anyweb

How can I Deploy Applications based on AD security group membership for Computers using a Task Sequence

Question

The following guide is based upon a post by Daniel Oxley on The Deployment Guys blog where he showed an MDT Task Sequence which could install applications based on Active Directory queries. I have modified the script provided and created a brand new Task Sequence for System Center Configuration Manager 2007. All you have to do is import the Task Sequence into ConfigMgr and start dynamically installing applications.

 

Note: This post is reproduced as a Webcast here.

 

OK, first of all, understand what this does and what you need done in the back-end.

 

What does this do?

 

The task sequence will set some variables, make a call to Active Directory using a user you define within the task sequence, and then, based upon the results returned, set another variable's value to True or False depending on whether a COMPUTER is a member of an Active Directory Security Group. It can loop through this many times to install several applications 'on the fly' during an OSD task sequence. The advantage of this is that the Task Sequence becomes dynamic based upon where the COMPUTER is present in AD.

 

xp2 is a member.jpg

 

In the above screenshot, the computer XP2 (amongst others) is a member of the FireFox Users Active Directory Security Group. Therefore, if we run the Task Sequence (and thus the script) on that computer, it will return a value of True for membership of the FireFox Users Active Directory Security Group, and the FireFox application will be installed dynamically during the Task Sequence.

 

 

 

 

What does it need?

 


     
  • You must have created some Active Directory Security Groups in AD for the applications you intend to install dynamically, and you should add the computer account to these groups. If the computer is not a member of the Active Directory Security Group, the software will not be installed via the task sequence.
  • You must have some applications pre-created in SCCM which can install as part of a normal task sequence.
  • You will need an Active Directory user which we will use to connect to AD to get the info. (I have created a standard user called QueryAd; for security reasons you should only grant this user the appropriate access in Active Directory.)
  • You will need full access to AD to add computers to the selected Active Directory Security Group(s) and to verify the Distinguished Names needed for the Task Sequence steps.
  • You will need MDT 2010 integrated with SCCM, and you will need to add the custom script CUSTOM_AppInstall.wsf to the scripts folder contained within the MDT2010Files package.

    custom_appinstall.wsf copied to scripts folder.jpg

    Once you have added the file, you must update the Distribution Points for that package.

 

update dp for mdt2010 files.jpg

 

 

 

 

 

 

Editing the Task Sequence

 

OK, now that you have what is needed, let's put it into action.

 

Import the following task sequence into SCCM.

 

install APPS for COMPUTER via LDAP - multiapp.xml

 

the task sequence closeup.jpg

 

OK, let's go through the Task Sequence step by step. If you import the Task Sequence above, you'll have all this work done for you and you'll just need to edit your application names, distinguished names, package/program locations etc., but below is an explanation of how it all works and what it means.

 

 

 

Set DomUser

Here we set the username for the Active Directory User that we will use to connect to AD to verify if the Computer Account is a member of that Active Directory Security Group.

 

Set DomPassword

Password for the above user. As it is stored in clear text within the Task Sequence, you will want to set the user's permissions accordingly in Active Directory.

 

Set FQDNDC

Set the Fully Qualified Domain Name (FQDN) of the Domain Controller, e.g. ad1.server2008.lab.local

 

Set NetbiosDC

Set the NetBIOS name of your DC, e.g. ad1

 

Use Toolkit Package

This step is copied from a standard Microsoft Deployment Toolkit Task sequence within SCCM, and as such merely points to the MDTFiles package.

 

FireFox

This is just a group name of the application we want installed.

 

Set ADGROUP

Here we set the Fully Qualified Distinguished Name of the Active Directory Security Group that we want to check in AD, e.g. CN=Firefox Users,OU=Applications Group,OU=Inf,DC=server2008,DC=lab,DC=local. To find out how to obtain the Distinguished Name, please read this.

 

query LDAP

Here we actually call the CUSTOM_AppInstall.wsf script from within the previously downloaded MDTFiles package. It will return one of two possible values, false or true, based on whether or not it can find the computer account in the Active Directory Security Group specified in the ADGROUP step above.

 

Install FireFox

This is a standard package installer step (Install a single application) which will point to your chosen application package and the program contained within. If no Program appears in the drop down menu then verify that the Program options below are set:

 

On the Environment tab of the program,

 

* Program can run: whether or not a user is logged on

* Run Mode: Allow users to interact with the program must be UNCHECKED (not selected).

 

On the Advanced tab of the program,

 

* Select Allow this program to be installed from the Install Software task sequence without being advertised

 

Note: Click on the Options tab and set it as follows: click on the Add condition drop-down menu, select Task Sequence Variable, for Variable name enter InstallAPP, and for Value set True.

 

This group step will run if the following conditions are met.jpg

 

 

Download the following:-

 

Here is the CUSTOM_AppInstall.wsf file zipped. Unzip it and follow the instructions above to use it.

 

CUSTOM_AppInstall.zip
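
One way to perform the check that the query LDAP step describes, written in PowerShell as an added example; it is not the CUSTOM_AppInstall.wsf script from this guide. It assumes PowerShell is available in the deployed OS and that DomUser is in a form the domain controller accepts for an LDAP bind; the function name ConvertTo-LdapFilterValue and the $Computer parameter are made up for illustration.

```powershell
# Added example: this is NOT the CUSTOM_AppInstall.wsf script from the guide.
# It reads the task sequence variables the guide sets and writes InstallAPP.
param([string]$Computer = $env:COMPUTERNAME)   # assumption: NetBIOS name of this machine

# The TSEnvironment COM object only exists while a task sequence is running.
$tsenv   = New-Object -ComObject Microsoft.SMS.TSEnvironment
$fqdnDc  = $tsenv.Value('FQDNDC')      # e.g. ad1.server2008.lab.local
$adGroup = $tsenv.Value('ADGROUP')     # distinguished name of the security group
$user    = $tsenv.Value('DomUser')     # the low-privilege query account
$pass    = $tsenv.Value('DomPassword')

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping: backslash first, then * ( ) and NUL, so a group such as
    # "Firefox Users (Pilot)" cannot change the structure of the search filter.
    $Value = $Value.Replace('\', '\5c').Replace('*', '\2a')
    $Value = $Value.Replace('(', '\28').Replace(')', '\29')
    return $Value.Replace([string][char]0, '\00')
}

$installApp = 'False'   # fail closed: any error leaves the application uninstalled
$root = $null
try {
    # Secure + Sealing: authenticated bind with the LDAP traffic encrypted.
    $auth = [System.DirectoryServices.AuthenticationTypes]'Secure, Sealing'
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$fqdnDc", $user, $pass, $auth)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # memberOf matches direct membership only (no nested groups, no primary group).
    $searcher.Filter = '(&(objectCategory=computer)(sAMAccountName={0}$)(memberOf={1}))' -f
        (ConvertTo-LdapFilterValue $Computer), (ConvertTo-LdapFilterValue $adGroup)
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    if ($null -ne $searcher.FindOne()) { $installApp = 'True' }
}
catch {
    Write-Warning "AD query failed: $($_.Exception.Message)"
}
finally {
    if ($root) { $root.Dispose() }
}

# The Install step's condition (InstallAPP equals True) reads this variable.
$tsenv.Value('InstallAPP') = $installApp
```

Because the result defaults to False, a failed bind or an unreachable domain controller skips the installation rather than installing software on a computer whose membership could not be confirmed.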
