(imported topic written by wnolan91)
I’m looking for a query or better yet a report that would give us a nice graphical printout of the Assigned Management Rights for all Users. I’d be happy if I could Select all the users and be able to print it out to show me the screen that Assign User Mangement Rights Naturally displays.
What I don’t want is a list of the devices that a user manages.
Thanks
Bill
(imported comment written by BenKus)
Hey Bill,
I think we can do something like this… What about a report that looks like this:
Operator1 - Tokyo - 4000 computers
Operator1 - NY - 20000 computers
Operator2 - Tokyo - 500 computers
Operator2 - London - 1500 computers
… and so on…
Will this meet your needs?
(imported comment written by wnolan91)
I’d be happier with a SQL output of what assigns the user rights.
So let say…
Operator 1 - (OS = “WinNT 4.0.1381” and “Active Directory” = “Blah… blah… blah”)
Operator 2 - (OS = “WinXP 5.1.2600”)
Thanks
Bill
(imported comment written by jessewk)
Bill,
Operator rights are assigned using relevance. I’ve created a little query that extracts the relevance and parses it into a more readable format.
I could use your help making sure it works correctly for you. In my limited deployments here, it seems to work, but we don’t have a lot of operators with a lot of differently assigned management rights.
Will you make a custom web report with the following definition and let me know if it looks like it’s working for you?
The output looks like this for me:
thrush All Computers
turducken All Computers
tweety All Computers
yaku All Computers
nocontent_nmo All Computers
haku All Computers
jwk (it = “Mac OS X 10.4.8”) of ((operating system) as string) OR (it = “WinXP 5.1.2600”) of ((operating system) as string) OR (it = “192.168.100.0”) of ((subnet addresses whose (it as string != “0.0.0.0”) of ip interfaces whose (loopback of it = false) of network) as string) OR (it = “192.168.101.0”) of ((subnet addresses whose (it as string != “0.0.0.0”) of ip interfaces whose (loopback of it = false) of network) as string)
(imported comment written by ErnieF91)
I tried this report and it returned the relevance, not the result. Here’s a sample of what was returned:
adm-BenDover exists (if ( exists setting “_BESClient_ActiveDirectoryPathOverride” of client and exists value of setting “_BESClient_ActiveDirectoryPathOverride” of client ) then ( value of setting “_BESClient_ActiveDirectoryPathOverride” of client ) else if exists distinguished name of local computer of active directory then distinguished name of local computer of active directory else “”) whose (it as string as lowercase ends with “OU=Computers,OU=Coral Gables,OU=PDIC,DC=MyCompany,DC=com” as lowercase)
adm-jimshoe exists (if ( exists setting “_BESClient_ActiveDirectoryPathOverride” of client and exists value of setting “_BESClient_ActiveDirectoryPathOverride” of client ) then ( value of setting “_BESClient_ActiveDirectoryPathOverride” of client ) else if exists distinguished name of local computer of active directory then distinguished name of local computer of active directory else “”) whose (it as string as lowercase ends with “OU=Computers,OU=Stowmarket,OU=PDMC,DC=mycompany,DC=com” as lowercase)
(imported comment written by jessewk)
Ernie,
This is the behavior I would expect. The client evaluates the relevance on administrative rights actions to determine if a particular operator administers the machine. If the relevance is true, then the operator gets rights, otherwise no.
The report I created simply pulls the relevance from the action and parses out some of the error handling relevance to make it easier to understand. You will still need to read the relevance to determine the rights.
In the example you posted, I see that adm-BenDover has rights on computers in “OU=Computers,OU=Coral Gables,OU=PDIC,DC=MyCompany,DC=com” and adm-jimshoe has rights on computers in “OU=Computers,OU=Stowmarket,OU=PDMC,DC=mycompany,DC=com”