Scripting Question

Software Removal Based on AD Group Membership Change

01/16/2019 375 views


I'm working on a strategy to deploy software based on AD Group Membership. I've got the logic worked out with an LDAP Smart Label so that the software deploys via script.

I think i've reasoned out how to get the software to REMOVE via AD group change using smart labels. What i'm now curious about is whether i can script the removal of a label. I don't want to leave things lying around.

for example: 

Label: SoftwareInstall-PKG-X is an LDAP smart label.

I can create another smart label showing that a system has a software title and isn't in that group, and trigger the removal, but then the system still has the smart label applied to it.

how can i trigger the removal of a label?



3 Comments   [ + ] Show comments


  • created with the proper logic the smart label will remove itself ... duh.
    • Maybe I'm reading too much into your request. So the software already exists, you just need to have it removed if they no longer exist in the AD group? Then, yes, simply test for existence of software + AD group.
      • you're exactly right - that's what i was doing.
  • I'm going to follow this one. I have had a need for this in the past and unfortunately was unable to get over the fact that KACE is more device targeted, not user target. I want to believe it can be AD group targeted, but then you need to consider if that software needs to be removed every time a non AD member logs into that. Does it also remove it if an administrator logs in as well? Again, I'm more interested to see this get answered.
    • our use case is essentially more device based - i work at a college. we'd be deploying to public lab machines, so per device, and then to faculty/staff, and they don't share machines, so again, to device. we have group policies applied for user experience but i have a difficult time understanding why software would need to be removed from a machine if a non-ad user or administrator logs in. what is your use case for this? what are the machine roles? i've essentially solved my problem but am very curious about yours!
      • Ok, yes, so if a local user logs in, the KACE agent will see this as a member not in the AD group and perhaps remove your software.
  • why would you remove the software?

All Answers


Use AD groups for the machines that should have that software and Kace will read those via ldap.  For each software AD group create 2 smart labels. 

One for machines with that AD group. 

One for machines that do not have that AD group and that software exists on the machine.

Create MI install and use the label for machines that are in that AD group. 

Create un-install MI and use the label for machines that are not in that AD group and have the software installed

Then as you add or remove machines from the AD group the 2 SMA smart labels will update via ldap. The machines will update and have only one smart smart label for each software to whether they are in the AD group or not and the appropriate install or uninstall MI's will run

Answered 01/17/2019 by: SMal.tmcc
Red Belt

  • Actually, what i've done is use an LDAP Smart Label for the deployment, and a device smart label for the removal. The Device smart label logic is this: If software is present and device is not part of ldap smart label, get placed in removal smart label. since the logic is designed that way, the system will self-remove from the removal smart label after its next check-in.

Create a Device Smart Label. Criteria for the Device Smart Label should be to identify that the software is present on the device, and that the device does not have the LDAP SmartLabel used for installation  applied to it. In this way, the removal of the AD security group will trigger the LDAP Smart label to self update, drop the machine into the Removal Smart Label, and because of the structure of the Removal Smart Label criteria, the machine will self-remove from the Removal Smart Label at next checkin.

This appears to work without issue (as long as i don't screw up my scripting :P ) 

I'm using a combination of scripts and MIs to drop software on ... just depends on the software. I work for a business school and there are several open source stat utilities and mathematical notation utilities which we use.

Answered 01/17/2019 by: cdmead
Yellow Belt

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ