I have several packages where I deploy them with smart labels based on some computer information and this works excellently because my packages deploy when new computers come online without my intervention.

I have a new package where I only want to deploy it to laptops if the logged on user is a member of a certain AD Group.  The package is Symantec DLO.  One of its features is you can install it on a computer and when a user that is in a selected AD group logs on it will backup their documents and settings in their profile to a server.

I do not want to just blast this down to all the laptops because one of the issues with the agent is it will give you a prompt telling you that you are not on the backup list if you are not a member of the group.  I would like to keep that to a minimum.

I was thinking that I could use an LDAP label for the user information, however I understand that the label does not apply to the user until they log into the K1000.  Ideally I hope that a user never has to log onto the K1000 because they would have no issues because I want everything 100% automated and that is the issue.  I cannot deploy the software automatically unless the user logs onto the K1000 at least 1 time after they become a member of the AD group I am filtering on.

Is there some other way I can label the computer with maybe a custom inventory rule or something that does not require them to log on so I can detect if the user is a member of an AD Group?


Answers

Only LDAP User labels depend on the user logging into the KBOX. LDAP Device labels are applied when devices check in, and you can create an LDAP filter that will cause it to include only machines that have members of a specific AD group logged in. Here is an example of a filter we use to do just that:

(&(sAMAccountName=KBOX_USERNAME)(memberOf=CN=Group Name,OU=Groups,DC=mydomain,DC=com))

The way that works is, when the machine checks in, the KBOX_USERNAME variable is replaced with the user that is currently logged into the PC. If the filter returns any records, the machine is added to the label. When building the LDAP label, you have the option to test it. Be sure to replace KBOX_USERNAME with an actual user name when testing.

Answered 07/07/2014 by: BHC-Austin
Fourth Degree Black Belt
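
An added example, not part of the answer above and not KACE code: it builds the answer's filter for a manual test with RFC 4515 escaping of the user name, then evaluates it against constructed sample entries to show when the label would apply. The helper names, the sample accounts and the small local evaluator are assumptions; how the appliance itself performs the KBOX_USERNAME substitution is not shown on the page.

```python
import re

# The answer's filter, with the group DN exactly as posted there.
TEMPLATE = ("(&(sAMAccountName=KBOX_USERNAME)"
            "(memberOf=CN=Group Name,OU=Groups,DC=mydomain,DC=com))")

# Constructed sample entries standing in for what AD would hold.
DIRECTORY = [
    {"sAMAccountName": ["jdoe"],
     "memberOf": ["CN=Group Name,OU=Groups,DC=mydomain,DC=com"]},
    {"sAMAccountName": ["asmith"],
     "memberOf": ["CN=Other Group,OU=Groups,DC=mydomain,DC=com"]},
]

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in a filter value: \\ * ( ) NUL."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_test_filter(username, template=TEMPLATE):
    """Replace KBOX_USERNAME with a real user name, as done for a manual test."""
    if not username.strip():
        raise ValueError("no user name to test with")
    return template.replace("KBOX_USERNAME", escape_filter_value(username))

def _term_matches(raw, values):
    # An unescaped * is a wildcard; \xx escapes decode to literal characters.
    parts = [re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), p)
             for p in raw.split("*")]
    pattern = ".*".join(re.escape(p) for p in parts)
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def matches(flt, entry):
    """Evaluate an (&(attr=value)...) filter against one entry (all terms must match)."""
    terms = re.findall(r"\(([A-Za-z]+)=((?:[^()\\]|\\[0-9a-f]{2})*)\)", flt)
    return bool(terms) and all(_term_matches(v, entry.get(a, [])) for a, v in terms)

def label_applies(flt, directory=DIRECTORY):
    """The label is applied when the filter returns at least one record."""
    return any(matches(flt, e) for e in directory)

if __name__ == "__main__":
    print(build_test_filter("jdoe"), label_applies(build_test_filter("jdoe")))
    print(label_applies(build_test_filter("asmith")))             # not in the group
    print(label_applies(TEMPLATE.replace("KBOX_USERNAME", "*")))  # raw wildcard
    print(label_applies(build_test_filter("*")))                  # escaped literal
```

The last two lines show why the test value should be a real, escaped account name: a bare `*` in place of KBOX_USERNAME matches any group member, so the test passes without saying anything about a specific user.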
