Re: Distribute to user account objects in specific AD group in SCC
- From: "Troy Balmer" <troy.balmer@xxxxxxxxxxxxxx>
- Date: Wed, 10 Dec 2008 16:04:07 +1100
Hi Sherry.
Read and implemented both articles successfully. However, when I tried to
tweak the example in the subselect query, to generate a collection of
computers that had the application but weren't a member of the associated AD
group, I kept getting the following error:
"*The ConfigMgr Provider reported an error.*"
Here's the two queries that I constructed after doing the example from the
link you gave me.
1st half:
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
    from SMS_R_System where SystemGroupName = "INTERNAL\\App-SCCM Fin Comp Test"
This gave me a list of all the computers in the AD group.
2nd half:
    select SMS_G_System_SYSTEM.Name
    from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_SYSTEM.Name not in (select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
    from SMS_R_System where SystemGroupName = "INTERNAL\\App-SCCM Fin Comp Test")
    order by SMS_G_System_SYSTEM.Name
Following the example I was expecting to see all the computers that were not
listed in the query above, however I got the above error.
I'm thinking perhaps it's because I can't run this subselect query on the
first query that targets an AD group. How should I get around this?
Many thanks.
Troy.
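An added example, not part of the original post or of the linked articles: a subselect used with "in" / "not in" has to return exactly one property, and it should be the same property that is compared on the left-hand side, whereas the 2nd-half query above compares Name against a subselect that returns six properties. The query below combines the "has program XYZ in Add/Remove Programs" condition described further down the thread with a one-property subselect on ResourceId; the display name "XYZ" is a placeholder, and the group name is the one from the post.

```sql
-- Added example (WQL collection query). "XYZ" is a placeholder display name;
-- the AD group name is taken from the post above.
select SMS_R_System.ResourceId,
       SMS_R_System.ResourceType,
       SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier,
       SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS
        on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
-- Computers that report the application in Add/Remove Programs ...
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "XYZ"
-- ... and whose ResourceId is not among the members of the AD group.
-- The subselect returns a single property, matching the left-hand side.
  and SMS_R_System.ResourceId not in (
        select SMS_R_System.ResourceId
        from SMS_R_System
        where SMS_R_System.SystemGroupName = "INTERNAL\\App-SCCM Fin Comp Test")
```

Remove the comment lines before pasting the statement into the collection's query editor.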
"Sherry Kissinger [MVP-SMS]"
<SherryKissingerMVPSMS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FA9EE1A9-E903-4A16-856D-89341F495753@xxxxxxxxxxxxxxxx
"Apps targeted to specific computer accounts should hopefully work easily
enough in the same way we did the user accounts, regarding the use of the AD group membership"
It does NOT work the same way as users in a usergroup. It sounds like you haven't tested that yet, so once you test that--you'll see it doesn't. Computers in a usergroup need to be discovered from the server, then a collection membership updated. Check out Brian Tucker's Query #1 here:
http://www.myitforum.com/articles/8/view.asp?id=7748
"Can you please advise how I go about setting up such a query so that the advertised uninstall would run when the computer is removed from the AD group?"
There are a few steps with this. You could combine this all into 1 query, but it's easier to visualize this way. You'll already have your collection (based on Brian T's query) of "computers in a usergroup". For your uninstall query, you'll want to use a subselect query (an example of building a subselect query is here--> http://myitforum.com/articles/1/view.asp?id=179) to create another collection of "computers which have program XYZ displayed in Add/Remove programs, which are NOT IN the other collection"
"As I'm using a task sequence"
Well, since a task-sequence based advertisement cannot be delivered to users or users in a usergroup (only computers) in a collection--you might need to reconsider your whole "deliver to users in a usergroup" plan.
Assuming you'll only be delivering TS based ads to computers--that's the beauty of a TS. If you really think it's possible a particular app was installed outside of ConfigMgr, you could script something to run just prior to check for whatever it is you want to check; and exit or not, or go do something else.
--
Standardize. Simplify. Automate.
"Troy Balmer" wrote:
Thanks Sherry.
Testing the deployment of published apps to targeted user accounts worked at logon. Subsequent testing proved user accounts that weren't a member of the targeted collection couldn't see the app on the PC when they logged on after those that were a member. This should suffice for our user based scenario.
Apps targeted to specific computer accounts should hopefully work easily enough in the same way we did the user accounts, regarding the use of the AD group membership. I've set up the deployments and subsequent uninstalls to computer account collections to download first, then installing/uninstalling when no one is logged on. Hopefully this shouldn't be that much of a problem upon removing the computer account from the AD group and invoking the uninstall of that app. Can you please advise how I go about setting up such a query so that the advertised uninstall would run when the computer is removed from the AD group?
Additionally, I'm having trouble deciding the best method to ensure those applications we deploy to all our computers actually get installed. As I'm using a task sequence won't this automatically check to see if the included applications are already installed anyway, then bypass that one if found? Or should I use configuration baselines? I'm trying to avoid the re-installation of an application, in case it's already been installed prior to advertising the task sequence to the computer.
Many thanks.
Troy.
"Sherry Kissinger [MVP-SMS]"
<SherryKissingerMVPSMS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:85716F93-B2AF-4CA2-B946-7F812B4F9074@xxxxxxxxxxxxxxxx
For the removal when out-of-scope; no nothing dynamically without work from you. And it will be triple the work in your case, because you are targeting users (or users in usergroups) for your deployments. For example... let's say that application XYZ 1.0 is installed when jsmith logs in; and it's jsmith's normal computer; so xyz should stay installed. One day, the local Administrator account logs in while a local tech is fixing something. You wouldn't want XYZ to uninstall in that case--but that's what it sounds like you wanted it to do.
If you were targeting computer accounts which were in a usergroup; then you could create a collection to target an uninstall to a collection of "Computers which have XYZ application, but computer account is not in usergroup 'whatever'" Since you're targeting users in usergroups... You *could* attempt to leverage the Top Console User, and target "computers which have XYZ application where the top console user is not in usergroup 'whatever'". But wow... that's tough to do. I tried to get the query to work myself, and it just wouldn't link the way I expected it to do. I was able to use SLAT from SystemCenterTools instead of Top Console User. The query is still a nightmare... but it can be done. It's also about a 7 step process; so it's nowhere near "at logon xyz will be uninstalled". It's more like... a few hours later, xyz will be uninstalled.
I suppose I should have mentioned it earlier... but is there an overriding reason why you want to target users in usergroups? From a back-end technical standpoint, it is *much* easier to manage when you add computer accounts to the usergroup. Your collection query ends up being "computers which are a member of usergroup xyz", not "usergroup with a name of xyz"; but it's still MUCH easier on you when you need to troubleshoot and manage your clients.
As someone who spent months moving my old job from users in usergroups to computers in usergroups... please consider starting out with computers in usergroups. Since I had to write my own scripts to deal with some of the vagaries of users in usergroups for troubleshooting (they are on myitforum.com) ... please think about it.
--
Standardize. Simplify. Automate.
"Troy Balmer" wrote:
Hi Sherry.
Many thanks! What you advised works a treat, but what I had was my test account was already in the group when I logged it onto the target computer. The catch however was that after I'd done that, I then created the package and then linked the advertisement to the collection targeting the AD group the test account was in. I think that my problem was simply that it took more time than I expected for the advertisement to reach the target computer when I forced the SCCM refresh. Interesting in that I've been using some right click tools for a while now within the SCCM console that has, up until now, forced the policy through to the target almost immediately.
Will create another test account to see if it picks up the advertised package at logon.
I'm yet to test this yet but is there a way that a SCCM advertisement can be configured to remove uninstall the associated package when the targeted computer/user account falls out of scope (ie. removed from an AD group which the collection targets)? Ideally I'm wanting this to replace the out-of-scope function that we have on several published applications in AD group policy.
If SCCM can't do this, how do you think I should best go about uninstalling packages when the target is removed from an AD group?
Greatly appreciate your assistance.
Troy.
"Sherry Kissinger [MVP-SMS]"
<SherryKissingerMVPSMS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E49DD72-5875-4641-87EA-0150F7CEC98B@xxxxxxxxxxxxxxxx
It works; I was at a company that used it for years. But with one caveat... which you've already discovered.
The only time (at a client) that usergroup membership is evaluated in a way which the ConfigMgr client understands is at logon. If the user is already logged on, adding that user account to a new group does not trigger the SMS client to 'see' that new usergroup membership. The user will need to log off and back on in order for the new usergroup membership to be detected by the ConfigMgr client. If you watch the local logs policyagent.log/policyevaluator.log/execmgr.log, you see it detect a group membership change after the logoff/on, and download new policies. Depending upon your environment, within 2-7 minutes the new stuff will start installing (if mandatory) or be available in Run Advertised Programs (if optional).
--
Standardize. Simplify. Automate.
"Troy Balmer" wrote:
Hi.
I'm trying to determine how to configure SCCM to advertise a package to a collection of user accounts within an AD group. It's intended this software assignment would follow them regardless of the computer they log onto.
So far, I've created my collection, added my query to list the desired AD group, upgraded membership on the collection and verified that it returned the group as specified. I then created an advertisement for the package to that collection (the package is set to run whilst the user is logged on, but with administrator privileges), and forced policy refresh.
Nothing appears on the target PC where my test user account (which I added to the AD group), either in the Run Advertisement control panel applet or the New Programs section in Add/Remove Programs.
This is intended to replace a series of assigned applications currently deployed to users via AD group policy.
In turn, I also need a method if possible to ensure other users not in that group don't see the application on a computer which those in the group have used previously.
I'm not sure how many problems I'm inheriting with the apps MSI's being tailored as published apps.
I would be grateful for any assistance. Many thanks.
Troy.