1 Reply Latest reply on Aug 13, 2018 2:20 AM by phoffmann

    Active Directory Device Management through Ivanti EPM

    karlehenry Apprentice

      I was wondering if anyone has any ideas or thoughts behind managing Active Directory Devices within containers for instances like:

       

      User A in Department A turns in Laptop A which has specific GPOs assigned for Department A (confusing I know, hold on , it may get worse.)

       

      User A leaves --> Laptop A is re-provisioned but stays in Department A container and still receiving Department A

      s GPO's but laptop A has been assigned to USER B who is in Department B (oh no!).

       

      So i know there is a way to have a script run on the core and compare AD to the Ivanti EPM database and perform cleanup when machines are removed from AD.  My question is, is there a way to say move a machine from one container to another during provisioning to remove GPOs from a specific device like Laptop A to put it into a non deployed state?

       

      Or is there a product that will handle this say Environment Manager for example.

       

      Any help is greatly appreicated.

        • 1. Re: Active Directory Device Management through Ivanti EPM
          phoffmann SupportEmployee

          So short answer is ... "not from within Ivanti natively".

           

          We generally don't "change" things in AD.

           

          Now - the longer answer is - "probably - but you'd need to script it".

           

          So - most likely you'd be looking at PowerShell. You'd face a few potential headaches (if the device has been re-provisioned & "lying aroud" for a bit, it's trust relationship with the domain might break, which is always fun). But in principle, I'd expect powershell to have functions to shuffle you around in AD ... you COULD run those as part of provisioning (though I suspect you'd probably benefit from running it in the last stage, once you're "in the OS proper").

           

          So - theoretically ... should be doable (via scripts / Powershell). It's not something that's available "out of the box" though, as - while we *DO* device management, fooling around with AD & GPO would make us (effectively) domain admins, and that'd be an additional layer of "a lot of rope for reckless people" potentially.

           

          I'm not accusing you of being reckless here - your idea/intention of automating things makes perfect sense. Just highlighting that some folks "leap before they think" and we tend to get blamed enough for it though we "merely" do as we're told.

           

          Hope that helps.