Migrate from One OU to another OU in AD based on machine communication with JSS

ukspvmalapati
New Contributor III

Hello All,

Need your suggestion to move machine from: Domain/Clients/Mac to Domain/Clients/Mac/Disabled, if the machine is not communicating with JSS for more then 30 days. Migration should happen automatically.

Once the machine connects to JSS, machine should move back to normal OU.

Also I would like to delete machine from AD if the machine hasn't connected to network or JSS for more then 90 days.

Thanks in advance.
Venu Malapati

3 REPLIES 3

ukspvmalapati
New Contributor III

hi All,

Have you got any suggestion on this?

Thanks & Regards
VM

mm2270
Legendary Contributor III

You can't do something like this with Jamf Pro, because your premise is based on the fact that the Mac is no longer communicating with Jamf Pro. In that case, it's not possible to run any policies, scripts or commands on the device. By the time it finally checks in, you won't want to move it to a disabled OU, so it's way after the fact. Even if Jamf could somehow do this (and it cannot), this is more of a back side Active Directory thing, since moving OUs for a Mac, from the Mac, would involve un-joining and rejoining the Mac to AD using a different OU. I would look at what might be possible from the AD perspective instead.

A couple of optional things to consider:
You can have something run once per day, like a local script, that would use the API to locate any Macs that haven't checked in within 30 days, and add some label to them, maybe with an Extension Attribute to indicate they are MIA, or perhaps drop them into a Static Computer Group. That won't do exactly what you're after on the AD side, but it will give you some visibility on which Macs are not checking in.

Second, if you're using a pretty recent version of Jamf Pro, you now have the option of setting up an Advanced Search to automatically send an email with a report attached to members of your AD team. The search/report can locate any Macs that have not checked in within 30 days. You can include as much or as little detail as you want in that report. They can then use it to find the Macs in AD and move them to the Disabled OU.

hdsreid
Contributor III

Is there a reason that you are trying to do this through Jamf and not through AD? if you look up how to do this in AD, you will find a few ideas on how to accomplish this: https://community.spiceworks.com/how_to/125704-how-to-find-and-remove-stale-users-and-computers-in-active-directory for example
This powershell script may also be a good start to automate this process from a Windows box: https://github.com/cosine83/powershell/blob/master/Disable%20and%20Move%20Inactive%20Computers.ps1

So while you cannot do this stuff using Jamf as the interface, it is all quite possible with AD itself