Deploying a Notification to a Domain User Group 

Apr 06, 2011 04:06 PM

We recently had a need to deploy a notification to any user that was a member of a specific domain group. The idea was that this message would be a nag-o-gram that would repeatedly remind the user to take an action. Once they perform the action, they get removed from the group.

We considered configuring this using a login script with Active Directory so that each time the user logged in they would get the notification. However, some users might only log in once a month. We couldn't use a Symantec Management Platform task upon login either, for the same reason. By sending the nag-o-gram to the PC instead, we could make it execute EVERY day, until the user gets annoyed enough to go resolve the issue they were being notified about.

  • The Symantec Management Console and Active Directory Imports
  • Wise Script that notifies the user
  • SMP Policy that prompts the user

The Symantec Management Console and Active Directory Imports

The only method we were given to determine whether a user had completed the action was that they were a member of a certain Active Directory user group. Once the user fulfilled the task they would be removed from the group. So we needed to target the PCs that the user logged into. We determined the best way to do this was to import the users in AD and convert them to a PC list.

We used the "Microsoft Active Directory Import" feature of the Symantec Management Console. We configured a rule that would import user resources from a specific group in our domain, using the default column mappings and resource associations. This import for all users would happen on a daily schedule. I might note that in 7.1 the LDAP queries are filtered to explicitly request the groups that the import rule is configured for. In 7.0 you import the whole mess and then filter it, so it's a bit more intensive.

Now we have two directory filters. We want to use the "Users to Machines" filter when we create our policy later.

Wise Script that notifies the user

Next we needed a WiseScript that would notify the user of the action they needed to take. However, just to be safe, we needed a check that would verify the user was still a member of the Active Directory group. I found a WiseScript on Connect that would do this, but it just called a VBS file that did the real work. The VBScript wasn't included, so I wrote my own and posted it on Connect. It does a check using environment variables to see if the user is a member of a group. The group name is passed to the script as a variable. It returns an exit code of 100 if they are a member of the group and an exit code of 200 if they are not a member of the group.

I wasn't sure if this would work at first since it grabs environment variables. However, as long as the notification is run under the user context instead of the system context, there should be no problems. Since this is only a notification and not a software install, this would work. If I ever need this feature for a software install instead of a notification, I may have to find another way to determine who is currently logged in to the machine and check the group membership based on that.
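
A sketch of the check described above, as an added example rather than the script the author posted on Connect. It assumes the WinNT ADSI provider, a hypothetical file name `CheckGroup.vbs`, and an extra exit code of 1 for errors; only the 100 and 200 codes come from the article.

```vbscript
Option Explicit
' Added example, not the author's script.
' Exit codes from the article: 100 = member, 200 = not a member.
' EXIT_ERROR (1) is an assumption added here for usage or lookup failures.
Const EXIT_MEMBER = 100
Const EXIT_NOT_MEMBER = 200
Const EXIT_ERROR = 1

Dim shell, domainName, userName, groupName, user, grp, found

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript //nologo CheckGroup.vbs ""Group Name"""
    WScript.Quit EXIT_ERROR
End If
groupName = WScript.Arguments(0)

' Identify the user from the process environment, as the article describes.
Set shell = CreateObject("WScript.Shell")
domainName = shell.ExpandEnvironmentStrings("%USERDOMAIN%")
userName = shell.ExpandEnvironmentStrings("%USERNAME%")

' In system context %USERNAME% is typically the computer account (NAME$) or
' SYSTEM, so refuse to answer rather than report a misleading "not a member".
' ExpandEnvironmentStrings returns the literal text if the variable is unset.
If Right(userName, 1) = "$" Or UCase(userName) = "SYSTEM" _
   Or userName = "%USERNAME%" Then
    WScript.Quit EXIT_ERROR
End If

' Bind to the account; a failed bind is an error, not a membership answer.
On Error Resume Next
Set user = GetObject("WinNT://" & domainName & "/" & userName & ",user")
If Err.Number <> 0 Then WScript.Quit EXIT_ERROR
On Error GoTo 0

' WinNT returns direct memberships only; nested groups are not expanded.
found = False
For Each grp In user.Groups
    If StrComp(grp.Name, groupName, vbTextCompare) = 0 Then
        found = True
        Exit For
    End If
Next

If found Then WScript.Quit EXIT_MEMBER
WScript.Quit EXIT_NOT_MEMBER
```

Because `%USERNAME%` and `%USERDOMAIN%` can be overridden by the logged-on user, this result is suitable for deciding whether to show a reminder, not for authorizing an install or granting access.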


SMP Policy that prompts the user

Under Jobs and Tasks I created a new task. I selected Package Delivery under Software for the task type. This allows you to create a software package as part of the process. Since this is a notification and not an actual software install, this seemed like the best course of action.

I was sure to set the advanced run options so that it would "Run as" the "Current logged-on user". I also set the "Task can run" option under "User run conditions" to "Only when a user is logged on" and made sure that the "Allow user interaction" checkbox was checked.

At this point I could have added my Active Directory filter in here, but we seem to have better success for large numbers of PCs when we create a policy. So next, under "Manage Policies" in the Symantec Management Platform console, I created a Managed Software Delivery policy that would run the task I created earlier, targeted with the Active Directory filter I created earlier. I set up a schedule for it to run every day. Since the AD import runs daily, users should drop out of the list once they are removed from the group.

Wrap-up

Now we've created a process to nag a user to take care of a task every day until they complete it. This relied on AD Imports, VBScripts, WiseScripts and of course the Symantec Management Platform. I hope this is useful to you.
