The information in this article applies to:
• Prism Deploy 5 and newer
• Prism Pack 5 and newer
Note: This functionality has been superceded by the Member_Of operator that is part of Policy Commander 1.5 and above and Prism Suite 7.0.3 and above. See the Related Articles section below.
You must first install and register the DLL on your target systems in order to use the functionality. Copy the DLL to the target computers, then run "REGSVR32 SECGROUP.DLL" to register it with the system. The location of the file is irrelevant, though obvious choices would be the “C:\Program Files\Prism Deploy\Client” folder or “Common Files\New Boundary” folder. The simplest way to install the DLL is to build a Package capturing these steps and deploy it with your usual methods. Alternately, use the Package that New Boundary Support has created. Our Package copies SECGROUP.DLL to the folder “C:\Program Files\Prism Deploy\Client” and registers the DLL in this path.
To use the DLL’s functionality, select Value Type <Custom> when defining a User-Defined Configuration Group in Prism Deploy Console or when creating a new Installation Rule within the Editor. Enter "Security Groups" "<GroupToSearchFor>" in the text box. <GroupToSearchFor> is the domain (if necessary) and name of the security group you’re interested in. Domain level security groups require that you type in the name of the domain, then the name of the security group. Local built-in security groups only require the name of the group. For example, to find members of the built-in (local) security group "Administrators", just enter the name. To find members of a domain group, the syntax is "<Domain>\<Group Name>" (e.g. "NewBoundary\Dev"). The backslash separates the domain and group name.
If a match is made between <GroupToSearchFor> and a security group, the DLL returns the value "True", otherwise it returns "False”. Hence, the only useful choices for the value field in the rule wizard are "True" and "False".
<Custom> “Security Groups” “<GroupToSearchFor> = True/False
<Custom> “Security Groups” “Builtin\Administrators” = “True”
<Custom> “Security Groups” “NT Authority\Authenticated Users” = “True”
<Custom> “Security Groups” “Everyone” = “True”
<Custom> “Security Groups” “Domain\Accounting” = “True”
<Custom> “Security Groups” “%userdomain%\Domain Admins” = “True”
<Custom> “Security Groups” “LocalComputerName\LocalGroupName” = “True”
<Custom> “Security Groups” “%computername%\LocalGroupName” = “True”
Optionally, set up the rule to search for all matches to a group name using wildcard characters. Leave the <GroupToSearchFor> field empty (“”), then enter the characters you wish to search for in the value field rather than specifying True or False. Using this method, only MATCHES and GREPMATCHES can be used as the operator.
<Custom> “Security Groups” “” MATCHES “*Domain\*admin*”
<Custom> “Security Groups” “” MATCHES “*_thinclient*”
Note that the wildcard character “*” must be specified at the beginning and end of the string within the value field.
New Boundary has included the utility LOGGROUPS.EXE. When launched from a command-line, LOGGROUPS.EXE writes a Unicode format text file listing the names of all the security groups found for the currently-logged user. The file WRITELOG.TXT is written to the same folder from where the utility was launched. It can be used to assist you with the syntax for creating a Security Groups custom rule.
NOTE: The Security Groups custom DLL was written for the NT family of OS’s only; the functionality is not supported on Win9x systems. Windows 9x and computers that do not have SECGROUP.DLL installed and registered will not successfully run the rule. Thus Package installations using the SECGROUP DLL as an installation rule will fail. Likewise, Prism Deploy target systems lacking the SECGROUP.DLL will not be able to add themselves to the custom configuration group defined by the DLL.