
    Thanatos8088

    @Thanatos8088


    Latest posts made by Thanatos8088

    • RE: AD/LDAP Security Groups?

      @theopenem_admin
      Very very cool, I did run into an issue though, but it might be an edge case. I'm now getting "Failed" for a last run status on LDAP Sync (bind tests OK). It has ingested the security groups, by name, but membership is at 0 for all of them. It looks like this log message is the relevant exception occurring:

      System.Data.Entity.Infrastructure.DbUpdateException: An error occurred while updating the entries. See the inner exception for details. ---> System.Data.Entity.Core.UpdateException: An error occurred while updating the entries. See the inner exception for details. ---> MySql.Data.MySqlClient.MySqlException: Cannot add or update a child row: a foreign key constraint fails ("theopenem"."group_memberships", CONSTRAINT "GROUP_FK" FOREIGN KEY ("group_id") REFERENCES "groups" ("group_id") ON DELETE CASCADE ON UPDATE NO ACTION)

      I went through the update sequence as listed in the guide, any chance I dropped a stitch and this one's on me?

      posted in Feature Requests / Feedback
      T
      Thanatos8088
    • "Not" options for groups using Category

      Trying to build a check for 'missing software' when computers are members of a certain AD group.
      Easy to tag categories to AD groups, and easy to tag categories to software-check dynamic groups.

      With the limitations on "Not" to a single line query, my intent was to create an inverse group, i.e. {Not, Category, Category_name=} and then tag that dynamic group with a category and then have yet another group looking for members of both it and AD presence category.

      It seemed the best, if roundabout, method to do a missing check within an AD subset without building/downloading policy into the computer and running a powershell script as a condition.... but it appears Not, And, Or do not return the results with category members, only "No Results" so it's a non-starter. Example in photo, MS & HS category has 95 members, LanschoolAir has 89 members, the groups overlap.
      Screenshot 2022-09-17 114032.png

      Suggestions, thoughts, or 'nope, can't happen' all welcome 🙂 I could easily be missing a better, simpler, logic solution to this.

      posted in Feature Requests / Feedback
      T
      Thanatos8088
    • RE: TOEC AppData folder

      I found the delete cache option a bit late myself (entirely my overexcitement to play with a new toy). Script to the rescue, Toems cleaning up Toems:

      Get-ChildItem -Path "C:\Program Files\Toec\AppData" -Include *.* -File -Recurse | foreach { $_.Delete()}
      
      I have one that burns the log file on the clients as well, set for a 2-month cycle. Might bite me, might not. But this way I leave the folders intact and toast any cached installers inside of them I forgot to flip the switch for (I'm looking at you, oh bloated Adobe).
      
      posted in Support
      T
      Thanatos8088
    • RE: AD/LDAP Security Groups?

      Just tacking this on in case others find the thread looking for a similar function. I've got a better workaround in place than my previous plan, and it mercifully doesn't need an additional PS module; doing this without Get-ADuser since it has to run on the end device was my happy place.

      Using the following as a conditional for a theopenem policy, replace the $group at the end with your match/search criteria:

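      # Look up this computer's own AD object and read its distinguished name.
      $machineDN = "(&(objectCategory=computer)(objectClass=computer)(cn=$env:COMPUTERNAME))"
      $userdn = ([adsisearcher]$machineDN).FindOne().Properties.distinguishedname
      # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it matches groups that
      # contain the DN directly or through nested groups.
      $strFilter = "(member:1.2.840.113556.1.4.1941:=$userdn)"
      # Search the whole forest root domain for matching groups.
      $objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://rootDSE")
      $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
      $objSearcher.SearchRoot = "LDAP://$($objDomain.rootDomainNamingContext)"
      $objSearcher.PageSize = 1000
      $objSearcher.Filter = $strFilter
      $objSearcher.SearchScope = "Subtree"
      # Only the group name is needed; Add() returns an index, so discard it.
      $colPropList = "name"
      foreach ($i in $colPropList){
         $objSearcher.PropertiesToLoad.Add($i) > $null
         }
      $colResults = $objSearcher.FindAll()
      # Collect the name of every group the computer belongs to.
      $results = foreach ($objResult in $colResults)
          {
            $objItem = $objResult.Properties
            $objItem.name
            }
      $group = "PUT YOUR GROUP NAME HERE"

      # Exit 0 (condition met) when the computer is in the group, otherwise exit 1.
      If ($results -contains $group)
      {exit 0} else {exit 1}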
      
      All credit to the good folks over at stackoverflow for having the pieces for this among a few threads. It might not be as concise as it could be, but it does run quickly.
      
      posted in Feature Requests / Feedback
      T
      Thanatos8088
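
An added example, not part of the original post or of Theopenem: the script above interpolates the computer's distinguished name directly into an LDAP filter, so a DN containing characters that RFC 4515 reserves in filter values (parentheses, asterisk, backslash, NUL) should be escaped first. The function names `ConvertTo-LdapFilterValue` and `New-TransitiveMemberFilter` are hypothetical, and the sample DN is constructed.

```powershell
# Added example. Function names and the sample DN are hypothetical/constructed.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter assertion value:
    # backslash, asterisk, parentheses and NUL become \5c, \2a, \28, \29, \00.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function New-TransitiveMemberFilter {
    # Build the nested-membership filter used in the post, with the DN escaped.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $safe = ConvertTo-LdapFilterValue -Value $DistinguishedName
    "(member:1.2.840.113556.1.4.1941:=$safe)"
}

# Constructed DN: the OU name contains parentheses and the CN an escaped comma.
$sampleDN = 'CN=LAB\, PC-01,OU=Lab (North),DC=example,DC=org'

# Unescaped, as the post builds it: the DN's parentheses and backslash
# land inside the filter as filter syntax.
$rawFilter = "(member:1.2.840.113556.1.4.1941:=$sampleDN)"

# Escaped: the same DN carried as a literal value.
$safeFilter = New-TransitiveMemberFilter -DistinguishedName $sampleDN

"raw : $rawFilter"
"safe: $safeFilter"
```

In the post's script this means passing `$userdn` through the escaping function before building `$strFilter`.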
    • RE: AD/LDAP Security Groups?

      I could see an ldap-based toems group with additional dynamic options being useful for some, but for my purposes, I don't see more than just criteria being a necessity (at least within my view of the horizon).... unless I wanted that group to then purge (NOT application,name) members that have finished installing or whatever other action applies... Either way it's definitely a step saver. I've got a good workaround I tested out last night with an Adobe CC deploy using the cert trick. Even baked in a cleanup action (still not sure what housekeeping happens with the toec/appdata resources and adobe was a special case because of an obnoxious size) into the GPO, after toems does its thing... good ol' item level targeting, brutal but effective.

      I could see it tripping up if it can't drill down, i.e. dynamic group looking for CN=Student-Computers which contains CN=High_School_Machines... with group members CN=2023, CN=2024 inside of that... with the computers in question being members among those bottom-rung groups. Worst case, an OR with the base direct-add groups gets the job done, and meeting a system halfway is more than fair. As you said, might prove a little challenging, but I'll gratefully work with whatever the structure provides. Thanks again very much for everything built so far; I'll definitely be name-dropping your resource around my little corner of the education industry, there are a few of us out here yet who aren't running an all-chromebook fleet 😆 .

      posted in Feature Requests / Feedback
      T
      Thanatos8088
    • RE: AD/LDAP Security Groups?

      @thanatos8088 Replying to my own thread, but I do have to add that having come over from Clonedeploy and a mixed bag of other tools (including SCCM) I'm loving this management solution and deeply grateful for everything it has, security groups or not. 😀

      posted in Feature Requests / Feedback
      T
      Thanatos8088
    • AD/LDAP Security Groups?

      Obvious request (at least to me) but I'm not seeing this asked elsewhere. I was wondering what the stance was on including AD security group presence as a dynamic group criteria?

      I'd be the first to admit I don't know how problematic this would be to construct. I know listing is possible within powershell (and the right module in place), and for LDAP users a cmd line "whoami /groups" would get the job done, but isn't helpful for the machine membership...

      Just thinking of ways I could save touch-points for policy and have a bit more flexibility for change. Current workaround is to throw a purposeless user certificate out to the device with a specific friendly-name and have Toec watching for that. It's a bit circuitous, and I'm probably missing an obvious 'easier' way.

      posted in Feature Requests / Feedback
      T
      Thanatos8088