Smart Label for LDAP?
We use a K1000 to push out various applications and updates but are now being asked to apply a certain label only to new users. What I'd like to do is create a label based on the "Record Created" date under system information, and apply it to computers with a date after X. I've gone through the Smart Label and LDAP label wizards but there doesn't seem to be a way to build a label from that record without knowing the proper SQL commands - which I obviously don't.
If some kind soul would point me in the proper direction, I'd be extremely grateful.
Answers (5)
Posted by:
GillySpy
13 years ago
I'm not certain what is being asked here so here's a thought and then some questions below:
You cannot apply a smart label to users. Smart labels can only be applied to machines, patches, software, Dell updates and IP scan results. However, an LDAP label is a smart label of sorts except it acts on Users. LDAP labels are applied when users log in and use information based on LDAP filter criteria instead of a SQL query of data about the kbox user record. You can only use data from LDAP in these filters. However, this FAQ can help you to keep your LDAP labels in sync with your users without having them log in:
http://www.kace.com/support/kb/index.php?action=artikel&cat=7&id=1094&artlang=en
There is an LDAP (AD) attribute called "whenCreated" that you could use in your search filter to identify when the object was created in the directory rather than in kbox.
If you don't need to keep the LDAP labels in sync then you would have to have at least one and maybe two rules that run on a regular schedule (e.g. daily). One rule would label new users; the other, optional rule would "unlabel" users that are no longer new. If you plan on manually un-labelling them that works too, but make sure that you have some way of identifying users that have been unflagged -- if the only criteria is date then they would be relabelled when the rule is next run.
There may be a simpler way but I'm not certain exactly what your end goal is:
- What are you trying to label? Are you truly wanting to label users? Or is it just machines?
- Is the "newness" of the labelled object dependent upon the creation date of the user or the machine record or both?
- What is the purpose of the label?
--> It just dawned on me as I write this that you might be doing something that I was surprised was such a common practice out there, a practice I heard from a lot of users while at konference. It seems to be a common practice for customers to put a newly imaged machine on the network and want the K1000 to push that software out ASAP. This brings up a whole debate for me around compliance, even if it's just internal compliance. Why is it more important for a new machine that is out-of-compliance to get software than an older machine that is out-of-compliance? What if the "older" machine is a week old? Where do you draw the line and why is a date line being drawn at all? Why not deploy software to machines that need it regardless of the age? If you have an older machine that is out-of-compliance how did that happen -- is there a deeper problem with your network policies (logic / enforcement / technical problem)? So if age is not so important anymore then your labeling question on time is moot and you can focus on inventory which the smart label wizard should be able to do for you in most cases.
If you were wanting to label machines that were created within an X day time period you would add this SQL to your smart label:
and MACHINE.CREATED > DATE_SUB(NOW(), INTERVAL X /*change X */ DAY)
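Added example, not part of the original thread or of KACE's documentation: a sketch of the Active Directory search filters on "whenCreated" that the answer above refers to, one for the "label" rule and one for the optional "unlabel" rule. The function names, the objectCategory values, the sample entries and the choice of UTC midnight as the cutoff are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD returns whenCreated as UTC GeneralizedTime, e.g. 20111121153000.0Z
GT_FORMAT = "%Y%m%d%H%M%S.0Z"

def to_generalized_time(moment):
    """Render an aware datetime as a UTC GeneralizedTime string."""
    return moment.astimezone(timezone.utc).strftime(GT_FORMAT)

def from_generalized_time(value):
    """Parse a whenCreated value as returned by the directory."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)

def rolling_cutoff(now, days):
    """Midnight UTC `days` days back: X full days plus today's partial day."""
    midnight = now.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=days)

def new_object_filter(cutoff, category="user"):
    """'Label' rule: objects created at or after the cutoff.
    `category` is a fixed constant chosen by the admin, never user input."""
    return f"(&(objectCategory={category})(whenCreated>={to_generalized_time(cutoff)}))"

def aged_object_filter(cutoff, category="user"):
    """'Unlabel' rule. LDAP filters have no '<' operator, so negate '>='."""
    return f"(&(objectCategory={category})(!(whenCreated>={to_generalized_time(cutoff)})))"

def label_candidates(entries, cutoff):
    """Local mirror of the '>=' comparison, to sanity-check a cutoff offline."""
    return sorted(dn for dn, created in entries.items()
                  if from_generalized_time(created) >= cutoff)

# Constructed sample entries (not real directory data).
SAMPLE = {
    "CN=alice": "20111120235959.0Z",
    "CN=bob": "20111121000000.0Z",
    "CN=carol": "20111205101500.0Z",
}

if __name__ == "__main__":
    fixed = datetime(2011, 11, 21, tzinfo=timezone.utc)
    print(new_object_filter(fixed, "computer"))
    print(aged_object_filter(fixed, "computer"))
    print(label_candidates(SAMPLE, fixed))
```

The two filters are exact complements, so an object matches the "unlabel" rule as soon as it stops matching the "label" rule.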
Posted by:
skyking
13 years ago
Thank you very much for your reply, GillySpy. I'm sorry I wasn't clearer. You also bring up some excellent points that concerned me as well. However, the decision was made that all computers added to Active Directory from X date need to have a certain piece of software installed on them or there will be consequences. Extant computers will gradually be brought into compliance later. I know that sounds rather, um, odd, but that's what I'm working with.
I'm afraid I mixed "user" and "computer" rather thoughtlessly. I am referring to the new user's machine. I need kbox to query all computers, check the date they were added to AD (or kbox since both accounts are created at virtually the same time), locate the ones that were created on or after 11/21/2011 (for example), check to see if the software has already been installed and, if not, push it - without taking down the network, of course. Automatically sending out an email of instructions to the users whose computers just received the software would be a big bonus.
This is all new to me and I'm trying hard to get caught up fast. So, if there are better ways of accomplishing the task, I'm certainly open to them.
I really appreciate the help.
Posted by:
GillySpy
13 years ago
If a new user's machine is also new to kbox then a simple smart label to identify them based on a DAY range would be:
select MACHINE.ID
FROM MACHINE
WHERE DATE(MACHINE.CREATED) >= DATE_SUB(CURDATE(), INTERVAL X DAY)
e.g. 2 full days (plus today's partial) => X=2
NOTE: Since smart labels are applied on inventory, if the machine stops checking in then it may never lose that label.
Posted by:
skyking
13 years ago
Posted by:
GillySpy
13 years ago
Glad it's working!
Comments:
- found the answer - dkurz8814 12 years ago