Re: Distribute to user account objects in specific AD group in SCC



"Apps targeted to specific computer accounts should hopefully work easily
enough in the same way we did the user accounts, regarding the use of the AD
group membership"

It does NOT work the same way as users in a usergroup. It sounds like you
haven't tested that yet, so once you test that--you'll see it doesn't.
Computers in a usergroup need to be discovered from the server, then a
collection membership updated. Check out Brian Tucker's Query #1 here:
http://www.myitforum.com/articles/8/view.asp?id=7748

'Can you please advise how I go about setting up
such a query so that the advertised uninstall would run when the computer is
removed from the AD group?"

There are a few steps with this. You could combine this all into 1 query,
but it's easier to visualize this way. You'll already have your collection
(based on Brian T's query) of "computers in a usergroup". For your uninstall
query, you'll want to use a subselect query (an example of building a
subselect query is here--> http://myitforum.com/articles/1/view.asp?id=179)
to create another collection of "computers which have program XYZ displayed
in Add/Remove programs, which are NOT IN the other collection"

"As I'm using a task sequence"

Well, since a task-sequence based advertisement cannot be delivered to users
or users in a usergroup (only computers) in a collection--you might need to
reconsider your whole "deliver to users in a usergroup" plan.

Assuming you'll only be delivering TS based ads to computers--that's the
beauty of a TS. If you really think it's possible a particular app was
installed outside of ConfigMgr, you could script something to run just prior
to check for whatever it is you want to check; and exit or not, or go do
something else.
--
Standardize. Simplify. Automate.
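As an added illustration (not Sherry's or Brian Tucker's own queries), these are the two ConfigMgr collection query rules (WQL) that the steps above describe: the first is the "computers in a usergroup" collection, the second the "has XYZ in Add/Remove Programs but is NOT IN the first collection" uninstall collection. The domain/group name, the program's DisplayName and the first collection's ID are placeholders to replace with your own.

```sql
select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
where SMS_R_System.SystemGroupName = "CONTOSO\\App XYZ Computers"

select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS
    on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceID
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "XYZ 1.0"
  and SMS_R_System.ResourceID not in
      (select ResourceID from SMS_FullCollectionMembership
       where CollectionID = "ABC00012")
```

Both rules depend on AD System Group Discovery having run (SystemGroupName is populated by discovery, and the backslash must be doubled in WQL), and then on each collection's scheduled update, so a machine pulled out of the group reaches the uninstall collection hours later, not at logon. On 64-bit clients, check SMS_G_System_ADD_REMOVE_PROGRAMS_64 as well, since 64-bit installs are inventoried there.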


"Troy Balmer" wrote:

Thanks Sherry.

Testing the deployment of published apps to targeted user accounts worked at
logon. Subsequent testing proved user accounts that weren't a member of the
targeted collection couldn't see the app on the PC when they logged on after
those that were a member. This should suffice for our user based scenario.

Apps targeted to specific computer accounts should hopefully work easily
enough in the same way we did the user accounts, regarding the use of the AD
group membership. I've set up the deployments and subsequent uninstalls to
computer account collections to download first, then installing/uninstalling
when no one is logged on. Hopefully this shouldn't be that much of a
problem upon removing the computer account from the AD group and invoking
the uninstall of that app. Can you please advise how I go about setting up
such a query so that the advertised uninstall would run when the computer is
removed from the AD group?

Additionally, I'm having trouble deciding the best method to ensure those
applications we deploy to all our computers actually get installed. As I'm
using a task sequence won't this automatically check to see if the included
applications are already installed anyway, then bypass that one if found?
Or should I use configuration baselines? I'm trying to avoid the
re-installation of an application, in case it's already been installed prior
to advertising the task sequence to the computer.

Many thanks.

Troy.


"Sherry Kissinger [MVP-SMS]"
<SherryKissingerMVPSMS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:85716F93-B2AF-4CA2-B946-7F812B4F9074@xxxxxxxxxxxxxxxx
For the removal when out-of-scope; no, nothing dynamically without work from
you. And it will be triple the work in your case, because you are targeting
users (or users in usergroups) for your deployments. For example... let's
say that application XYZ 1.0 is installed when jsmith logs in; and it's
jsmith's normal computer; so xyz should stay installed. One day, the local
Administrator account logs in while a local tech is fixing something. You
wouldn't want XYZ to uninstall in that case--but that's what it sounds like
you wanted it to do.

If you were targeting computer accounts which were in a usergroup; then you
could create a collection to target an uninstall to a collection of
"Computers which have XYZ application, but computer account is not in
usergroup 'whatever'". Since you're targeting users in usergroups... You
*could* attempt to leverage the Top Console User, and target "computers which
have XYZ application where the top console user is not in usergroup
'whatever'". But wow... that's tough to do. I tried to get the query to
work myself, and it just wouldn't link the way I expected it to do. I was
able to use SLAT from SystemCenterTools instead of Top Console User. The
query is still a nightmare... but it can be done. It's also about a 7 step
process; so it's nowhere near "at logon xyz will be uninstalled". It's more
like... a few hours later, xyz will be uninstalled.

I suppose I should have mentioned it earlier... but is there an overriding
reason why you want to target users in usergroups? From a back-end technical
standpoint, it is *much* easier to manage when you add computer accounts to
the usergroup. Your collection query ends up being "computers which are a
member of usergroup xyz", not "usergroup with a name of xyz"; but it's still
MUCH easier on you when you need to troubleshoot and manage your clients.

As someone who spent months moving my old job from users in usergroups to
computers in usergroups... please consider starting out with computers in
usergroups. Since I had to write my own scripts to deal with some of the
vagaries of users in usergroups for troubleshooting (they are on
myitforum.com) ... please think about it.
--
Standardize. Simplify. Automate.


"Troy Balmer" wrote:

Hi Sherry.

Many thanks! What you advised works a treat, but what I had was my test
account was already in the group when I logged it onto the target computer.

The catch however was that after I'd done that, I then created the package
and then linked the advertisement to the collection targeting the AD group
the test account was in. I think that my problem was simply that it took
more time than I expected for the advertisement to reach the target computer
when I forced the SCCM refresh. Interesting in that I've been using some
right click tools for a while now within the SCCM console that has, up until
now, forced the policy through to the target almost immediately.

Will create another test account to see if it picks up the advertised
package at logon.

I've yet to test this, but is there a way that a SCCM advertisement can be
configured to remove/uninstall the associated package when the targeted
computer/user account falls out of scope (ie. removed from an AD group which
the collection targets)? Ideally I'm wanting this to replace the
out-of-scope function that we have on several published applications in AD
group policy.

If SCCM can't do this, how do you think I should best go about uninstalling
packages when the target is removed from an AD group?

Greatly appreciate your assistance.

Troy.

"Sherry Kissinger [MVP-SMS]"
<SherryKissingerMVPSMS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E49DD72-5875-4641-87EA-0150F7CEC98B@xxxxxxxxxxxxxxxx
It works; I was at a company that used it for years. But with one caveat...
which you've already discovered.

The only time (at a client) that usergroup membership is evaluated in a way
which the ConfigMgr client understands is at logon. If the user is already
logged on, adding that user account to a new group does not trigger the SMS
client to 'see' that new usergroup membership. The user will need to log off
and back on in order for the new usergroup membership to be detected by the
ConfigMgr client. If you watch the local logs
policyagent.log/policyevaluator.log/execmgr.log, you see it detect a group
membership change after the logoff/on, and download new policies. Depending
upon your environment, within 2-7 minutes the new stuff will start installing
(if mandatory) or be available in Run Advertised Programs (if optional).
--
Standardize. Simplify. Automate.


"Troy Balmer" wrote:


Hi.

I'm trying to determine how to configure SCCM to advertise a package to a
collection of user accounts within an AD group. It's intended this software
assignment would follow them regardless of the computer they log onto.

So far, I've created my collection, added my query to list the desired AD
group, upgraded membership on the collection and verified that it returned
the group as specified. I then created an advertisement for the package to
that collection (the package is set to run whilst the user is logged on, but
with administrator privileges), and forced policy refresh.

Nothing appears on the target PC where my test user account (which I added
to the AD group), either in the Run Advertisement control panel applet or
the New Programs section in Add/Remove Programs.

This is intended to replace a series of assigned applications currently
deployed to users via AD group policy.

In turn, I also need a method if possible to ensure other users not in that
group don't see the application on a computer which those in the group have
used previously.

I'm not sure how many problems I'm inheriting with the apps' MSIs being
tailored as published apps.

I would be grateful for any assistance. Many thanks.

Troy.
