jamitupya

Deploy software through AD Groups linked to Collections in SCCM




Hi All,

I've been trying to figure this out for a while but keep failing totally, and in utter despair I need to ask how I can do this.

 

I want to deploy software through AD Groups linked to Collections in SCCM.

 

Is there an easy way to do this? Can somebody give me a basic rundown on how this should occur? I want to learn it, but it is just one elusive SOB at the moment :S

 

Cheers



It's easy to do, but you need to first decide if you want to deploy software to USERS or COMPUTERS.

 

The recommended way is to deploy software to COMPUTERS, otherwise things can get messy (think one user using multiple computers...).

 

you will also have to enable Active Directory Discovery using the following two Discovery Methods in SCCM

 

discovery_methods.jpg

 

Active Directory System Group Discovery

Active Directory Security Group Discovery

 

Once done... in Active Directory you need to set up a structure for this.

 

You will need to create some Active Directory Security Groups, and then create an OU in Active Directory and call it Applications Group

 

security_groups_in_ad.jpg

 

now, you need to create your corresponding Collections in SCCM,

 

So let's create three new collections:

 

Office 2003

Computers in the Office 2003 Security Group

Users in the Office 2003 Security Group

 

office_2003_collections.jpg

 

The two sub collections will have separate queries to determine their contents:

 

The query for Computers in the Office 2003 Security Group shall be

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "SCCM2007\\Office 2003 Users"

 

So from the above, SCCM2007 = your domain and Office 2003 Users is the Active Directory Security Group you added Computer Objects to.

 

Note: To define collection queries please read this post

 

The query for Users in the Office 2003 Security Group shall be

 

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where UserGroupName = "sccm2007\\Office 2003 Users"

 

Now you can target these sub collections with software to install, so in this case you would target the collections above with an advertisement to install Microsoft Office 2003.

 

Once done, you can start adding computer or user objects to the respective Active Directory Group in Active Directory, and based on your Discovery Methods schedule they will appear within the correct Collection,

 

computers.jpg

 

and based on the collection they are in they will receive the correct advertisement,

 

advertisement.jpg

 

as this is a common question, I have renamed the topic, and pinned it.

 

 

 

Related steps:

 

How can I deploy an application using SCCM 2007 SP1 ?

 

How can I target an application to specific hardware using SCCM 2007 SP1 ?

 

how can I deploy Windows Vista SP1 using SCCM 2007 SP1 ?

 

how can I deploy Windows XP SP3 using SCCM 2007 SP1 ?

 

how can I deploy Windows Server 2008 using SCCM 2007 SP1 ?

 

 

cheers

anyweb

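As an added example (not code from the original post), the following PowerShell builds the two collection queries shown above for any domain/group pair and runs them against the SMS provider, so you can confirm that AD System Group Discovery (computers) or AD Security Group Discovery (users) has actually populated the group name on the discovered resources before you create the collection and advertisement. SITESERVER01 is a constructed placeholder, RG6 is the site code that appears later in this thread; swap in your own values.

```powershell
# Added example, not code from the original thread.
# Builds the SCCM 2007 collection queries for an AD-group-based collection and
# previews their membership through the SMS provider on the site server.
# SITESERVER01 is a constructed placeholder; RG6 is the site code used in this thread.

function New-AdGroupCollectionQuery {
    param(
        [Parameter(Mandatory=$true)] [string] $Domain,
        [Parameter(Mandatory=$true)] [string] $GroupName,
        [ValidateSet('Computer', 'User')] [string] $Target = 'Computer'
    )
    # WQL string literals use backslash escaping, so the single backslash in
    # DOMAIN\Group must be written as a double backslash inside the query text.
    $member = '{0}\\{1}' -f $Domain, $GroupName
    if ($Target -eq 'Computer') {
        # Computer objects: SystemGroupName is filled by AD System Group Discovery.
        return "select SMS_R_System.ResourceID, SMS_R_System.Name, SMS_R_System.Client " +
               "from SMS_R_System where SMS_R_System.SystemGroupName = `"$member`""
    }
    # User objects: UserGroupName is filled by AD Security Group Discovery.
    return "select SMS_R_User.ResourceID, SMS_R_User.Name, SMS_R_User.UniqueUserName " +
           "from SMS_R_User where SMS_R_User.UserGroupName = `"$member`""
}

function Test-AdGroupCollectionQuery {
    param(
        [Parameter(Mandatory=$true)] [string] $SiteServer,
        [Parameter(Mandatory=$true)] [string] $SiteCode,
        [Parameter(Mandatory=$true)] [string] $Query
    )
    # The SMS provider evaluates the same WQL the collection evaluator uses,
    # so an empty result here means the collection would be empty too.
    $ns   = "root\sms\site_$SiteCode"
    $rows = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query $Query)
    if ($rows.Count -eq 0) {
        Write-Warning ("No resources match. Check that the group name matches AD exactly " +
                       "and that the relevant discovery method has run since the members " +
                       "were added (System Group Discovery for computers, Security Group " +
                       "Discovery for users).")
    }
    $rows | Select-Object ResourceID, Name
}

# Preview the computer-based collection from the post above.
$query = New-AdGroupCollectionQuery -Domain 'SCCM2007' -GroupName 'Office 2003 Users' -Target Computer
Write-Host "Collection query: $query"
Test-AdGroupCollectionQuery -SiteServer 'SITESERVER01' -SiteCode 'RG6' -Query $query
```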

Anyone care to explain to me the advantage of using security groups with computer names or usernames for software deployment through AD?

All of our sec groups are applied with usernames. My boss wants the same with SCCM.

 

What happens if an admin account takes over a PC from another user? I can imagine that the software for Admins is going to be advertised to the PC, or can I prevent this?

What happens if an admin account takes over a PC from another user? I can imagine that the software for Admins is going to be advertised to the PC, or can I prevent this?

 

 

That's one problem with advertising software to USERS instead of COMPUTERS.

 

Another problem is if the user uses multiple computers; that way you could have applications being installed all over the place and it would be very hard to manage.

 

the recommended solution is to advertise your software to Computer objects within the Active Directory Security Groups

 

But remember, when you advertise software you can make it mandatory or not. If it's not mandatory the user gets the choice to install it or not (if you let them); if it's mandatory then it will get installed whether the user likes it or not.

 

cheers

anyweb

That's one problem with advertising software to USERS instead of COMPUTERS.

 

Another problem is if the user uses multiple computers; that way you could have applications being installed all over the place and it would be very hard to manage.

 

the recommended solution is to advertise your software to Computer objects within the Active Directory Security Groups

 

But remember, when you advertise software you can make it mandatory or not. If it's not mandatory the user gets the choice to install it or not (if you let them); if it's mandatory then it will get installed whether the user likes it or not.

 

cheers

anyweb

 

So why did you make this collection "Users in the Office 2003 Security Group"?

It's basically pushing the install towards a user account?


not to the account, but to the computer the user is logged onto...

 

i did it so that you can see how to target users with a query

 

both methods work but the preferable method is to target the Computer


When you put new computers in that OU, will they receive the packages? I don't think so. You have to set "install once a day" or something on the advertisement in order that new computers in the OU can pick up the ad. No?


if the computer has not received the application yet, and it's applicable then it will receive it, it all depends on your advertisement settings, but utilising AD groups is a great way of controlling how computers get software in SCCM


Hello

 

Trying this one for an application now.

 

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where UserGroupName = "ourdomain.no\\Visio 2007 Users"

 

When I try to enter this one into "edit query statement" (resource class is "user resource") I get "This Query has a syntax error. Are you sure you want to save it".

 

Have I missed something?

 

Thanks.


Hello

 

Trying this one for an application now.

 

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where UserGroupName = "ourdomain.no\\Visio 2007 Users"

 

When I try to enter this one into "edit query statement" (resource class is "user resource") I get "This Query has a syntax error. Are you sure you want to save it".

 

Have I missed something?

 

Thanks.

 

Try this instead

 

select * from SMS_R_User where SMS_R_User.UserGroupName = "ourdomain.no\\Visio 2007 Users"


Hello anyweb,

thank you for your excellent description of the solution.

 

I implemented this on our SCCM 2007, and the user accounts appear in my "OCS.AllUsers" collection. I have then distributed our software package (OCS 2007 client in this case) to this collection, but no matter how hard I try, the users do not get the package.

 

software distribution via computer objects works excellent in our environment. what am i possibly doing wrong?


Hi anyweb,

I implemented an almost exact scenario which you presented above in my environment.

 

I cannot see the "Office 2007" security group in my query. However I do see all other groups such as "domain controllers". Why?

 

I looked at both security group's properties in AD.....they look the same to me. Both are global security groups. Other tabs are identical too.

I also see that in SCCM > queries > all security groups ...I see my "Office 2007" group. Hence SCCM does see my security group in AD.

Only when I try to create a membership query in the collection ...I don't see "Office 2007"

 

Is there something more I need to do?


I have some screenshots to share. This may explain what my problem is:

 

This is when I start editing the Query. Notice that the Resource class is the "System Resource"

 

post-4113-1258141092996_thumb.jpg

 

Then I click the edit query statement button and I select this option: "System Group Name"

 

post-4113-12581410995816_thumb.jpg

 

When I click on "Value" button I expect to see "ASPDEV\Office 2007 computers" in the list, but I dont!

 

post-4113-12581411089805_thumb.jpg

 

If you'd rather see the query, here it is:

 

select * from SMS_R_System where SMS_R_System.SystemGroupName = "ASPDEV\\Domain Computers"

 

{I would like to replace "Domain Computers" in the query with "Office 2007 computers", and I can do that manually by editing the query, but then nothing gets added to the collection}

I think that is because SCCM is not able to see "Office 2007 computers" inside the query.

 

What am I doing wrong?

Someone please help!


I found my solution here:

http://social.technet.microsoft.com/Forums/en-CA/configmgrswdist/thread/5a1a64f5-e504-45d8-9097-b72c5ca7fafb

 

Basically, I had to run the "Active Directory System Group Discovery" manually ASAP.

I was mistakenly running the "Active Directory Security Group Discovery" manually and hoping that Office 2007 group will show up.

 

Also, another interesting thread:

http://social.technet.microsoft.com/Forums/en-US/configmgrswdist/thread/d1693ea5-8ce3-455d-bdfc-fcd6f9184d22/


Disclaimer... while writing this post I noticed a lot of errors all over the place under system status. The issues I describe here were encountered yesterday without all of these errors occurring. I will start looking into the errors; however, from first glance they appear to be WSUS related, which is not what I'm writing about here. I did notice a management point error explaining it's not responding to HTTP requests (I just installed the Reporting Point yesterday, so there might be a conflict between the two items using port 80?). Anyway, while I look at these errors I still felt my post should be reviewed, because it is probably a separate issue.

 

This is my second post... First I want to add to the appreciation of this forum. The information and step by step guides have proven invaluable and I really appreciate it!

 

What I am trying to figure out is why my test machine isn't responding to advertisements... I am trying to figure this out because obviously the software isn't installing from the pack.

 

Here's what I have configured...

 

I followed your instructions to configure SCCM, however I did it on a Windows 2003 server instead of 2008. It is a virtual server running on VMware ESXi. The only thing I have not done is extend the schema for SCCM or manually do anything with AD like ADSI Edit. I didn't do that because this is a test environment and I did not want to intrude on AD. If that's all I have to do to resolve this issue, please tell me.

 

I have successfully setup deployment of Windows XP for multiple versions of hardware which include software and driver installation specific to the hardware.

 

This software package I created is the first package so far. It is Adobe Reader 9. I set the package up by creating a transform file through Adobe's Customization Wizard 9.

 


Here is the command line which works if I run it manually from a computer... *(I mean from the command line I can run this command but obviously because it is remotely and manual I have to designate the full network paths of the files)

msiexec.exe /i AcroRead.msi TRANSFORMS=AcroRead.mst /qb

 

 

 


What I am noticing is that the PC’s Configuration manager does not know what SCCM site it is in.

post-4156-12584681562076_thumb.jpg

 


I am also not seeing any advertised software from the “Run Advertised Programs”

post-4156-12584682029064_thumb.jpg

 

 

I am also getting a lot of warnings on the client when I try to run the “repair” from the configuration manager.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 11/16/2009
Time: 4:47:30 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, root\ccm\Policy\S_1_5_21_1504005034_1371222036_1539857752_8570, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 11/16/2009
Time: 4:47:30 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, root\ccm\Policy\Machine, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 11/16/2009
Time: 4:47:30 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, AMTInvProvider, has been registered in the WMI namespace, root\cimv2\SMS, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 11/16/2009
Time: 4:47:29 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, AMTProvisionProvider, has been registered in the WMI namespace, root\CCM, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 5603
Date: 11/16/2009
Time: 4:47:29 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, BcdProv, has been registered in the WMI namespace, root\wmi, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 11/16/2009
Time: 4:47:27 PM
User: NT AUTHORITY\SYSTEM
Computer: THIRDIMAGE
Description:
A provider, AAInstProv, has been registered in the WMI namespace, root\cimv2\sms, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

 

Now from the server side


what I did was create a collection with this query to designate the security group I created for this package named adobe reader 9.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "RMS\\Adobe Reader 9"

 

 

This is what I am seeing with regard to the Advertisement status for this package.

post-4156-1258468384411_thumb.jpg

 

When I look at a report of the active advertisements I see this

Report Name: Status of a specific advertisement

Category: Software Distribution - Advertisement Status

Comment: This report shows the status summary of all resources that have been targeted by an advertisement. The summary is broken into two parts. Acceptance status will summarize how many resources have received, rejected, or not yet received the advertisement. Delivery status will summarize the resources that have run or attempted to run the program being advertised.

Parameters: Advertisement ID RG62000B

 

Status of a specific advertisement

11/17/2009 9:31:34 AM (Number of Records: 0)

No matching records could be found.

11/17/2009 9:31:34 AM (Number of Records: 0)

 

Any ideas for which direction to take? I am sure I am missing something, sometimes all it takes is another set of eyes. This is the work I did all day yesterday so I figured I would stop wasting time and finally ask for help.

 

Thank you!

post-4156-12584772012246_thumb.jpg


have you correctly configured the boundaries for your site ?


have you correctly configured the boundaries for your site ?

 

Here is how I configured the boundary... I pointed to the single AD site we have in place for now.

 

post-4156-12584801875136_thumb.jpg

 

Here is how I configured the discovery methods...

 

I pointed to an OU named laptops, all the machines i'm testing with as well as the security groups for software distribution are here.

post-4156-12584800484361_thumb.jpg


Did you also extend the AD?

 

 

No I didn't... do I need to do that in order for the software deployment to work? During my investigation I noticed this:

 

"Four actions need to be taken in order to successfully enable Configuration Manager Clients to query Active Directory Domain Services to locate site resources:

 

Extend the Active Directory schema.

Create the System Management container.

Set security permissions on the System Management container.

Enable Active Directory publishing for the Configuration Manager site." from

 

That appears to be the reason the client can't figure out what site it's in. Is the cause of this issue rooted in this not being done? I speculated that was the case and even mentioned to my boss that we probably need to proceed with the more intrusive parts of testing this product. I just hated the idea of trying something out and performing an "irreversible action". I put that in quotes because that's mentioned a lot; however, that is not the case: if you do it carefully it is not irreversible. (rant)

 

anyways thanks for the reply... I'll look forward to another one!


You nailed it, SCCM pulls data from the systems management container in order to pick up boundary and site data.

You will need to extend the schema if you wish to test further...

 

It's not that scary of a process, though it can break... I recommend, before you extend, ensuring that all your replication has completed successfully using:

repadmin /replsummary or repadmin /showrepl

 

sample below....

 

C:\Users\XXXXXXXXX>repadmin /replsummary
Replication Summary Start Time: 2009-11-20 14:00:44

Beginning data collection for replication summary, this may take awhile:
  .......

Source DSA          largest delta    fails/total %%   error
 DOMAIN1DC1           10m:43s    0 /  10    0
 DOMAIN1DC2           08m:33s    0 /  10    0
 SUBDOMAIN1DC1        11m:44s    0 /  14    0
 SUBDOMAIN1DC2        10m:44s    0 /   8    0

Destination DSA     largest delta    fails/total %%   error
 DOMAIN1DC1           08m:39s    0 /  14    0
 DOMAIN1DC2           11m:52s    0 /  14    0
 SUBDOMAIN1DC2        04m:30s    0 /  14    0

Experienced the following operational errors trying to retrieve replication information:
        58 - SUBDOMAIN1DC1.SUBDOMAIN1.DOMAIN.COM


You nailed it, SCCM pulls data from the systems management container in order to pick up boundary and site data.

You will need to extend the schema if you wish to test further...

 

It's not that scary of a process, though it can break... I recommend, before you extend, ensuring that all your replication has completed successfully using:

repadmin /replsummary or repadmin /showrepl

 

gotcha... thanks for the clarification & instructions!


Ok.. Well, it appears I managed to get it working without the schema update. I agree the schema update makes things easier, and I am expecting more issues until this update is done, but I was personally kept from being able to run the update because our Change Control wouldn't allow it.

 

The only major deviation from setting up SCCM is that I disabled updating AD. I did this because of all the errors I got with SCCM trying to update itself in AD, and until we extend the schema it's not going to work anyway. This is in the properties of the site.

post-4156-12602020113842_thumb.jpg

 

Then what I changed was the command line information for SCCM's client installation. I had to manually specify all the settings so the client knew where it was pointing to. This is a requirement when you have a server locator point instead of an extended schema.

 

This is the syntax I added

CCMSETUP.EXE /noservice SMSMP=tstsccm SMSSITECODE=rg6 smslp=TSTSCCM

 

This was in the properties of the program

post-4156-12602023651117_thumb.jpg

 

Now I also followed instructions for WSUS config and noticed the client inside the package said yes under WSUS but not under the Adobe pack. I decided to remove the query information altogether to make it manually add itself and re-query, and then this showed the client was "yes". I did that because I had tried reinstalling the client a million times and never once did the actual client say it was "yes". post-4156-12602025924939_thumb.jpg

 

After this the software install and updates started right up.

 

Thanks again for everybody's help on this!!!

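As an added example (not code from the original thread), the following read-only PowerShell check, run on a ConfigMgr 2007 client, answers the questions raised in the posts above: does the client know its site (the empty site code in the poster's screenshot), which management point is it using, and has it received any software distribution policy yet (an empty Run Advertised Programs list usually means it has not). 'RG6' is the site code from this thread; pass your own.

```powershell
# Added example, not code from the original thread.
# Client-side check of site assignment, management point and received
# advertisement policy on a ConfigMgr 2007 client. 'RG6' is the site code
# that appears in this thread; replace it with your own.

function Get-CcmClientState {
    param([string] $ExpectedSiteCode = 'RG6')

    # SMS_Client.GetAssignedSite() returns the site code the client believes it
    # is assigned to; it is empty when site assignment (AD lookup or SLP) failed.
    $client   = [wmiclass] 'root\ccm:SMS_Client'
    $assigned = $client.GetAssignedSite().sSiteCode

    # SMS_Authority holds the management point the client currently talks to.
    $authority = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority

    # Each advertisement the client has received is a CCM_SoftwareDistribution
    # policy instance; none at all means no advertisement policy has arrived.
    $advs = @(Get-WmiObject -Namespace 'root\ccm\policy\machine\actualconfig' `
                            -Class CCM_SoftwareDistribution)

    [pscustomobject] @{
        AssignedSiteCode   = $assigned
        SiteCodeMatches    = ($assigned -eq $ExpectedSiteCode)
        ManagementPoint    = $authority.CurrentManagementPoint
        AdvertisementCount = $advs.Count
        Advertisements     = @($advs | ForEach-Object {
            '{0}: {1} / {2}' -f $_.ADV_AdvertisementID, $_.PKG_Name, $_.PRG_ProgramName
        })
    }
}

$state = Get-CcmClientState -ExpectedSiteCode 'RG6'
$state

if (-not $state.SiteCodeMatches) {
    Write-Warning ("Client has no (or the wrong) site assignment. Without the schema " +
                   "extension, pass SMSSITECODE/SMSMP/SMSLP to ccmsetup as in the post above.")
}
elseif ($state.AdvertisementCount -eq 0) {
    # Site assignment is fine but no policy yet: request a machine policy refresh
    # (schedule 021 = Machine Policy Retrieval & Evaluation Cycle) and re-check later.
    $null = ([wmiclass] 'root\ccm:SMS_Client').TriggerSchedule('{00000000-0000-0000-0000-000000000021}')
    Write-Host 'Machine policy refresh requested; re-run this check in a few minutes.'
}
```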
