/build/static/layout/Breadcrumb_cap_w.png

Device Smart Label based on User LDAP Group?

Hello,

I would like to create a smart label of all devices that are assigned to members of an Active Directory user group. Is there a way to create this type of smart label using the label wizard and/or SQL?

I've tried playing around with the wizard, but don't see any way to associate user labels into a device label.


1 Comment   [ + ] Show comment
  • I work in an industry that requires tight control over application deployments. I can't deploy applications to devices when a user logs in; I need be more specific than that. I need to assign managed installations to devices which are assigned to users based on the user being a member of a security group in AD, just like the original request. Here's an example:

    AD Security Group: "Chrome Deployment" contains the user John Doe
    KACE Managed Install: Chrome managed install is deployed on the devices assigned to John Doe.

    I had no idea this was going to be a huge undertaking. I've tried ondrar's method and managed to create an LDAP user label. I created an additional label and pasted in the provided SQL, while replacing '%User - LDAP label created in step 1%' with '%Chrome Install%' but even after forcing inventory on devices that should be included in this label, the label contains no devices.

    I have no idea where I'm going wrong. Can anyone expand on the provided solution with more detail or provide an alternative? My SQL skills are extremely limited. - thowa 5 months ago

Answers (2)

Posted by: ondrar 1 year ago
Black Belt
2

I have something that might work for you.

First, make a User LDAP label that looks for members of the AD group in question.  See the example below if you need help getting started with that part.

When the User Import runs, the users in that AD group will get this label in KACE.


Next, create a SQL Device Smart Label to look for the LDAP label of the user who uses the Device:

select
    M.NAME,
    U.FULL_NAME,
    GROUP_CONCAT(L.NAME SEPARATOR ', ') AS LABEL,
    BIOS_SERIAL_NUMBER
from USER U
join MACHINE M on U.FULL_NAME = M.USER_FULLNAME
join USER_LABEL_JT UJT on U.ID = UJT.USER_ID
join LABEL L on UJT.LABEL_ID = L.ID
group by U.FULL_NAME
HAVING GROUP_CONCAT(L.NAME) LIKE '%User - LDAP label created in step 1%'

This will only return one device per user, so you may need to modify as necessary.  Also works as a handy report.

Hopefully this helps!

Posted by: Timokirch 1 year ago
4th Degree Black Belt
0

Hi LosNats456,

in default we can't dynamically group devices on user ad attributes. What you can do is running a script which echos all of the usergroups to a textfile and doing an inventory afterwards. Over a custom inventory you can then put the device in a label. Would that work for you?

Kind Regards

Timo

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ