anyweb

How can I Deploy Applications based on AD security group membership for Computers using a Task Sequence

Question

The following guide is based upon a post by Daniel Oxley on The Deployment Guys blog where he showed a MDT Task Sequence which could install applications based on Active Directory queries, I have modified the script provided and created a brand new Task Sequence for System Center Configuration Manager 2007. All you have to do is to import the Task Sequence into ConfigMgr and start dynamically installing applications.

 

Note: This post is reproduced as a Webcast here.

 

Ok first of all understand what this does and what you need done in the back-end.

 

What does this do ?

 

The task sequence will set some variables, make a call to Active Directory using a user you define within the task sequence, then based upon the results returned will set another variable's value to True or False based on whether a COMPUTER is a member of an Active Directory Security Group. It can loop through this many times to install several applications 'on the fly' during an OSD task sequence; the advantage of this is that the Task Sequence becomes dynamic based upon where the COMPUTER is present in AD.

 

xp2 is a member.jpg

 

In the above Screenshot, the computer XP2 (amongst others) is a member of the FireFox Users Active Directory Security Group. Therefore if we run the Task Sequence (and thus the script) on that computer it will return a value of True for membership of the FireFox Users Active Directory Security Group and therefore the FireFox application will be installed during the Task Sequence dynamically.

 

 

 

 

What does it need ?

 


     
  • You must have created some Active Directory Security Groups in AD for the applications you are intending to dynamically install, and you should add the computer account to these groups; if the computer is not a member of the Active Directory Security Group then the software will not be installed via the task sequence.
  • You must have some applications pre-created in SCCM which can install as part of a normal task sequence.
  • You will need an Active Directory user which we will use to connect to AD to get the info. (I have created a standard user called QueryAd; for security reasons you should only grant this user the appropriate access in Active Directory.)
  • You will need full access to AD to add computers to the selected Active Directory Security Group(s) and to verify the Distinguished Names needed for the Task Sequence Steps.
  • You will need MDT 2010 integrated with SCCM and you will need to add the custom script CUSTOM_AppInstall.wsf to the scripts folder contained within the MDT2010Files package.
     
    custom_appinstall.wsf copied to scripts folder.jpg
     
    Once you have added the file you must update the Distribution Points for that package.

 

update dp for mdt2010 files.jpg

 

 

 

 

 

 

Editing the Task Sequence

 

Ok now that you have what is needed, let's put it into action.

 

Import the following task sequence into SCCM.

 

install APPS for COMPUTER via LDAP - multiapp.xml

 

the task sequence closeup.jpg

 

Ok let's go through the Task Sequence Step by Step. If you import the Task Sequence above you'll have all this work done for you and you'll just need to edit your application names/distinguished names/package/program location etc, but below is an explanation of how it all works and what it means.

 

 

 

Set DomUser

Here we set the username for the Active Directory User that we will use to connect to AD to verify if the Computer Account is a member of that Active Directory Security Group.

 

Set DomPassword

Password for the above user. As it's in clear text within the Task Sequence, you will want to set the user's permissions accordingly in Active Directory.

 

Set FQDNDC

Set the Fully Qualified Distinguished Name for the Domain Controller, eg: ad1.server2008.lab.local

 

Set NetbiosDC

Set the Netbios name of your DC, eg: ad1

 

Use Toolkit Package

This step is copied from a standard Microsoft Deployment Toolkit Task sequence within SCCM, and as such merely points to the MDTFiles package.

 

FireFox

This is just a group name of the application we want installed.

 

Set ADGROUP

Here we set the Fully Qualified Distinguished Name of the Active Directory Security Group that we want to check in AD, eg: CN=Firefox Users,OU=Applications Group,OU=Inf,DC=server2008,DC=lab,DC=local. To find out how to obtain the Distinguished Name, please read this.

 

query LDAP

Here we actually call the CUSTOM_AppInstall.wsf script from within the previously downloaded MDTFiles package. It will return two possible values, false or true based on whether or not it can find the computer account in the Active Directory Security Group specified in the ADGROUP step above.

 

Install FireFox

This is a standard package installer step (Install a single application) which will point to your chosen application package and the program contained within. If no Program appears in the drop down menu then verify that the Program options below are set:

 

On the Environment tab of the program,

 

* Program can run: whether or not a user is logged on

* Run Mode: Allow users to interact with the program must be UNCHECKED (not selected).

 

On the Advanced tab of the program,

 

* select Allow this program to be installed from the Install Software task sequence without being advertised

 

Note: Click on the options tab and set it as follows, click on the Add condition drop down menu, select Task Sequence Variable, for Variable name enter InstallAPP for Value set True

 

This group step will run if the following conditions are met.jpg

 

 

Download the following:-

 

Here is the CUSTOM_AppInstall.wsf file zipped. Unzip and follow the instructions above to use.

 

CUSTOM_AppInstall.zip


Recommended Posts

  • 0

Hi,

 

Just thought I'd drop it in here. Another option might be to create a Collection that contains the specified AD group as member (or a query that gathers the members of the AD group) and set a collection variable. Because the Computer is a member of the specified collection through its AD group membership, it gets the specific variable available in the task sequence.

 

This way you can accomplish the same without having to do any custom scripting.

 

Just my 2 cents :)


  • 0

Hi,

 

Just thought I'd drop it in here. Another option might be to create a Collection that contains the specified AD group as member (or a query that gathers the members of the AD group) and set a collection variable. Because the Computer is a member of the specified collection through its AD group membership, it gets the specific variable available in the task sequence.

 

This way you can accomplish the same without having to do any custom scripting.

 

Just my 2 cents :)

Hi, can you please explain it in more detail? I have a requirement to install applications during an OSD task sequence based upon membership of users in AD groups. We have the user to computer UDA preconfigured. We also have ConfigMgr user collections querying AD groups. But the challenge is to install applications based upon user membership of an AD group. Can this be done without scripting?


  • 0

Hi, thanks for great article. In your task sequence all the applications have to be pre-created as tasks and then you check whether to install or not install a particular application upon membership of the computer in AD group which is associated with application.

 

I have a requirement to install applications during an OSD task sequence based upon membership of users in AD groups. We have the user to computer UDA preconfigured. We also have ConfigMgr user collections querying AD groups. But the challenge is to install applications based upon user membership of an AD group. What do you suggest as the best way of handling it?

 

Many thanks!


  • 0

you could prompt for the Username via a HTA frontend and use that username instead of computername to do the checking against.

Sorry, I wasn't clear enough. I can for sure get the username before the deployment starts and also scan for the user's membership of AD groups, but how do we pass this information to make the task sequence install the applications needed? We have 1000+ applications and the same number of AD groups. I think we cannot manually create all the application install steps in the task sequence. So, I wanted to know what your thoughts are on achieving this? I can create a script to query AD groups and pass on the list of groups of which the user is a member, but have no idea how I would use that list. Maybe set Coalesceapp? Not sure how to do it though.


  • 0

We have 1000+ applications and the same number of AD groups. I think we cannot manually create all the application install steps in the task sequence. So, I wanted to know what your thoughts are on achieving this?

 

simple, reduce the number, create a top 50 list of apps that you will install dynamically for users during the task sequence, everything else gets installed using normal Configuration Manager jobs, that's how we do it where I work (global company, 26000 clients)


  • 0

simple, reduce the number, create a top 50 list of apps that you will install dynamically for users during the task sequence, everything else gets installed using normal Configuration Manager jobs, that's how we do it where I work (global company, 26000 clients)

Thanks for the suggestion, not sure I can reduce the list to 50. I will post some updates in coming days if I succeed.


  • 0

Why over complicate this so much?

 

Daniel Oxley's original post had 4 actions per application to install. Niall's still has 3 actions per application to install. Multiply that by a mere 10 applications and you've got 30 actions (+ a group per set of 3 actions making it a total of 40 steps in TS).

 

I just do the following instead: created a 30 line script which gets the list of groups a computer is a member of. For each group the computer is a member of, it creates a TS variable where the name of the variable is the CN of the group and the value is set to True.

 

That way, you call the script to load the groups once and then on your conditions instead of using INSTALLAPP = True you use Firefox Users = True

 

This example works only on direct membership groups, but it can be easily modified to accommodate nested grouping by using the example here from Richard Mueller: http://www.rlmueller.net/Programs/IsMember8.txt. Should also be noted that the solution presented by both Daniel and Niall also only work in direct group membership.

 

On top of that, the solution from Daniel works out whether a computer is a member of the group by cycling through every single member until it either finds the computer or runs out of members to check against, when there's already an IsMember() method that returns True or False and can be called as:

 

Set objGroup = GetObject("LDAP://" & strGroupDN)

If objGroup.IsMember(strComputer) Then ...

 

 

 

Anyway, here's my alternative:

<job id="ZTIBde">
	<script language="VBScript" src="ZTIUtility.vbs"/>
	<script language="VBScript">

' Standard MDT script skeleton: ZTIUtility.vbs supplies oLogging, oEnvironment,
' Success and ProcessResults.
iRetVal = ZTIProcess
ProcessResults iRetVal

Function ZTIProcess()
	ZTIProcess = Success

	On Error Resume Next

	oLogging.CreateEntry "Retrieving direct groups membership.", LogTypeInfo

	' ADSystemInfo returns the DN of the computer this script runs on; it needs a
	' domain-joined full OS, which is why this does not work in WinPE as is.
	Set objSysInfo = CreateObject("ADSystemInfo")
	Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

	' memberOf is an array for several groups, a single string for one group and
	' Empty for none. For each direct group, create a TS variable named after the
	' group's CN with the value True, e.g. "Firefox Users" = True.
	If IsArray(objComputer.MemberOf) Then
		For Each strGroup In objComputer.MemberOf
			oEnvironment.Item(GetObject("LDAP://" & strGroup).CN) = True
		Next
	Else
		If Len(objComputer.MemberOf) > 0 Then
			oEnvironment.Item(GetObject("LDAP://" & objComputer.MemberOf).CN) = True
		End If
	End If

	' Any LDAP or binding error above is reported through the return code.
	ZTIProcess = err.Number
End Function

	</script>
</job>

It doesn't work in WinPE as is, but why would you want it to anyway? You can't install applications whilst in WinPE (though this can be easily modified to work in WinPE too for the skeptic ones).
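Added example, not the thread's CUSTOM_AppInstall.wsf nor the ZTIBde script above: a PowerShell script for a Run Command Line step that performs the original post's "query LDAP" check with its DomUser, DomPassword, FQDNDC and ADGROUP variables and sets InstallAPP, but also resolves nested group membership, which is the gap noted for all three approaches above. It assumes a Windows PowerShell-capable full OS; the script file name and the read-only query account are assumptions.

```powershell
# Run Command Line step (assumed name): powershell.exe -ExecutionPolicy Bypass -File Test-ADGroupMember.ps1
# Reads the task sequence variables from the original post, tests whether this computer is a
# member of ADGROUP (direct OR nested, via LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941)
# and sets InstallAPP to True/False for the "Install FireFox" step's condition.
$tsenv   = New-Object -ComObject Microsoft.SMS.TSEnvironment
$domUser = $tsenv.Value('DomUser')
$domPass = $tsenv.Value('DomPassword')
$dc      = $tsenv.Value('FQDNDC')
$groupDn = $tsenv.Value('ADGROUP')

# Escape the characters RFC 4515 reserves in filter values; backslash must be handled first.
function ConvertTo-LdapFilterValue([string]$s) {
    $s = $s -replace '\\', '\5c'
    $s = $s -replace '\*', '\2a'
    $s = $s -replace '\(', '\28'
    $s = $s -replace '\)', '\29'
    return $s
}

try {
    # Bind with the query account; it only needs read access to the group and computer objects.
    $root   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/RootDSE", $domUser, $domPass)
    $baseDn = [string]$root.Properties['defaultNamingContext'][0]
    $base   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$baseDn", $domUser, $domPass)

    # Computer accounts have sAMAccountName "NAME$". The matching-rule-in-chain clause makes the
    # DC walk group nesting, so a computer in a group that is itself in ADGROUP still matches.
    $sam    = ConvertTo-LdapFilterValue ($env:COMPUTERNAME + '$')
    $group  = ConvertTo-LdapFilterValue $groupDn
    $filter = "(&(objectCategory=computer)(sAMAccountName=$sam)(memberOf:1.2.840.113556.1.4.1941:=$group))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $filter)
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $found = $searcher.FindOne()

    $value = if ($null -ne $found) { 'True' } else { 'False' }
    $tsenv.Value('InstallAPP') = $value
    Write-Output "InstallAPP=$value for $env:COMPUTERNAME in $groupDn"
    exit 0
}
catch {
    # A bind or search failure must not silently skip the install; fail the step instead.
    Write-Output "LDAP check failed: $($_.Exception.Message)"
    $tsenv.Value('InstallAPP') = 'False'
    exit 1
}
```

If the step runs in the full OS after the domain join, the two credential arguments to DirectoryEntry can be dropped so the step binds as the computer account itself, which removes the clear-text DomPassword variable from the task sequence altogether.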


  • 0

Should also be noted that the solution presented by both Daniel and Niall also only work in direct group membership.

 

Not true... This solution of Niall directly queries the Active Directory group via LDAP, so it does nothing with (direct) collection membership. Also it should be noted that Niall is giving a lot of examples and ideas of how things COULD be done.

 

While we're spamming ideas now anyway, in case someone wants to do this with Orchestrator and users, then have a look here: http://www.petervanderwoude.nl/post/new-and-improved-pre-provision-user-applications-during-os-deployment-via-orchestrator-and-configmgr-2012/


  • 0

 

Not true... This solution of Niall directly queries the Active Directory group via LDAP, so it does nothing with (direct) collection membership. Also it should be noted that Niall is giving a lot of examples and ideas of how things COULD be done.

 

While we're spamming ideas now anyway, in case someone wants to do this with Orchestrator and users, then have a look here: http://www.petervanderwoude.nl/post/new-and-improved-pre-provision-user-applications-during-os-deployment-via-orchestrator-and-configmgr-2012/

 

Maybe it is me, I'm due to have my glasses changed soon you see, but I can't find anything about collections there, instead when I look at it my eyes read direct group membership.

 

There's this thing in AD called a group. You make other objects members of groups in a way that... ...well... groups them together.

 

So if you decide to make say ComputerA a member of Group1, you say that ComputerA is a member of Group1 through direct group membership.

 

If, however, you make ComputerA a member of Group1 and Group1 a member of Group2, then ComputerA is also a member of Group2, only through nested group membership.

 

Again: Daniel and Niall's solutions do not work on nested groups. Neither does the one presented by me, but that can be easily changed by using the script from Richard Mueller or a similar one.

 

Just so there's no confusion going forward: neither Daniel & Niall's solution nor my solution does anything at all with collections.
