anyweb

How can I Deploy Applications based on AD security group membership for Computers using a Task Sequence

you could prompt for the Username via a HTA frontend and use that username instead of computername to do the checking against.

Sorry, I wasn't clear enough. I can for sure get the username before the deployment starts and also scan for the user's membership of AD groups, but how do we pass this information to make the task sequence install the applications needed? We have 1000+ applications and the same number of AD groups. I think we cannot manually create all the application install steps in the task sequence. So, I wanted to know what your thoughts are on achieving this. I can create a script to query AD groups and pass on the list of groups of which the user is a member, but I have no idea how I would use that list. Maybe set Coalesceapp? Not sure how to do it though.


We have 1000+ applications and the same number of AD groups. I think we cannot manually create all the application install steps in the task sequence. So, I wanted to know what your thoughts are on achieving this.

simple, reduce the number, create a top 50 list of apps that you will install dynamically for users during the task sequence, everything else gets installed using normal Configuration Manager jobs, that's how we do it where I work (global company, 26000 clients)


simple, reduce the number, create a top 50 list of apps that you will install dynamically for users during the task sequence, everything else gets installed using normal Configuration Manager jobs, that's how we do it where I work (global company, 26000 clients)

Thanks for the suggestion, not sure I can reduce the list to 50. I will post some updates in coming days if I succeed.


Why over-complicate this so much?

Daniel Oxley's original post had 4 actions per application to install. Niall's still has 3 actions per application to install. Multiply that by a mere 10 applications and you've got 30 actions (+ a group per set of 3 actions, making it a total of 40 steps in the TS).

I just do the following instead: I created a 30-line script which gets the list of groups a computer is a member of. For each group the computer is a member of, it creates a TS variable where the name of the variable is the CN of the group and the value is set to True.

That way, you call the script to load the groups once, and then in your conditions, instead of using INSTALLAPP = True, you use Firefox Users = True.

This example works only on direct membership groups, but it can be easily modified to accommodate nested grouping by using the example here from Richard Mueller: http://www.rlmueller.net/Programs/IsMember8.txt. It should also be noted that the solution presented by both Daniel and Niall also only works on direct group membership.

On top of that, the solution from Daniel works out whether a computer is a member of the group by cycling through every single member until it either finds the computer or runs out of members to check against, when there's already an IsMember() method that returns True or False and can be called as:

Set objGroup = GetObject("LDAP://" & strGroupDN)
If objGroup.IsMember(strComputer) Then ...

Anyway, here's my alternative:

<job id="ZTIBde">
	<script language="VBScript" src="ZTIUtility.vbs"/>
	<script language="VBScript">

' MDT-style entry point: ZTIUtility.vbs supplies oLogging, oEnvironment,
' Success and ProcessResults.
iRetVal = ZTIProcess
ProcessResults iRetVal

Function ZTIProcess()
	ZTIProcess = Success

	' Errors are not fatal here; the last Err.Number is returned at the end.
	On Error Resume Next

	oLogging.CreateEntry "Retrieving direct groups membership.", LogTypeInfo

	' ADSystemInfo.ComputerName is the distinguished name of this computer.
	' It needs a domain-joined full OS, which is why this does not run in WinPE.
	Set objSysInfo = CreateObject("ADSystemInfo")
	Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

	' memberOf is an array when the computer is in several groups, a single
	' string when it is in exactly one, and empty when it is in none.
	' For each group, the TS variable named after the group's CN is set to True
	' (stored as the string "True", which is what the step conditions compare).
	If IsArray(objComputer.MemberOf) Then
		For Each strGroup In objComputer.MemberOf
			oEnvironment.Item(GetObject("LDAP://" & strGroup).CN) = True
		Next
	Else
		If Len(objComputer.MemberOf) > 0 Then
			oEnvironment.Item(GetObject("LDAP://" & objComputer.MemberOf).CN) = True
		End If
	End If

	ZTIProcess = err.Number
End Function

	</script>
</job>

It doesn't work in WinPE as is, but why would you want it to anyway? You can't install applications whilst in WinPE (though this can be easily modified to work in WinPE too, for the skeptics).


It should also be noted that the solution presented by both Daniel and Niall also only works on direct group membership.

Not true... This solution of Niall directly queries the Active Directory group via LDAP, so it does nothing with (direct) collection membership. Also it should be noted that Niall is giving a lot of examples and ideas of how things COULD be done.

While we're spamming ideas now anyway, in case someone wants to do this with Orchestrator and users, then have a look here: http://www.petervanderwoude.nl/post/new-and-improved-pre-provision-user-applications-during-os-deployment-via-orchestrator-and-configmgr-2012/


Not true... This solution of Niall directly queries the Active Directory group via LDAP, so it does nothing with (direct) collection membership. Also it should be noted that Niall is giving a lot of examples and ideas of how things COULD be done.

While we're spamming ideas now anyway, in case someone wants to do this with Orchestrator and users, then have a look here: http://www.petervanderwoude.nl/post/new-and-improved-pre-provision-user-applications-during-os-deployment-via-orchestrator-and-configmgr-2012/

Maybe it is me, I'm due to have my glasses changed soon you see, but I can't find anything about collections there; instead, when I look at it, my eyes read direct group membership.

There's this thing in AD called a group. You make other objects members of groups in a way that... ...well... groups them together.

So if you decide to make, say, ComputerA a member of Group1, you say that ComputerA is a member of Group1 through direct group membership.

If, however, you make ComputerA a member of Group1 and Group1 a member of Group2, then ComputerA is also a member of Group2, only through nested group membership.

Again: Daniel's and Niall's solutions do not work on nested groups. Neither does the one presented by me, but that can be easily changed by using the script from Richard Mueller or a similar one.

Just so there's no confusion going forward: neither Daniel & Niall's solution nor my solution does anything at all with collections.

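As an added example (not code from this thread, and not how any of the posters above do it), here is a PowerShell version of the same idea that addresses the two points argued over in this thread. It resolves nested membership with one server-side LDAP query, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), so there is no need to walk group members the way the IsMember() discussion above describes; and, as one answer to the original question of how to hand a list of entitled applications to the task sequence, it fills a numbered variable list that the ConfigMgr "Install Application" step can consume when set to "Install applications according to dynamic variable list". Assumed for this example and not taken from the thread: the base name APPS, the group-to-application table, the sample DNs used by -DryRun, and the Publish-GroupMembership function name. The flag-per-group variables keep the post's convention of naming them after the group CN, but the application mapping is keyed on the full DN because a CN is not unique across OUs. Unlike the On Error Resume Next script above, an LDAP failure here fails the step instead of quietly installing nothing.

```powershell
<#
  Added example, not code from the thread above. Resolves a computer's AD group
  membership INCLUDING nested groups and hands it to the task sequence in two forms:
    1. a flag variable per group, as in the script posted above (name = group CN,
       value = True), and
    2. a numbered list (APPS01, APPS02, ...) for the ConfigMgr "Install Application"
       step option "Install applications according to dynamic variable list".
  Assumptions: the APPS base name, the group-to-application table and the sample
  DNs used by -DryRun are all made up for this example.
#>
[CmdletBinding()]
param(
    [switch]$DryRun,                 # do not touch AD or the TS environment; use sample data
    [string]$AppListBase = 'APPS'    # base name of the dynamic variable list (assumption)
)
$ErrorActionPreference = 'Stop'      # an LDAP failure must fail the step, not silently install nothing

# Constructed for the example: which group entitles which application (name as shown in the console).
# Keyed on the full DN because a CN such as "Admins" can exist in more than one OU.
$AppByGroupDN = @{
    'CN=Firefox Users,OU=Software,DC=corp,DC=example' = 'Mozilla Firefox'
    'CN=7-Zip Users,OU=Software,DC=corp,DC=example'   = '7-Zip'
}

# RFC 4515 escaping so a DN containing ( ) * or \ cannot break or widen the LDAP filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# One server-side query: LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) follows
# nested membership, so a computer in "Firefox Pilot" nested under "Firefox Users" gets both.
function Get-ComputerGroupDN {
    param([string]$ComputerDN)
    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + [string]$root.defaultNamingContext)
    $searcher.Filter = '(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=' +
                       (ConvertTo-LdapFilterValue $ComputerDN) + '))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) { [string]$result.Properties['distinguishedname'][0] }
}

# First RDN of a DN, with RFC 4514 escapes removed (e.g. "CN=Sales\, EMEA,..." -> "Sales, EMEA").
function Get-DnCN {
    param([string]$DN)
    if ($DN -notmatch '^CN=((?:\\.|[^,])+)') { throw "Not a CN-rooted DN: $DN" }
    $Matches[1] -replace '\\(.)', '$1'
}

# Builds the variable set; $Writer is either Microsoft.SMS.TSEnvironment or $null (dry run).
# Returns an ordered table of everything it set so the caller can log it.
function Publish-GroupMembership {
    param([string[]]$GroupDNs, [hashtable]$AppMap, [string]$ListBase, $Writer)
    $set  = [ordered]@{}
    $apps = New-Object System.Collections.Generic.List[string]
    foreach ($dn in ($GroupDNs | Sort-Object -Unique)) {
        $set[(Get-DnCN $dn)] = 'True'                          # flag variable, as in the post above
        if ($AppMap.ContainsKey($dn) -and -not $apps.Contains($AppMap[$dn])) { $apps.Add($AppMap[$dn]) }
    }
    for ($i = 0; $i -lt $apps.Count; $i++) {
        $set[('{0}{1:D2}' -f $ListBase, ($i + 1))] = $apps[$i]  # APPS01, APPS02, ...
    }
    foreach ($name in $set.Keys) {
        if ($Writer) { $Writer.Value($name) = $set[$name] }    # TS variables are strings
    }
    $set
}

if ($DryRun) {
    # Constructed sample: direct member of Firefox Pilot, which is nested in Firefox Users.
    $groups = @(
        'CN=Firefox Pilot,OU=Software,DC=corp,DC=example',
        'CN=Firefox Users,OU=Software,DC=corp,DC=example',
        'CN=7-Zip Users,OU=Software,DC=corp,DC=example'
    )
    $writer = $null
} else {
    # ADSystemInfo has no type library, so its properties must be read through InvokeMember.
    # ComputerName is this machine's DN; it needs a domain-joined full OS (not WinPE).
    $sysInfo    = New-Object -ComObject ADSystemInfo
    $computerDN = $sysInfo.GetType().InvokeMember('ComputerName', 'GetProperty', $null, $sysInfo, $null)
    $groups     = @(Get-ComputerGroupDN $computerDN)
    $writer     = New-Object -ComObject Microsoft.SMS.TSEnvironment
}
Publish-GroupMembership -GroupDNs $groups -AppMap $AppByGroupDN -ListBase $AppListBase -Writer $writer |
    Format-Table -AutoSize
```

Run it with -DryRun on any workstation to see the variables it would set (Firefox Pilot, Firefox Users and 7-Zip Users flags plus APPS01 and APPS02); without the switch it must run inside the task sequence, in the full OS after the domain join, so that the Microsoft.SMS.TSEnvironment COM object exists and the computer account can query AD. A following "Install Application" step set to use the dynamic variable list with base name APPS then installs exactly the applications the group mapping entitles, without one step per application.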
