Re: Distribute to user account objects in specific AD group in SCC
- From: "Troy Balmer" <troy.balmer@xxxxxxxxxxxxxx>
- Date: Fri, 5 Dec 2008 10:04:16 +1100
Thanks Sherry.
Testing the deployment of published apps to targeted user accounts worked at
logon. Subsequent testing proved user accounts that weren't a member of the
targeted collection couldn't see the app on the PC when they logged on after
those that were a member. This should suffice for our user based scenario.
Apps targeted to specific computer accounts should hopefully work easily
enough in the same way we did the user accounts, regarding the use of the AD
group membership. I've set up the deployments and subsequent uninstalls to
computer account collections to download first, then installing/uninstalling
when no one is logged on. Hopefully this shouldn't be that much of a
problem upon removing the computer account from the AD group and invoking
the uninstall of that app. Can you please advise how I go about setting up
such a query so that the advertised uninstall would run when the computer is
removed from the AD group?
Additionally, I'm having trouble deciding the best method to ensure those
applications we deploy to all our computers actually get installed. As I'm
using a task sequence won't this automatically check to see if the included
applications are already installed anyway, then bypass that one if found?
Or should I use configuration baselines? I'm trying to avoid the
re-installation of an application, in case it's already been installed prior
to advertising the task sequence to the computer.
Many thanks.
Troy.
"Sherry Kissinger [MVP-SMS]"
<SherryKissingerMVPSMS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:85716F93-B2AF-4CA2-B946-7F812B4F9074@xxxxxxxxxxxxxxxx
For the removal when out-of-scope; no nothing dynamically without work from
you. And it will be triple the work in your case, because you are targeting
users (or users in usergroups) for your deployments. For example... let's
say that application XYZ 1.0 is installed when jsmith logs in; and it's
jsmith's normal computer; so xyz should stay installed. One day, the local
Administrator account logs in while a local tech is fixing something. You
wouldn't want XYZ to uninstall in that case--but that's what it sounds like
you wanted it to do.
If you were targeting computer accounts which were in a usergroup; then you
could create a collection to target an uninstall to a collection of
"Computers which have XYZ application, but computer account is not in
usergroup 'whatever'" Since you're targeting users in usergroups... You
*could* attempt to leverage the Top Console User, and target "computers which
have XYZ application where the top console user is not in usergroup
'whatever'". But wow... that's tough to do. I tried to get the query to
work myself, and it just wouldn't link the way I expected it to do. I was
able to use SLAT from SystemCenterTools instead of Top Console User. The
query is still a nightmare... but it can be done. It's also about a 7 step
process; so it's nowhere near "at logon xyz will be uninstalled". It's more
like... a few hours later, xyz will be uninstalled.
I suppose I should have mentioned it earlier... but is there an overriding
reason why you want to target users in usergroups? From a back-end technical
standpoint, it is *much* easier to manage when you add computer accounts to
the usergroup. Your collection query ends up being "computers which are a
member of usergroup xyz", not "usergroup with a name of xyz"; but it's still
MUCH easier on you when you need to troubleshoot and manage your clients.
As someone who spent months moving my old job from users in usergroups to
computers in usergroups... please consider starting out with computers in
usergroups. Since I had to write my own scripts to deal with some of the
vagaries of users in usergroups for troubleshooting (they are on
myitforum.com) ... please think about it.
--
Standardize. Simplify. Automate.
"Troy Balmer" wrote:
Hi Sherry.
Many thanks! What you advised works a treat, but what I had was my test
account was already in the group when I logged it onto the target computer.
The catch however was that after I'd done that, I then created the package
and then linked the advertisement to the collection targeting the AD group
the test account was in. I think that my problem was simply that it took
more time than I expected for the advertisement to reach the target computer
when I forced the SCCM refresh. Interesting in that I've been using some
right click tools for a while now within the SCCM console that has, up until
now, forced the policy through to the target almost immediately.
Will create another test account to see if it picks up the advertised
package at logon.
I'm yet to test this yet but is there a way that a SCCM advertisement can be
configured to remove/uninstall the associated package when the targeted
computer/user account falls out of scope (i.e. removed from an AD group which
the collection targets)? Ideally I'm wanting this to replace the
out-of-scope function that we have on several published applications in AD
group policy.
If SCCM can't do this, how do you think I should best go about uninstalling
packages when the target is removed from an AD group?
Greatly appreciate your assistance.
Troy.
"Sherry Kissinger [MVP-SMS]"
<SherryKissingerMVPSMS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E49DD72-5875-4641-87EA-0150F7CEC98B@xxxxxxxxxxxxxxxx
It works; I was at a company that used it for years. But with one caveat...
which you've already discovered.
The only time (at a client) that usergroup membership is evaluated in a way
which the ConfigMgr client understands is at logon. If the user is already
logged on, adding that user account to a new group does not trigger the SMS
client to 'see' that new usergroup membership. The user will need to log off
and back on in order for the new usergroup membership to be detected by the
ConfigMgr client. If you watch the local logs
policyagent.log/policyevaluator.log/execmgr.log, you see it detect a group
membership change after the logoff/on, and download new policies. Depending
upon your environment, within 2-7 minutes the new stuff will start installing
(if mandatory) or be available in Run Advertised Programs (if optional).
--
Standardize. Simplify. Automate.
"Troy Balmer" wrote:
Hi.
I'm trying to determine how to configure SCCM to advertise a package to a
collection of user accounts within an AD group. It's intended this software
assignment would follow them regardless of the computer they log onto.
So far, I've created my collection, added my query to list the desired AD
group, upgraded membership on the collection and verified that it returned
the group as specified. I then created an advertisement for the package to
that collection (the package is set to run whilst the user is logged on, but
with administrator privileges), and forced policy refresh.
Nothing appears on the target PC where my test user account (which I added
to the AD group), either in the Run Advertisement control panel applet or
the New Programs section in Add/Remove Programs.
This is intended to replace a series of assigned applications currently
deployed to users via AD group policy.
In turn, I also need a method if possible to ensure other users not in that
group don't see the application on a computer which those in the group have
used previously.
I'm not sure how many problems I'm inheriting with the apps' MSIs being
tailored as published apps.
I would be grateful for any assistance. Many thanks.
Troy.
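
The computer-account case described in the thread ("Computers which have XYZ application, but computer account is not in usergroup 'whatever'") can be written as a collection query along the following lines. This is an added example, not part of the original messages; it is WQL, ConfigMgr's SQL-like query language, and the group name CONTOSO\XYZ-Computers and the display name "XYZ 1.0" are placeholder values.

```sql
-- Added example (WQL collection query); group and display names are placeholders.
-- Members: computers that report XYZ in Add/Remove Programs inventory
-- but whose computer account is no longer in the targeting AD group.
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
  inner join SMS_G_System_ADD_REMOVE_PROGRAMS
    on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "XYZ 1.0"
  -- Subselect: every computer currently discovered as a member of the group.
  and SMS_R_System.ResourceId not in (
    select SMS_R_System.ResourceId
    from SMS_R_System
    where SMS_R_System.SystemGroupName = "CONTOSO\\XYZ-Computers"
  )
```

Remove the comment lines before pasting the statement into the collection's query rule. Membership depends on hardware inventory and AD system group discovery, so a computer lands in this collection only after both have caught up with the group change.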