Check Active Directory Connection: Casper Suite

We’ve had quite a few cases where we want to monitor the connection a Mac has with Active Directory.

The main purpose is to spot issues early and ideally apply a fix before the user is impacted. We’ve used Casper Extension Attributes for years, but as many of you will know, these only update on a full inventory update.
Updating all inventory information is a bit overkill, so more recently we’ve tested a different workflow:

  • At a pre-determined time, clients check their AD connection status and report back just that value to their corresponding JSS record
  • A Smart group looking for failures reported will find computers that have lost connectivity
  • The Smart group is configured to email the IT team
  • Optionally, a separate policy can run to re-join the Mac to the domain, re-test the AD connection and update the EA.

The last step is really useful for school labs as the Macs go ahead and fix themselves!
The basic idea is to use a text field EA and a script in the JSS, activated by a policy: the script checks for AD connectivity and uses the REST API to upload the result to that EA.
So if you want to know how to set this up for yourselves, read on.

The steps involved

  1. In your JSS, create a text field EA. This is used to hold the value reported by the AD check script. In this example we’re calling it “AD Connection Status”
  2. Create a user specifically for interacting with the API. In this scenario, the only privileges needed are:
    Update: Computer Extension Attributes
    Update: Computers
    Update: Users
    Everything else should be unchecked
  3. Add our AD check script to your JSS:
  4. Edit the “apiURL”, “apiUser” & “apiPass” with the respective values for your JSS URL and the username and password for the API user account you created
  5. Create a policy to run as frequently as you need, setting it to run the script added in the previous step
  6. Create a smart group that checks “AD Connection Status” is “No connection to the domain”, sending an email notification on membership change if you want to
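
Below is an added example of the kind of check-and-report script steps 3 to 5 describe; it is not the post’s own script. It assumes the EA is named “AD Connection Status”, that the API-only account from step 2 is used, that the classic API endpoint `/JSSResource/computers/udid/<udid>/subset/extension_attributes` accepts a PUT, and that reading the Mac’s own computer record from the AD node fails when no domain controller is reachable.

```bash
#!/bin/bash
# Added example, not the post's script. apiURL/apiUser/apiPass are placeholders to edit (step 4).
apiURL="https://jss.example.com:8443"   # placeholder
apiUser="apiuser"                       # placeholder API-only account
apiPass="CHANGE_ME"                     # placeholder
eaName="AD Connection Status"

# Map the check results to the string stored in the EA.
# $1 = domain from dsconfigad (empty when the Mac is not bound)
# $2 = exit status of the directory lookup (0 = domain controller answered)
ad_status() {
  if [ -z "$1" ]; then
    echo "Not bound to a domain"
  elif [ "$2" -eq 0 ]; then
    echo "Connected to $1"
  else
    echo "No connection to the domain"
  fi
}

# Escape &, < and > so a name or value cannot break the XML body.
esc() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# Build the XML body the classic API expects for one EA update.
ea_xml() {
  printf '<computer><extension_attributes><extension_attribute><name>%s</name><value>%s</value></extension_attribute></extension_attributes></computer>' "$(esc "$1")" "$(esc "$2")"
}

# Live check (macOS only): read the binding, then try a lookup in the AD node.
check_ad() {
  domain=$(dsconfigad -show 2>/dev/null | awk -F' = ' '/Active Directory Domain/ {print $2}')
  rc=1
  if [ -n "$domain" ]; then
    node=$(dscl "/Active Directory" -list / 2>/dev/null | head -n 1)
    acct=$(dsconfigad -show | awk -F' = ' '/Computer Account/ {print $2}')
    # Assumption: this read only succeeds while a domain controller is reachable
    dscl "/Active Directory/$node/All Domains" -read "/Computers/$acct" >/dev/null 2>&1
    rc=$?
  fi
  ad_status "$domain" "$rc"
}

# Upload the result against this Mac's record; the hardware UUID keys the JSS record.
report() {
  udid=$(system_profiler SPHardwareDataType | awk '/Hardware UUID/ {print $3}')
  curl -sS -u "$apiUser:$apiPass" -H "Content-Type: text/xml" -X PUT \
    -d "$(ea_xml "$eaName" "$1")" \
    "$apiURL/JSSResource/computers/udid/$udid/subset/extension_attributes"
}

if [ "${1:-}" = "--report" ]; then
  report "$(check_ad)"
fi
```

Run it from the policy with the `--report` argument; the smart group in step 6 then matches on the exact string “No connection to the domain”.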

At this stage you can decide whether you’d like to create another policy scoped to that group to re-join AD, or investigate the issue in more depth.
An example – What we do for school labs
Using the above method, we set the lab computers to start up at 07:00 on weekdays (using an energy saver configuration profile) and the policy to run at 07:15.
If an issue is found with any device, the EA is updated, the device is added to the smart group, and we run a policy to re-join AD and then re-run the AD check script.
If the re-join fails, we use the email notification built into the JSS, “Error occurs when policy runs”, so a tech can investigate and resolve it.
Hopefully this is of use to some of you. If you want a little more info, here are some extra links:
EAs & Smart Groups:
Update your Extension Attributes – Often, from mm2270 on JAMFNation
The JSS REST API for Everyone