Q10405 - INFO: MEMBER_OF Configuration Group Operator

 

The information in this article applies to:

 

  • Prism Suite 7.0.3 and above
  • Policy Commander 1.5 and above

 

SUMMARY

There's a new MEMBER_OF operator for use in creating Smart Update groups (configuration groups).  The operator can be used to retrieve security group membership in an Active Directory or pre-Active Directory structure. This replaces the custom secgroup.dll that was used in previous versions of Prism. However, there is no need to remove the secgroup.dll from managed computers or to delete existing configuration groups based on the secgroup.dll.

 

METHOD

The left-hand side of a ruleset using the MEMBER_OF operator is the name of a computer or user, and the right-hand side is the name of a group.  The rule evaluates to “true” if the computer or user on the left of the operator is a member of the group on the right.  It is false if the user or computer is not a member or if an error occurs.  There are two possibilities for the syntax of user, computer and group names: canonical and domain.

 

1) Canonical

This is the Active Directory representation given by Prism’s existing ComputerADName and UserADName variables. For example, to find the computers where AD schema admins are logged in using canonical syntax, you would create a ruleset that looked like this:

 

UserADName MEMBER_OF “MyCompany.local/Users/Schema Admins”

 

The left-hand side of the ruleset can also be a computer in cases where that would be applicable.

 

2) Domain

This syntax can be used in NT, AD or mixed environments, and the left-hand side is always a user and never a computer.  Prism’s new DomainUserName variable is used in the left-hand side of the ruleset.  DomainUserName combines the current domain with the current user.  When a domain user is logged in, the value resolves to “domain\user”.  When a local user is logged in it resolves to simply “user”.  When that local user is one of the predefined accounts, it resolves to “BUILTIN\user”, with “BUILTIN\SYSTEM” being the account when the client is running unattended.

 

To find the computers where schema admins are logged in, you would use this syntax:

DomainUserName MEMBER_OF “MyDomain\Schema Admins” -or-

DomainUserName MEMBER_OF “Schema Admins@MyDomain”

 

To find computers where local admins are logged in, you would use this syntax (remember, the Domain Administrators group is a member of the local Administrators group):

DomainUserName MEMBER_OF “Administrators”

 

 

NOTES

  • Currently the MEMBER_OF operator does not see "domain local" groups when using the DomainUserName variable in the left-hand side of the ruleset. It only sees the groups marked "global" or "universal."  You can work around this by using one of the AD variables instead (i.e., UserADName or ComputerADName).
  • You can't mix and match the syntax.  Both the left- and right-hand sides must share the same syntax as given above.
  • Currently the result of the evaluation is always “false” when the client is running unattended.
  • In both formatting cases, any problems encountered by the client in determining group membership result in the rule evaluating as "false".
  • The new operator is for the purpose of helping to determine group membership, not organizational unit identity.  You can use the existing "MATCHES" clause to figure out whether a user or computer belongs to a particular organizational unit or not.
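
A pre-deployment check for the "can't mix and match" note above, added here as an example and not part of Prism Suite or Policy Commander: it classifies each side of a MEMBER_OF rule as canonical or domain syntax and reports mismatches. The function names and the slash-based classification heuristic are assumptions; only the three variables and the name forms come from this article.

```python
import re

# Left-hand variables named in the article and the name syntax each one yields.
VARIABLE_SYNTAX = {
    "UserADName": "canonical",
    "ComputerADName": "canonical",
    "DomainUserName": "domain",
}

# Accepts straight or typographic quotes around the group name.
RULE_RE = re.compile(r'^\s*(\w+)\s+MEMBER_OF\s+["“](.+?)["”]\s*$')


def group_syntax(group):
    """Classify a right-hand group name (heuristic assumed for this example)."""
    # Canonical names are slash-separated paths, e.g. MyCompany.local/Users/Schema Admins.
    # Anything else is treated as domain syntax: Domain\Group, Group@Domain or bare Group.
    return "canonical" if "/" in group else "domain"


def lint_rule(rule):
    """Return a list of problems found in one MEMBER_OF rule (empty if none)."""
    m = RULE_RE.match(rule)
    if not m:
        return ['not of the form: Variable MEMBER_OF "Group"']
    variable, group = m.groups()
    if variable not in VARIABLE_SYNTAX:
        return [f"unknown left-hand variable: {variable}"]
    left, right = VARIABLE_SYNTAX[variable], group_syntax(group)
    problems = []
    if left != right:
        problems.append(f"mixed syntax: {variable} is {left}, group name is {right}")
    if "\\" in group and "@" in group:
        problems.append("group name combines Domain\\Group and Group@Domain forms")
    return problems


if __name__ == "__main__":
    # Constructed samples: the first three are the article's rules, the last two mix syntaxes.
    samples = [
        'UserADName MEMBER_OF "MyCompany.local/Users/Schema Admins"',
        'DomainUserName MEMBER_OF "Schema Admins@MyDomain"',
        'DomainUserName MEMBER_OF "Administrators"',
        'DomainUserName MEMBER_OF "MyCompany.local/Users/Schema Admins"',
        'ComputerADName MEMBER_OF "MyDomain\\Schema Admins"',
    ]
    for rule in samples:
        print(rule, "->", lint_rule(rule) or "ok")
```
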
Created on 5/15/2006.
Last Modified on 9/23/2009.
Last Modified by New Boundary Support.