jamitupya Posted May 14, 2009

Hi All,

I've been trying to figure this out for a while but keep failing totally, and in utter despair I need to ask how I can do this.

I want to deploy software through AD Groups linked to Collections in SCCM. Is there an easy way to do this? Can somebody give me a basic rundown on how this should occur? I want to learn it, but it is just one elusive SOB at the moment :S

Cheers

anyweb Posted May 14, 2009

It's easy to do, but you need to first decide if you want to deploy software to USERS or COMPUTERS. The recommended way is to deploy software to COMPUTERS, otherwise things can get messy (think one user using multiple computers...).

You will also have to enable Active Directory Discovery using the following two Discovery Methods in SCCM:

Active Directory System Group Discovery
Active Directory Security Group Discovery

Once done, in Active Directory you need to set up a structure for this. You will need to create some Active Directory Security Groups, and then create an OU in Active Directory and call it Applications Group.

Now you need to create your corresponding Collections in SCCM, so let's create three new collections:

Office 2003
  Computers in the Office 2003 Security Group
  Users in the Office 2003 Security Group

The two sub collections will have separate queries to determine their contents.

The query for Computers in the Office 2003 Security Group shall be:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "SCCM2007\\Office 2003 Users"

So from the above, SCCM2007 = your domain and Office 2003 Users is the Active Directory Security Group you added Computer Objects to.

Note: To define collection queries please read this post

The query for Users in the Office 2003 Security Group shall be:

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where UserGroupName = "sccm2007\\Office 2003 Users"

Now you can target these sub collections with software to install, so in this case you would target the collections above with an advertisement to install Microsoft Office 2003.
Once done, you can start adding computer or user objects to the respective Active Directory Group in Active Directory, and based on your Discovery Methods schedule they will appear within the correct Collection, and based on the collection they are in they will receive the correct advertisement.

As this is a common question, I have renamed the topic and pinned it.

Related steps:

How can I deploy an application using SCCM 2007 SP1?
How can I target an application to specific hardware using SCCM 2007 SP1?
How can I deploy Windows Vista SP1 using SCCM 2007 SP1?
How can I deploy Windows XP SP3 using SCCM 2007 SP1?
How can I deploy Windows Server 2008 using SCCM 2007 SP1?

cheers
anyweb

murda Posted May 22, 2009

Anyone care to explain to me the advantage of using security groups with computer names or usernames for software deployment through AD? All of our sec groups are applied with usernames. My boss wants the same with SCCM.

What happens if an admin account takes over a PC from another user? I can imagine that the software for Admins is going to be advertised towards the PC, or can I prevent this?

anyweb Posted May 22, 2009

> What happens if an admin account takes over a PC from another user? I can imagine that the software for Admins is going to be advertised towards the PC, or can I prevent this?

That's one problem with advertising software to USERS instead of COMPUTERS. Another problem is if the user uses multiple computers; that way you could have applications being installed all over the place and it would be very hard to manage.

The recommended solution is to advertise your software to Computer objects within the Active Directory Security Groups.

But remember, when you advertise software you can make it mandatory or not. If it's not mandatory the user gets the choice to install it or not (if you let them); if it's mandatory then it will get installed whether the user likes it or not.

cheers
anyweb

murda Posted July 9, 2009

> That's one problem with advertising software to USERS instead of COMPUTERS. Another problem is if the user uses multiple computers; that way you could have applications being installed all over the place and it would be very hard to manage.
>
> The recommended solution is to advertise your software to Computer objects within the Active Directory Security Groups.
>
> But remember, when you advertise software you can make it mandatory or not. If it's not mandatory the user gets the choice to install it or not (if you let them); if it's mandatory then it will get installed whether the user likes it or not.
>
> cheers
> anyweb

So why did you make this collection "Users in the Office 2003 Security Group"? It's basically pushing the install towards a user account?

anyweb Posted July 9, 2009

Not to the account, but to the computer the user is logged onto... I did it so that you can see how to target users with a query. Both methods work, but the preferable method is to target the Computer.

Kingskawn Posted July 30, 2009

When you put new computers in that OU, will they receive the packages? I don't think so. You have to set install once a day or something on the advertisement in order that new computers in the OU can pick up the ad. No?

anyweb Posted July 31, 2009

If the computer has not received the application yet, and it's applicable, then it will receive it. It all depends on your advertisement settings, but utilising AD groups is a great way of controlling how computers get software in SCCM.

jeaostro Posted September 30, 2009

Hello

Trying this one for an application now.

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueU serName,SMS_R_USER.WindowsNTDomain from SMS_R_User where UserGroupName = "ourdomain.no\\Visio 2007 Users"

When I try to enter this one into "edit query statement" (resource class is "user resource") I get "This Query has a syntax error. Are you sure you want to save it".

Have I missed something?

Thanks.

wmmayms Posted September 30, 2009

> Hello
>
> Trying this one for an application now.
>
> select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueU serName,SMS_R_USER.WindowsNTDomain from SMS_R_User where UserGroupName = "ourdomain.no\\Visio 2007 Users"
>
> When I try to enter this one into "edit query statement" (resource class is "user resource") I get "This Query has a syntax error. Are you sure you want to save it".
>
> Have I missed something?
>
> Thanks.

Try this instead:

select * from SMS_R_User where SMS_R_User.UserGroupName = "ourdomain.no\\Visio 2007 Users"

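Added example, not part of any post in this thread: a small Python check for group-based collection queries like the ones above. It flags whitespace inside a dotted property name (visible in the select list quoted in the two posts above), an unescaped backslash between domain and group, and a group property that does not match the resource class. The function name, the class/property pairing table (taken from the two queries in this thread) and the third sample string are constructed for illustration.

```python
import re

# Resource class -> group property, as paired in the two queries in this thread.
GROUP_PROPERTY = {"sms_r_system": "SystemGroupName", "sms_r_user": "UserGroupName"}


def lint_collection_query(wql):
    """Return a list of problems found in a group-based collection query."""
    problems = []
    # Pull out string literals, then mask them so their contents
    # (spaces, backslashes) are not mistaken for identifiers.
    literals = re.findall(r'"([^"]*)"', wql)
    masked = re.sub(r'"[^"]*"', '""', wql)

    m = re.match(r"\s*select\s+(.*?)\s+from\s+(\w+)\s+where\s+(.*)$",
                 masked, re.I | re.S)
    if not m:
        return ["not a 'select ... from ... where ...' statement"]
    select_list, resource_class, where = m.groups()

    # 1. Each select item must be '*' or one dotted name with no whitespace.
    for item in select_list.split(","):
        item = item.strip()
        if item != "*" and not re.fullmatch(r"\w+(\.\w+)?", item):
            problems.append(f"malformed select item: {item!r}")

    # 2. The group property must match the resource class being queried.
    expected = GROUP_PROPERTY.get(resource_class.lower())
    used = re.search(r"(?:\w+\.)?(\w*GroupName)\s*=", where, re.I)
    if expected and used and used.group(1).lower() != expected.lower():
        problems.append(
            f"{resource_class} is filtered on {used.group(1)}, expected {expected}")

    # 3. In a WQL string literal the backslash is an escape character, so the
    #    DOMAIN\group separator must be doubled; an odd-length run is an error.
    for lit in literals:
        if any(len(run) % 2 for run in re.findall(r"\\+", lit)):
            problems.append(f"unescaped backslash in literal: {lit!r}")
    return problems


# Query exactly as quoted in the post above (note the space in 'UniqueU serName').
BROKEN = ('select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,'
          'SMS_R_USER.UniqueU serName,SMS_R_USER.WindowsNTDomain from SMS_R_User '
          r'where UserGroupName = "ourdomain.no\\Visio 2007 Users"')
# Replacement query from the reply above.
FIXED = (r'select * from SMS_R_User where SMS_R_User.UserGroupName = '
         r'"ourdomain.no\\Visio 2007 Users"')
# Constructed sample: wrong property for the class and a single backslash.
MISMATCH = (r'select * from SMS_R_System where SMS_R_System.UserGroupName = '
            r'"EXAMPLE\Some Group"')

if __name__ == "__main__":
    for name, q in (("BROKEN", BROKEN), ("FIXED", FIXED), ("MISMATCH", MISMATCH)):
        print(name, lint_collection_query(q))
```
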
tecxx Posted October 20, 2009

Hello anyweb,

Thank you for your excellent description of the solution. I implemented this on our SCCM 2007, and the user accounts appear in my "OCS.AllUsers" collection.

I have then distributed our software package (OCS 2007 client in this case) to this collection, but no matter how hard I try, the users do not get the package. Software distribution via computer objects works excellently in our environment.

What am I possibly doing wrong?

Rajiv Posted November 13, 2009

Hi anyweb,

I implemented an almost exact scenario which you presented above in my environment.

I cannot see the "Office 2007" security group in my query. However, I do see all other groups such as "domain controllers". Why?

I looked at both security groups' properties in AD... they look the same to me. Both are global security groups. Other tabs are identical too.

I also see that in SCCM > queries > all security groups I see my "Office 2007" group. Hence SCCM does see my security group in AD. Only when I try to create a membership query in the collection, I don't see "Office 2007".

Is there something more I need to do?

Rajiv Posted November 13, 2009

I have some screenshots to share. This may explain what my problem is:

This is when I start editing the Query. Notice that the Resource class is the "System Resource".

Then I click the edit query statement button and I select this option: "System Group Name".

When I click on the "Value" button I expect to see "ASPDEV\Office 2007 computers" in the list, but I don't!

If you'd rather see the query, here it is:

select * from SMS_R_System where SMS_R_System.SystemGroupName = "ASPDEV\\Domain Computers"

{I would like to replace "Domain Computers" in the query with "Office 2007 computers", and I can do that manually by editing the query, but then nothing gets added to the collection}

I think that is because SCCM is not able to see "Office 2007 computers" inside the query.

What am I doing wrong? Someone please help!

Rajiv Posted November 13, 2009

I found my solution here:

http://social.technet.microsoft.com/Forums/en-CA/configmgrswdist/thread/5a1a64f5-e504-45d8-9097-b72c5ca7fafb

Basically, I had to run the "Active Directory System Group Discovery" manually ASAP. I was mistakenly running the "Active Directory Security Group Discovery" manually and hoping that the Office 2007 group would show up.

Also, another interesting thread:

http://social.technet.microsoft.com/Forums/en-US/configmgrswdist/thread/d1693ea5-8ce3-455d-bdfc-fcd6f9184d22/

dirtydom Posted November 17, 2009

Disclaimer… while writing this post I noticed a lot of errors all over the place under system status. These issues I encountered were encountered yesterday without all of these errors occurring. I will start looking into the errors; however, from first glance they appear to be WSUS related, which is not what I’m writing about here. I did notice a management point error explaining it’s not responding to HTTP requests (I just installed the Reporting Point yesterday so there might be a conflict between the two items using port 80?). Anyways, I still felt that while I look at these errors my post should still be reviewed because it is probably separate.

This is my second post... First I want to add to the appreciation of this forum. The information and step by step guides have proven invaluable and I really appreciate it!

What I am trying to figure out is why my test machine isn't responding to advertisements... I am trying to figure this out because obviously the software isn't installing from the pack.

Here's what I have configured...

I followed your instructions to configure SCCM, however I did it on a Windows 2003 server instead of 2008. It is a virtual server running on VMware ESXi. The only thing I have not done is extend the schema for SCCM or manually do anything with AD like ADSI edit. I didn't do that because this is a test environment and I did not want to intrude on AD. If that's all I have to do to resolve this issue please tell me.

I have successfully set up deployment of Windows XP for multiple versions of hardware, which includes software and driver installation specific to the hardware.

This software package I created is the first package so far. It is Adobe Reader 9. I set the package up by creating a transform file through Adobe's Customization Wizard 9.

Here is the command line which works if I run it manually from a computer...
*(I mean from the command line I can run this command, but obviously because it is remote and manual I have to designate the full network paths of the files)

msiexec.exe /i AcroRead.msi TRANSFORMS=AcroRead.mst /qb

What I am noticing is that the PC’s Configuration Manager does not know what SCCM site it is in. I am also not seeing any advertised software from the “Run Advertised Programs”.

I am also getting a lot of warnings on the client when I try to run the “repair” from the Configuration Manager.

Event Type: Warning  Event Source: WinMgmt  Event Category: None  Event ID: 63  Date: 11/16/2009  Time: 4:47:30 PM  User: NT AUTHORITY\SYSTEM  Computer: THIRDIMAGE
Description: A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, root\ccm\Policy\S_1_5_21_1504005034_1371222036_1539857752_8570, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning  Event Source: WinMgmt  Event Category: None  Event ID: 63  Date: 11/16/2009  Time: 4:47:30 PM  User: NT AUTHORITY\SYSTEM  Computer: THIRDIMAGE
Description: A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, root\ccm\Policy\Machine, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning  Event Source: WinMgmt  Event Category: None  Event ID: 63  Date: 11/16/2009  Time: 4:47:30 PM  User: NT AUTHORITY\SYSTEM  Computer: THIRDIMAGE
Description: A provider, AMTInvProvider, has been registered in the WMI namespace, root\cimv2\SMS, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning  Event Source: WinMgmt  Event Category: None  Event ID: 63  Date: 11/16/2009  Time: 4:47:29 PM  User: NT AUTHORITY\SYSTEM  Computer: THIRDIMAGE
Description: A provider, AMTProvisionProvider, has been registered in the WMI namespace, root\CCM, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning  Event Source: WinMgmt  Event Category: None  Event ID: 5603  Date: 11/16/2009  Time: 4:47:29 PM  User: NT AUTHORITY\SYSTEM  Computer: THIRDIMAGE
Description: A provider, BcdProv, has been registered in the WMI namespace, root\wmi, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Type: Warning  Event Source: WinMgmt  Event Category: None  Event ID: 63  Date: 11/16/2009  Time: 4:47:27 PM  User: NT AUTHORITY\SYSTEM  Computer: THIRDIMAGE
Description: A provider, AAInstProv, has been registered in the WMI namespace, root\cimv2\sms, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Now from the server side, what I did was create a collection with this query to designate the security group I created for this package, named Adobe Reader 9.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "RMS\\Adobe Reader 9"

This is what I am seeing with regard to the Advertisement status for this package.
When I look at a report of the active advertisements I see this:

Report Name: Status of a specific advertisement
Category: Software Distribution - Advertisement Status
Comment: This report shows the status summary of all resources that have been targeted by an advertisement. The summary is broken into two parts. Acceptance status will summarize how many resources have received, rejected, or not yet received the advertisement. Delivery status will summarize the resources that have run or attempted to run the program being advertised.
Parameters: Advertisement ID RG62000B

Status of a specific advertisement
11/17/2009 9:31:34 AM (Number of Records: 0)
No matching records could be found.
11/17/2009 9:31:34 AM (Number of Records: 0)

Any ideas for which direction to take? I am sure I am missing something; sometimes all it takes is another set of eyes. This is the work I did all day yesterday, so I figured I would stop wasting time and finally ask for help.

Thank you!

anyweb Posted November 17, 2009

Have you correctly configured the boundaries for your site?

dirtydom Posted November 17, 2009

> Have you correctly configured the boundaries for your site?

Here is how I configured the boundary... I pointed to the single AD site we have in place for now.

Here is how I configured the discovery methods... I pointed to an OU named laptops; all the machines I'm testing with, as well as the security groups for software distribution, are here.

dirtydom Posted November 19, 2009

Any ideas? I'm mainly looking for a direction on isolating the root cause.

Peter van der Woude Posted November 19, 2009

Did you also extend the AD?

dirtydom Posted November 20, 2009

> Did you also extend the AD?

No I didn't... do I need to do that in order for the software deployment to work?

During my investigation I noticed this:

"Four actions need to be taken in order to successfully enable Configuration Manager Clients to query Active Directory Domain Services to locate site resources:

Extend the Active Directory schema.
Create the System Management container.
Set security permissions on the System Management container.
Enable Active Directory publishing for the Configuration Manager site."

from

That appears to be the reason the client can't figure out what site it's in. Is the cause of this issue rooted in this not being done?

I speculated that was the case and even mentioned to my boss we probably need to proceed with the more intrusive parts of testing this product. I just hated the idea of trying something out and performing an "irreversible action". I put that in quotes because that's mentioned a lot, however that is not the case; if you do it carefully it is not irreversible. (rant)

Anyways, thanks for the reply... I'll look forward to another one!

jamitupya Posted November 20, 2009

You nailed it, SCCM pulls data from the systems management container in order to pick up boundary and site data. You will need to extend the schema if you wish to test further... it's not that scary of a process, though it can break... I recommend before you extend, ensure that all your replication has completed successfully using:

repadmin /replsummary

or

repadmin /showrepl

Sample below....

C:\Users\XXXXXXXXX>repadmin /replsummary
Replication Summary Start Time: 2009-11-20 14:00:44

Beginning data collection for replication summary, this may take awhile:
  .......

Source DSA          largest delta    fails/total %%   error
 DOMAIN1DC1               10m:43s    0 /  10    0
 DOMAIN1DC2               08m:33s    0 /  10    0
 SUBDOMAIN1DC1            11m:44s    0 /  14    0
 SUBDOMAIN1DC2            10m:44s    0 /   8    0

Destination DSA     largest delta    fails/total %%   error
 DOMAIN1DC1               08m:39s    0 /  14    0
 DOMAIN1DC2               11m:52s    0 /  14    0
 SUBDOMAIN1DC2            04m:30s    0 /  14    0

Experienced the following operational errors trying to retrieve replication information:
          58 - SUBDOMAIN1DC1.SUBDOMAIN1.DOMAIN.COM

Peter van der Woude Posted November 20, 2009

It is not needed to extend the AD, but it makes the process a lot easier... When you do not want to extend the AD, then you have to use a Server Locator Point (http://technet.microsoft.com/en-us/library/bb680672.aspx).

dirtydom Posted November 20, 2009

> It is not needed to extend the AD, but it makes the process a lot easier... When you do not want to extend the AD, then you have to use a Server Locator Point (http://technet.microsoft.com/en-us/library/bb680672.aspx).

I had already added the server locator point... I think I understand you're saying it's not that easy. Is that right?

dirtydom Posted November 20, 2009

> You nailed it, SCCM pulls data from the systems management container in order to pick up boundary and site data. You will need to extend the schema if you wish to test further... it's not that scary of a process, though it can break... I recommend before you extend, ensure that all your replication has completed successfully using:
>
> repadmin /replsummary
>
> or
>
> repadmin /showrepl

Gotcha... thanks for the clarification & instructions!

dirtydom Posted December 4, 2009

Ok.. Well, it appears I managed to get it working without the schema update. I agree the schema update makes things easier and I am expecting more issues until this update is done, but I was personally kept from being able to run the update because our Change Control wouldn't allow it.

The only major deviation from setting up SCCM is that I disabled updating AD. I did this because of all the errors I got with SCCM trying to update itself in AD, and until we extend the schema it's not going to work anyway. This is in the properties of the site.

Then what I changed was the command line information for SCCM's client installation. I had to manually specify all the settings so the client knew where it was pointing to. This is a requirement when you have a server locator point instead of an extended schema. This is the syntax I added:

CCMSETUP.EXE /noservice SMSMP=tstsccm SMSSITECODE=rg6 smslp=TSTSCCM

This was in the properties of the program.

Now I also followed instructions for WSUS config and noticed the client inside the package said yes under WSUS but not under the Adobe pack. I decided to remove the query information altogether to make it manually add itself and requery, and then this showed the client was "yes". I did that because I had tried reinstalling the client a million times and never once did the actual client say it was "yes".

After this the software install and updates started right up.

Thanks again for everybody's help on this!!!