | sed -e 's/CN=//g;s/,$//g;1d' )

echo "<result>$OU</result>"
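The OU extraction from the post above, generalised as an added example (not the author's script): the distinguishedName is split into its RDNs with escaped commas such as "Doe\, Jane" handled, the OU components are returned root-to-leaf however deeply they are nested, and a helper reports whether the account sits in a named OU such as "Terminated Accounts", so the extension attribute carries a stable value to build the smart group on. The function names dn_ou_path, user_in_ou and ea_result are chosen here, and XX stays the domain placeholder from the post.

```shell
#!/bin/bash
# Added example: parse an AD distinguishedName into its OU path and report
# whether the account lives in a given OU. Function names are assumptions.

# Print the OU components of a DN, root first, joined with "/".
# A DN lists the leaf first ("CN=user,OU=Terminated Accounts,OU=Staff,DC=..."),
# so each OU found is prepended to the path built so far.
dn_ou_path() {
    printf '%s\n' "$1" | awk '
    {
        gsub(/\\,/, "\001")            # protect escaped commas before splitting
        n = split($0, rdn, ",")
        path = ""
        for (i = 1; i <= n; i++) {
            sub(/^[ \t]+/, "", rdn[i]) # tolerate "OU=a, OU=b" spacing
            if (toupper(substr(rdn[i], 1, 3)) == "OU=") {
                v = substr(rdn[i], 4)
                gsub("\001", ",", v)    # restore the literal comma
                path = (path == "") ? v : (v "/" path)
            }
        }
        print path
    }'
}

# Exit 0 when the DN in $1 contains an OU component equal to $2.
# Wrapping the path in slashes forces a whole-component match, so
# "Terminated" does not match "Terminated Accounts".
user_in_ou() {
    case "/$(dn_ou_path "$1")/" in
        *"/$2/"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# On a bound Mac: look up the console user's DN and emit the Jamf
# extension attribute result. dscl prints the value either on the same line
# as the attribute name or on the next line with a leading space; both are handled.
ea_result() {
    currUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1; exit }' )
    dn=$( dscl "/Active Directory/XX/All Domains" -read "/Users/$currUser" dsAttrTypeNative:distinguishedName 2>/dev/null \
          | sed -e 's/^dsAttrTypeNative:distinguishedName: *//' -e '/^$/d' -e 's/^ *//' | tail -n 1 )
    if [ -z "$dn" ]; then
        printf '<result>Not found</result>\n'
    elif user_in_ou "$dn" "Terminated Accounts"; then
        printf '<result>Terminated: %s</result>\n' "$(dn_ou_path "$dn")"
    else
        printf '<result>%s</result>\n' "$(dn_ou_path "$dn")"
    fi
}

# Entry point: the Jamf agent runs this script and captures the <result>
ea_result
```

With this output a smart group criterion of the form "extension attribute like Terminated:" catches the terminated accounts regardless of how deep the OU sits, and the same script keeps reporting the full OU path for everyone else, which is useful for inventory on its own.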