Timothy,
The POC script looks like it's on the right track. You have pointed
out a valid problem, though; removing users from particular "groups"
is not easy. Currently, the Dynamic Manifest API is designed to only
work for a single entity. So for users/owners, you can only
get/add/del a single owner mod. In order to remove a user from a
particular manifest mod, you'd have to know the user was removed from
an AD group then HTTP DELETE using the API:
http://code.google.com/p/simian/source/browse/trunk/src/simian/mac/api/dynamic_manifest.py#156
However, keeping track of users that were removed from groups in AD
would be painful, as you'd have to maintain a separate group-state
somewhere else. There's no way (again, currently) to delete all
manifest mods for a particular user or mod_type; I think the API
could be relatively easily extended to do this, though.

Another thought is the creation of a new mod_type entirely. We already
have Tags for the idea of grouping computers, and we could do
something very similar for grouping of owner usernames, which then
could be easily managed in bulk. Then we would just need to add an
OwnerGroupManifestModification:
http://code.google.com/p/simian/source/browse/trunk/src/simian/mac/models/base.py#1037
+
http://code.google.com/p/simian/source/browse/trunk/src/simian/mac/munki/common.py#645
- Justin
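
The separate group-state tracking described in the message above, as an added example that is not part of the original message or of Simian's code: it diffs the saved group snapshot against the current one and lists the single-owner add and delete calls that would be needed. The function names, the JSON snapshot format, the group and user names, and the max_delete_fraction guard are all assumptions; the actual API calls are not shown.

```python
import json

# Constructed sample data: last run's saved snapshot and today's AD lookup.
PREVIOUS_JSON = '{"design-apps": ["alice", "bob", "carol"], "dev-tools": ["dave"]}'
CURRENT = {"design-apps": {"alice", "carol", "erin"}, "dev-tools": {"dave"}}


def load_state(text):
    """Parse a saved snapshot (JSON object: group name -> list of usernames)."""
    return {g: set(m) for g, m in json.loads(text).items()} if text else {}


def dump_state(state):
    """Serialize a snapshot deterministically for storage between runs."""
    return json.dumps({g: sorted(m) for g, m in sorted(state.items())})


def plan_changes(previous, current, max_delete_fraction=0.5):
    """Return (action, owner, group) tuples that move previous to current.

    Each tuple maps to one single-owner add or delete call. Raises ValueError
    if a group would lose more than max_delete_fraction of its members, since
    that usually means the directory query failed (pass 1.0 to disable).
    """
    ops = []
    for group in sorted(set(previous) | set(current)):
        old = previous.get(group, set())
        new = current.get(group, set())
        removed = old - new
        if old and len(removed) / len(old) > max_delete_fraction:
            raise ValueError(
                f"{group}: refusing to delete {len(removed)} of {len(old)} owners")
        ops += [("delete", user, group) for user in sorted(removed)]
        ops += [("add", user, group) for user in sorted(new - old)]
    return ops


if __name__ == "__main__":
    for op in plan_changes(load_state(PREVIOUS_JSON), CURRENT):
        print(*op)
    # Persist today's snapshot only after every call above has succeeded.
    print(dump_state(CURRENT))
```

On a first run with no saved snapshot the plan contains only adds, so owner mods created before tracking began are never cleaned up by this approach.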