AppV Restrict Usage Via Machine Group Membership

From richud.com


  • Note, I haven't tested this in a live environment yet! Had issues in the past with the SUCCESSRESULT and ABORTRESULT bit seemingly not working, which may be because of the bug noted below that I didn't know about.

OSD dependency inclusion - test machine group membership

The .osd uses the errorlevel from "findstr" to determine whether to launch. That errorlevel is itself determined by querying AD for the launching machine's security group membership.

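<DEPENDENCY>
  <!-- Pre-launch check: findstr returns errorlevel 0 only when the computer name is found in the group's member list. -->
  <!-- The OSD is XML, so the & in the LDAP filter is written as &amp; -->
  <SCRIPT EVENT="LAUNCH" TIMING="PRE" PROTECT="FALSE" WAIT="TRUE" TIMEOUT="0" SUCCESSRESULT="0">
    <SCRIPTBODY LANGUAGE="BATCH">
      adfind -default -f "&amp;(objectCategory=group)(name=APPGROUP)" member -list | findstr /i "%computername%" \n
    </SCRIPTBODY>
  </SCRIPT>
</DEPENDENCY>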
  • Note, BUG - Don't use BOTH SUCCESSRESULT and ABORTRESULT, as App-V is buggy and breaks

adfind

It is probably more flexible to use adfind, which is a standalone ~2 MB .exe.

List the computers in APPGROUP and check that %computername% is among them:

adfind -default -f "&(objectCategory=group)(name=APPGROUP)" member -list | findstr /i "%computername%"

which is effectively the same as

adfind -b "cn=APPGROUP,ou=App-V Stuff,dc=richud,dc=com" member -list | findstr /i "%computername%"

Or, reversing this:

List the groups that %computername% is in and check that APPGROUP is one of them:

adfind -default -f "&(objectCategory=computer)(name=%computername%)" memberOf -list | findstr /i "APPGROUP"
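
The findstr tests above match substrings, so a machine named PC1 passes when only PC10 is in the group, and in the reversed query "APPGROUP" also matches a group such as APPGROUP-TEST. The batch file below is an added example, not from the original page: it runs the page's substring test and an anchored literal test against constructed member DNs. It assumes adfind -list prints one DN per line, each starting with CN= followed by the name and a comma; the machine name PC1 and the sample file name are made up for the demonstration.

```batch
@echo off
setlocal
rem Constructed sample of "adfind ... member -list" output.
rem Assumption: one member DN per line, each starting with CN=name,
set "SAMPLE=%TEMP%\appgroup_members_sample.txt"
> "%SAMPLE%" echo CN=PC10,OU=Workstations,DC=richud,DC=com
>>"%SAMPLE%" echo CN=LABPC7,OU=Workstations,DC=richud,DC=com

rem Hypothetical machine name standing in for the computername variable.
rem PC1 is not in the sample member list.
set "NAME=PC1"

rem Substring test as on the page: the text PC1 occurs inside PC10.
findstr /i "%NAME%" "%SAMPLE%" >nul
set "SUBSTRING_RC=%errorlevel%"

rem Anchored test: /b ties the match to the start of the line, /c: takes the
rem string literally, and the trailing comma ends the name at the RDN boundary.
findstr /i /b /c:"CN=%NAME%," "%SAMPLE%" >nul
set "ANCHORED_RC=%errorlevel%"

echo substring test errorlevel: %SUBSTRING_RC%
echo anchored test errorlevel:  %ANCHORED_RC%
del "%SAMPLE%"

rem Return the anchored result, the value SUCCESSRESULT would be compared with.
exit /b %ANCHORED_RC%
```

Applied to the page's group query, the anchored form of the pipe is findstr /i /b /c:"CN=%computername%," and the reversed memberOf query needs the same treatment with /c:"CN=APPGROUP,".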

dsget

Using Microsoft's dsget, assuming it is available on the client PC.

dsget group "cn=APPGROUP,ou=App-V Stuff,dc=richud,dc=com" -members | findstr /i "%computername%"

ldifde

netdom

ldapsearch