Hi all, I’m new here and am wondering if there is a way to use bigfix to automate AD group membership? What I’m going for here is we want to use bigfix to add a computer to a group automatically using a command like:
dsmod group group_dn -addmbr computer_dn
Is that even possible to do in BigFix? Or does Bigfix have any other way of doing AD management?
For example, we have some computers that use bitlocker for encryption and we want to automate adding those computers to the appropriate AD group.
Thoughts?
Thanks!
Brian
BigFix is very endpoint centric.
AD Management from an endpoint may have some undesirable architectural elements.
For example,
You could dos net localgroup administrators bob /add to add the bob account to the local administrators group on an endpoint.
Sample Fixlet here: https://bigfix.me/fixlet/details/3624
This works because the BigFix agent runs as local system and local system has authority over the local user groups.
It may be possible to run commands from the BigFix agent, and if those commands are run under a permissible security context, those commands might be convinced to interact with your AD.
The dsmod command seems like it would need to be run as a user that has rights on your AD to perform this action remotely from the endpoint running the action script.
Adding an AD group is not implemented on the terminal, but needs to be managed on the AD. GPO works better