Trying to import machines into a kace label based on computer group membership
Started looking into the Power Management options within Kace. Basically, we have created a number of AD groups with subsequent Kace labels to match.
When running through the LDAP label I can connect and the test label succeeds, but it never imports the computer accounts. Looking at the LDAP criteria I have the following:
Search Base DN: dc=mydomain,dc=uk
Search filter: (&(cn=KBOX_COMPUTER_NAME)(memberOf=CN=PwrPlanA,OU=Power Policy,OU=KACECustomGroups,ou=kace,OU=Applications,OU=Groups,OU=Work,DC=mydomain,DC=uk))
If I run this query from ADUC omitting the 'KBOX_Computer_name' syntax it returns results. However, from the Kace console, the query completes with no matching entries found and as a result no machines are imported into the corresponding label.
For info, similar ldap query works beautifully for users based on sec group query but not on computers.
Answers (6)
Looks to me like chucksteel is correct. I just finished working through this myself, and the only difference is that I used (&(objectclass=computer)(name=KBOX_COMPUTER_NAME)(memberof=.....)) for my search filter. There is really no need for the "objectclass" portion in my case, but it works with or without it, so I left it in.
One more thing to keep in mind is that you will not see the Labels filling up immediately. They will be populated as the affected machines perform their inventory operations.
The only other thing I see is that one of the OUs, "Power Policy", has a space in it. I don't think that will throw it off, but perhaps the string needs to be in quotes? What happens when you use the KACE LDAP Browser? Can you browse all the way to the PwrPlanA group?
Looks like your Search base is incorrect
dc=mydomain, dc=uk
Comments:
- That was a typo in the screen grab. - GCornelius 12 years ago
This works for us:
BaseDn looks at root of computers OU
Filter: (&(memberOf=CN=company_PwrPlanA,OU=Power Policy,OU=KACECustomGroups,OU=Kace,OU=Applications,DC=mydomain,DC=uk)(name=KBOX_COMPUTER_NAME))
Have to admit this is a bit frustrating, had a very similar and working user filter using KBOX_USER_NAME querying group membership, then attempted the same with KBOX_COMPUTER_NAME, didn't work, tried again, walked away, slept on it, had colleagues check it over, made coffee, then suddenly it worked.
Remember that when testing within Kace to replace 'kbox_computer' with a real device name or part of it, i.e. 'lap12*', to see any results, and wait for the device to report into the inventory. For testing I always force the inventory from the client by running "C:\Program Files\Dell\KACE\runkbot.exe" 4 0; it's quicker than navigating through the inventory and forcing from there.
We use:
BaseDN pointing at the computers OU.
Then a filter of:
(&(memberOf=CN=Company_PwrPlanA,OU=Power Policy,OU=KACECustomGroups,OU=Kace,OU=Applications,OU=Groups,DC=mydomain,DC=uk)(name=KBOX_COMPUTER_NAME))
Have to admit this frustrated me greatly. I had a similar group membership filter for users with 'KBOX_USER_NAME' instead of 'KBOX_COMPUTER_NAME', so swapping the variables made sense. It didn't work; tried multiple times, copy paste, write from scratch, had colleagues check it out, slept on it, then a hard coffee, and it worked.
As John pointed out, you'll need to await the inventory update. For testing I always use '"C:\Program Files\Dell\KACE\runkbot.exe" 4 0' on a test device, as it saves navigating the Kace console to force the inventory update from there.
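An offline way to check what the filters posted above select once the placeholder is replaced with a device name, added here as an illustration (it is not KACE code and not from any of the posters). Plain-text substitution of KBOX_COMPUTER_NAME, the constructed directory entries and the simplified matcher are assumptions; the escaping follows RFC 4515, which treats only NUL, parentheses, asterisk and backslash as special, so the space in "Power Policy" needs no quoting.

```python
import re

PLACEHOLDER = "KBOX_COMPUTER_NAME"  # substitution variable named on the page
GROUP_DN = ("CN=PwrPlanA,OU=Power Policy,OU=KACECustomGroups,ou=kace,"
            "OU=Applications,OU=Groups,OU=Work,DC=mydomain,DC=uk")  # DN from the question
TEMPLATE = "(&(name=%s)(memberOf=%s))" % (PLACEHOLDER, GROUP_DN)

# Constructed directory entries (not real data): attribute -> list of values.
DIRECTORY = [
    {"name": ["LAP1201"], "memberOf": [GROUP_DN]},
    {"name": ["LAP1202"], "memberOf": []},
    {"name": ["DESK(7)"], "memberOf": [GROUP_DN]},
]

def escape_value(value, keep_wildcard=False):
    """RFC 4515 escaping: only NUL ( ) * and backslash are special, spaces are not."""
    special = "\\()\0" + ("" if keep_wildcard else "*")
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)

def expand(template, device, keep_wildcard=False):
    """Assumed model of the label test: plain text replacement of the placeholder."""
    return template.replace(PLACEHOLDER, escape_value(device, keep_wildcard))

def parse(flt):
    """Split '(&(a=b)(c=d))' into [(attr, value), ...]; reject anything else."""
    if not (flt.startswith("(&") and flt.endswith(")")):
        raise ValueError("expected an AND filter: " + flt)
    body = flt[2:-1]
    items = re.findall(r"\(([^=()]+)=([^()]*)\)", body)
    if "".join("(%s=%s)" % item for item in items) != body:
        raise ValueError("unbalanced or unsupported filter: " + flt)
    return items

def unescape(text):
    """Turn \\xx hex escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def matches(entry, flt):
    """Case-insensitive equality/substring match of every AND term (simplified)."""
    attrs = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    for attr, want in parse(flt):
        parts = [re.escape(unescape(p)) for p in want.lower().split("*")]
        pattern = re.compile("^" + ".*".join(parts) + "$")
        if not any(pattern.match(v) for v in attrs.get(attr.lower(), [])):
            return False
    return True

def search(flt):
    """Names of the constructed entries that satisfy the filter."""
    return [e["name"][0] for e in DIRECTORY if matches(e, flt)]
```

Searching with the unexpanded template returns nothing because the literal placeholder is not a device name, which is why the label test needs a real name or a pattern such as 'lap12*'. A device name containing parentheses only yields a well-formed filter when it is escaped first.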