Dynamic Collection - Check whether current user is member of specific AD group?
Hi all, please help me crack this one?
We are running PDQ Deploy and Inventory in Enterprise mode, v18.3.
I'd like to add a filter to my dynamic collection that does something like:
Computer --> Current User --> Is member of AD Group --> "ApplicationXYZ users".
In other words, we have a select group of users who have a license for a specific application, and we'd like to automate deployment of the app to their PCs by maintaining the AD user group.
Can it be done?
Thanks in advance. :-)
PS: I realize that I can probably at least do "Computer --> Current User --> Matches expression --> <REGEX that lists all the user names>" - but maintaining this would be much more cumbersome and error prone than maintaining an AD user group.
Comments
I'm not aware of any way to do this natively in PDQ Inventory. You could probably use PDQ Inventory to generate a CSV, use PowerShell on that CSV to get a text file, and then feed that text file back into PDQ or something along those lines, but I foresee several issues with your approach.
The "Current User" field is not a reliable indicator of who owns a computer. It is literally just the user that was signed in during the last scan. For example, I have 1039 computers in my environment and running a dynamic collection of machines with a non-blank "Current User" field returns only 561 computers. The rest had no user signed in during the last scan.
If there is a shared computer or if e.g. someone from IT remotes into a machine while it is being scanned, it will screw up your dynamic collection.
Unfortunately this is not a good way to do this, you need to have a reliable database of who owns which PC. Once you have that database you can query AD for a list of users in the group. Then, query your database for only computers owned by the users in your database and deploy to those computers. The "Current User" field just doesn't do what you want it to do.
The database that I mentioned earlier could easily be a custom field in PDQ but you would have to do the necessary data entry to populate it. PDQ does not have a way to magically determine which computers are owned by which users.
Hi Luke,
thanks for your help! However, I'm well aware of those caveats, and our company and hardware setup is such that the Current User field is in fact a very good indicator. Perfect, no, but it'll work fine for my purposes.
Ultimately, though, the real database of who owns which PC is Active Directory. And my preferred way would be to check the "Managed by" value of the AD computer object in a filter. That value is an AD user object, and I'd then want to test for its membership of an AD user group.
However, that "Managed by" field is missing from the AD computer fields I can pick from in PDQ Inventory for some reason?
Unfortunately I can't think of any way to natively do this based on AD group within PDQ without having an additional step taking place in PowerShell. You are probably stuck either using the manually-updated regex method you mentioned or having an additional step in PowerShell to handle the external logic. However, I can think of a couple of ways to get at the "managedBy" attribute within PDQ without needing to use Current User:
Hopefully someone else has a better solution for you.
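An added PowerShell example (not from the thread and not PDQ's own tooling) of the external step both replies describe: query AD for the group's members, match them against each computer object's managedBy attribute, and write out a computer list plus a fallback regex for the "Current User --> Matches expression" filter from the question. It assumes the RSAT ActiveDirectory module and the group name "ApplicationXYZ users" taken from the question.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory
# module is installed and the group name below exists (name taken from
# the question; adjust for your domain).
Import-Module ActiveDirectory

$GroupName = 'ApplicationXYZ users'

# Recursive membership so nested groups count; keep only user objects.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# Map each member's DN to its SamAccountName for fast lookup.
$memberByDN = @{}
foreach ($m in $members) { $memberByDN[$m.distinguishedName] = $m.SamAccountName }

# Computers whose managedBy attribute points at a licensed user.
$licensedComputers = Get-ADComputer -Filter * -Properties managedBy |
    Where-Object { $_.managedBy -and $memberByDN.ContainsKey($_.managedBy) } |
    Select-Object Name, @{ n = 'Owner'; e = { $memberByDN[$_.managedBy] } }

# Output 1: plain computer list (one name per line) to feed back into PDQ.
$licensedComputers | Select-Object -ExpandProperty Name |
    Set-Content -Path .\ApplicationXYZ-computers.txt

# Output 2: fallback regex for the Current User filter. Names are escaped
# and anchored so "jdoe" does not also match "jdoe2"; an optional
# DOMAIN\ prefix is accepted in case Current User is stored that way
# (assumption about the field format, verify against your data).
$escaped = $members | ForEach-Object { [regex]::Escape($_.SamAccountName) }
$regex   = '(?i)^(?:[^\\]+\\)?(' + ($escaped -join '|') + ')$'
Set-Content -Path .\ApplicationXYZ-currentuser-regex.txt -Value $regex

# Show what was resolved so the result can be sanity-checked before use.
$licensedComputers | Format-Table -AutoSize
```

Re-run the script on a schedule so both files track changes to the AD group, then point the collection or deployment target at the regenerated output.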