→ 🚀What's New? Explore Lansweeper's Fall 2024 Updates! Fall Launch Blog !

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mshajin
Engaged Sweeper III
Hi

It would be a useful feature to have if deployment can be done to AD security groups. If we can link dynamic groups to AD security groups, that would be even better so any assets added to the AD security group in future would pick up the deployment automatically.

I also notice a lack of support for AD security groups in general especially computer security groups. This can make deployment tasks a lot easier.

Thanks.
1 ACCEPTED SOLUTION
Susan_A
Lansweeper Alumni
You can already do exactly what you are describing below just by slightly modifying the AD group report we linked to.
Say, if I want to have a piece of software installed to all computers in an AD security group including any future ones I add to the group, I can just set it and forget all about it rather than having to add to both AD groups and Lansweeper deployment group each time.


Below is another example that lists computers in a specific group called "Test Group" that are missing a specific software called "Test Software". You can replace the highlighted criteria with your own. Reports are inherently dynamic. If you add a machine to Test Group, it will automatically show up in the report. The only thing you need to ensure is that your network is actually rescanned so the group change is detected. This can be achieved through scheduled scans. If you then run a scheduled deployment on the report, any machines in the group will automatically receive the software.

There's no need for us to add the AD group field to the dynamic group feature as well. This feature is meant to be a stripped down, simplified version of the report builder found under Reports\Create New Report. We deliberately limited the number of fields it supports. If you need to build a "dynamic group" based on another field, you can simply create a report instead.
Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tblAssets.Firstseen,
tblAssets.Lastseen,
tblAssets.Lasttried,
tblADGroups.Name As ADGroupName,
tblADGroups.Description As ADGroupDescription,
Case tblADGroups.GroupType When -2147483646 Then 'security - global'
When -2147483644 Then 'security - local' When -2147483643 Then 'built-in'
When -2147483640 Then 'security - universal'
When 2 Then 'distribution - global' When 4 Then 'distribution - local'
When 8 Then 'distribution - universal' End As ADGroupType
From tblAssets
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Left Join tblADComputers On tblAssets.AssetID = tblADComputers.AssetID
Left Join tblADMembership On tblADMembership.ChildAdObjectID =
tblADComputers.ADObjectID
Left Join tblADGroups On tblADMembership.ParentAdObjectID =
tblADGroups.ADObjectID
Where tblAssets.AssetID Not In (Select Top 1000000 tblSoftware.AssetID
From tblSoftware Inner Join tblSoftwareUni On tblSoftwareUni.SoftID =
tblSoftware.softID
Where tblSoftwareUni.softwareName = 'Test Software') And
tblADGroups.Name = 'Test Group' And tblComputersystem.PartOfDomain = 1 And
tblAssetCustom.State = 1
Order By tblAssets.Domain,
tblAssets.AssetName

View solution in original post

10 REPLIES 10
Cam
Engaged Sweeper II
I would like to second mshajin's request for AD Groups being a Dynamic Group Option. Would come in Handy for Computers or Users.

Thanks,
Cam
Daniel_B
Lansweeper Alumni
Lansweeper rescans AD users and AD groups according to your settings under Configuration\Scanning methods.
Updates to existing accounts will be scanned once every 24 hours if you enabled the corresponding settings under Congiguration\Server options, section Asset cleaup options ("Refresh Active Directory computer details...") and User cleanup options ("Refresh Active Directory user details...")
ghelpdesk
Champion Sweeper
How often does the group membership get updated? If we add a group to another group in AD, how long before Lansweeper is likely to reflect that update.

Thank you
Susan_A
Lansweeper Alumni
You can already do exactly what you are describing below just by slightly modifying the AD group report we linked to.
Say, if I want to have a piece of software installed to all computers in an AD security group including any future ones I add to the group, I can just set it and forget all about it rather than having to add to both AD groups and Lansweeper deployment group each time.


Below is another example that lists computers in a specific group called "Test Group" that are missing a specific software called "Test Software". You can replace the highlighted criteria with your own. Reports are inherently dynamic. If you add a machine to Test Group, it will automatically show up in the report. The only thing you need to ensure is that your network is actually rescanned so the group change is detected. This can be achieved through scheduled scans. If you then run a scheduled deployment on the report, any machines in the group will automatically receive the software.

There's no need for us to add the AD group field to the dynamic group feature as well. This feature is meant to be a stripped down, simplified version of the report builder found under Reports\Create New Report. We deliberately limited the number of fields it supports. If you need to build a "dynamic group" based on another field, you can simply create a report instead.
Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tblAssets.Firstseen,
tblAssets.Lastseen,
tblAssets.Lasttried,
tblADGroups.Name As ADGroupName,
tblADGroups.Description As ADGroupDescription,
Case tblADGroups.GroupType When -2147483646 Then 'security - global'
When -2147483644 Then 'security - local' When -2147483643 Then 'built-in'
When -2147483640 Then 'security - universal'
When 2 Then 'distribution - global' When 4 Then 'distribution - local'
When 8 Then 'distribution - universal' End As ADGroupType
From tblAssets
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Left Join tblADComputers On tblAssets.AssetID = tblADComputers.AssetID
Left Join tblADMembership On tblADMembership.ChildAdObjectID =
tblADComputers.ADObjectID
Left Join tblADGroups On tblADMembership.ParentAdObjectID =
tblADGroups.ADObjectID
Where tblAssets.AssetID Not In (Select Top 1000000 tblSoftware.AssetID
From tblSoftware Inner Join tblSoftwareUni On tblSoftwareUni.SoftID =
tblSoftware.softID
Where tblSoftwareUni.softwareName = 'Test Software') And
tblADGroups.Name = 'Test Group' And tblComputersystem.PartOfDomain = 1 And
tblAssetCustom.State = 1
Order By tblAssets.Domain,
tblAssets.AssetName
mshajin
Engaged Sweeper III
Thanks, I am aware of this option from your previous post. It seems like a rather long way of achieving this but I can still use this method to deploy to AD security groups.

What I am really after is the ability to automatically deploy applications to members of AD security groups so that admins can just add new members to AD security group and forget the rest. Hence why I requested the ability to link AD groups to Lansweeper dynamic groups. There may be other ways of achieving what I am after like a scheduled deployment or dynamic deployment groups etc.
Daniel_B
Lansweeper Alumni
Apologies, I didn't consider AD security groups. These can only be used through custom reports. You need to
  • ensure that all your AD groups are being scanned. We recommend using Domain User Scanning in order to scan all OU's which contain AD groups. Afterwards rescan your computers.
  • Create a custom report which lists assets being member of a certain AD security group. This example report lists the AD group membership of computers.
  • Use your report as deployment target
mshajin
Engaged Sweeper III
Thanks, this is useful.

Although, I was requesting the ability to link dynamic groups to AD security groups not OU. I could have a number of computers from different OUs in a security group. Deployment via AD security groups is a common practice.
Daniel_B
Lansweeper Alumni
Not sure if that is what you are looking for, but you can use Computers OU's in dynamic asset groups. Under Configuration\Asset groups, section Dynamic Asset Groups, select your asset group, hit Add Filter and use a filter like
Computer OU Like "OU=Example,DN=Computers,DC=Domain,DC=TLD"

Alternatively create a custom report, add tblADComputers to your report, select tblADComputers.OU and under Criteria in the row of this field enter the distinguished Name of the OU.
mshajin
Engaged Sweeper III
Hi

That solves part of the problem, thanks. I was also requesting the ability to link dynamic groups to AD security groups as that would make automated deployments a lot easier. Say, if I want to have a piece of software installed to all computers in an AD security group including any future ones I add to the group, I can just set it and forget all about it rather than having to add to both AD groups and Lansweeper deployment group each time. Is this currently possible?

Thanks.