AppV Restrict Usage Via Machine Group Membership
Jump to navigation
Jump to search
- Note, I haven't tested this in a live environment yet! Had issues in past with the SUCCESSRESULT and ABORTRESULT bit not seemingly working , which may be because of bug noted below I didnt know about.
Contents
OSD dependancy inclusion - test machine group membership
Uses errorlevel from "findstr" in the .osd to determine wether to launch , this itself being determined by querying the launching machines security group membership on AD.
<DEPENDENCY> <SCRIPT EVENT="LAUNCH" TIMING="PRE" PROTECT="FALSE" WAIT="TRUE" TIMEOUT="0" SUCCESSRESULT="0"> <SCRIPTBODY LANGUAGE="BATCH"> adfind -default -f "&(objectCategory=group)(name=APPGROUP)" member -list | findstr /i "%computername%" \n </SCRIPTBODY> </SCRIPT> </DEPENDENCY>
- Note, BUG - Dont use BOTH SUCCESSRESULT and ABORTRESULT as App-V is buggy and breaks
adfind
Probably more flexible to use adfind which is standalone ~2mb .exe
see computers in APPGROUP, check %computername% is in it.
adfind -default -f "&(objectCategory=group)(name=APPGROUP)" member -list | findstr /i "%computername%"
which is effectively same as
adfind -b "cn=APPGROUP,ou=App-V Stuff,dc=richud,dc=com" member -list | findstr /i "%computername%"
OR reversing this
see groups %computername% is in, check computer is member of APPGROUP
adfind -default -f "&(objectCategory=computer)(name=%computername%)" memberOf -list | findstr /i "APPGROUP"
dsget
Using Microsoft's dsget, assuming available on client pc.
dsget group "cn=APPGROUP,ou=App-V Stuff,dc=richud,dc=com" -members | findstr /i "%computername%"