Dynamic Collection - Check whether current user is member of specific AD group?

3 comments

  • Luke Nichols

    I'm not aware of any way to do this natively in PDQ Inventory. You could probably use PDQ Inventory to generate a CSV, use PowerShell on that CSV to get a text file, and then feed that text file back into PDQ or something along those lines, but I foresee several issues with your approach.

    The "Current User" field is not a reliable indicator of who owns a computer. It is literally just the user that was signed in during the last scan. For example, I have 1039 computers in my environment and running a dynamic collection of machines with a non-blank "Current User" field returns only 561 computers. The rest had no user signed in during the last scan.

    If there is a shared computer or if e.g. someone from IT remotes into a machine while it is being scanned, it will screw up your dynamic collection.

    Unfortunately this is not a good way to do this; you need to have a reliable database of who owns which PC. Once you have that database you can query AD for a list of users in the group. Then, query your database for only computers owned by the users in your database and deploy to those computers. The "Current User" field just doesn't do what you want it to do.

    The database that I mentioned earlier could easily be a custom field in PDQ but you would have to do the necessary data entry to populate it. PDQ does not have a way to magically determine which computers are owned by which users.

  • ah

    Hi Luke,
    thanks for your help! However, I'm well aware of those caveats, and our company and hardware setup is such that the Current User field is in fact a very good indicator. Perfect, no, but it'll work fine for my purposes.

    Ultimately, though, the real database of who owns which PC is Active Directory. And my preferred way would be to check the "Managed by" value of the AD computer object in a filter. That value is an AD user object, and I'd then want to test for its membership of an AD user group.

    However, that "Managed by" field is missing from the AD computer fields I can pick from in PDQ Inventory for some reason?

  • Luke Nichols

    Unfortunately I can't think of any way to natively do this based on AD group within PDQ without having an additional step taking place in PowerShell. You are probably stuck either using the manually-updated regex method you mentioned or having an additional step in PowerShell to handle the external logic. However, I can think of a couple of ways to get at the "managedBy" attribute within PDQ without needing to use Current User:

    • See if you can get the "managedBy" AD attribute with a WMI scanner. I'm not sure if WMI has that info or not, this might be a dead end. I did some cursory searches on the internet and did a recursive search in WMI explorer for managedBy but didn't find anything.
    • Create a custom field in PDQ for managedBy and populate it. I'm pretty sure you could fully automate this. Basically just create a scheduled task that runs a PowerShell script to query all computers in whatever OUs PDQ Inventory connects to and return just the computername and the managedBy attribute. Then write that to a CSV. You could import that CSV into PDQ as a custom field using the command line which, again, could be automated: https://www.pdq.com/blog/adding-custom-fields-multiple-computers-powershell/

    Hopefully someone else has a better solution for you.

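An added example (not code from the thread or from PDQ) of the scheduled-task script the second bullet describes, extended with the group test the original question asked for: it reads managedBy for every computer in an OU, checks whether that user is a member of one AD group, and writes a CSV that the PDQ custom-field import can consume. The OU, group name, output path and CSV column headers are placeholders to adjust; the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not from the thread or PDQ. Requires the RSAT ActiveDirectory module.
# The OU, group, path and column headers below are placeholders for your environment.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU PDQ Inventory syncs
$GroupName  = 'Software-Foo-Users'                 # placeholder: AD group to test against
$OutFile    = 'C:\PDQ\managedBy.csv'               # placeholder: CSV for the custom-field import

# Resolve the group membership once (recursive, so nested groups count) and keep the
# member DNs in a hash table, so each computer is a lookup rather than an LDAP query.
# Note: Get-ADGroupMember hits a server-side limit on very large groups.
$members = @{}
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $members[$_.distinguishedName] = $true }

$rows = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties managedBy |
    ForEach-Object {
        $dn    = $_.managedBy            # DN of the managing object, or $null if unset
        $owner = $null
        if ($dn) {
            # managedBy may point at a group or a deleted object; treat those as "no owner"
            try { $owner = Get-ADUser -Identity $dn -ErrorAction Stop } catch { $owner = $null }
        }
        [pscustomobject]@{
            'Computer Name' = $_.Name    # placeholder header: match what the PDQ import expects
            ManagedBy       = if ($owner) { $owner.SamAccountName } else { '' }
            InGroup         = if ($owner -and $members.ContainsKey($dn)) { 'Yes' } else { 'No' }
        }
    }

# Write the CSV; a dynamic collection can then filter on the custom field InGroup = "Yes".
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Sanity summary for whoever runs the scheduled task, so an empty or truncated AD
# query does not silently produce an empty collection.
"{0} computers, {1} with a managedBy user, {2} in group '{3}'" -f @($rows).Count,
    @($rows | Where-Object { $_.ManagedBy }).Count,
    @($rows | Where-Object { $_.InGroup -eq 'Yes' }).Count, $GroupName
```

Run it under a service account with read access to the OU and group, then feed the CSV to the command-line import from the blog post linked above.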
