Given an AD Security Group of 621 users, how can I target them with a Managed Install?
Hello,
I've been asked to push some accounting software to our accountants. The only place this list of users is defined is in a global Security group called Accountants. The users are in different OUs based on their geographic location. I had hoped KACE would be able to associate the users with their machines and target that way.
How can I use this list of users to target them for a Managed Install?
I tried an LDAP label like this:
Type: Device
Base DN: DC=company;DC=net
Advanced Search: samAccountName=Accountants
This label applied to every machine as it checked in.
Also tried
Type: User
Base DN: CN=Accountants,OU=Houston-Security Groups,OU=Houston,OU=Region - GC,DC=company,DC=net
Advanced Search: (samaccountname=KBOX_USER_NAME)
This applied to every user (3 tested, member and notmember of Accountants), and they had to log into the K1000 web to apply the label.
I've been asked to push some accounting software to our accountants. The only place this list of users is defined is in a global Security group called Accountants. The users are in different OUs based on their geographic location. I had hoped KACE would be able to associate the users with their machines and target that way.
How can I use this list of users to target them for a Managed Install?
I tried an LDAP label like this:
Type: Device
Base DN: DC=company;DC=net
Advanced Search: samAccountName=Accountants
This label applied to every machine as it checked in.
Also tried
Type: User
Base DN: CN=Accountants,OU=Houston-Security Groups,OU=Houston,OU=Region - GC,DC=company,DC=net
Advanced Search: (samaccountname=KBOX_USER_NAME)
This applied to every user (3 tested, member and notmember of Accountants), and they had to log into the K1000 web to apply the label.
2 Comments
[ + ] Show comments
-
I have a similar setup, not sure what KACE is. but Using RPC I can tell any workstation to start an install or copy a file etc. - perceptus 8 years ago
-
I have been following a few related KACE questions regarding the tie between AD users and their PC's in the K1000. From what I'm observing is, the users don't populate the LDAP label unless they log into the K1000. Is that correct? If so, there has to be a better way while the plumbing is in place! - worzie 6 years ago
Answers (2)
Answer Summary:
Please log in to answer
Posted by:
BHC-Austin
8 years ago
Top Answer
I use an LDAP label to identify what PCs my IT Staff are logged into. You were on the right track with the device label, but your filter needs to be based on the user name.
It would look something like this:
Type: Device
Base DN: DC=company,DC=net
Advance Search: (&(sAMAccountName=KBOX_USERNAME)(memberOf=CN=Accountants,OU=Houston-Security Groups,OU=Houston,OU=Region - GC,DC=company,DC=net))
Comments:
-
Imagine my surprise when a year and a half later I decide to revisit this problem and find my own post.
I get the expected user list when I do the memberOf search in LDAP Browser and thought I was gravy, but ALL devices started getting tagged in it after check in.
LDAP Browser gives no results when I add the &(sAMAccountName=KBOX_USERNAME). Hrm.
EDIT: I found https://support.quest.com/kace-systems-management-appliance/kb/112277 and see the KBOX variable is necessary but must be changed for testing. WIP. - vmann 7 years ago
Posted by:
okador
8 years ago
Did you try gpo on computer policy, with software package deployed from file share?
