

  • 0
jamitupya

Deploy software through AD Groups linked to Collections in SCCM

Question

Hi All,

I've been trying to figure this out for a while but keep failing totally, and in utter despair I need to ask how I can do this.

 

I want to deploy software through AD Groups linked to Collections in SCCM.

 

Is there an easy way to do this? Can somebody give me a basic rundown on how this should occur? I want to learn it but it is just one elusive SOB at the moment :S

 

Cheers


  • 0

It's easy to do, but you need to first decide if you want to deploy software to USERS or COMPUTERS.

 

the recommended way is to deploy software to COMPUTERS otherwise things can get messy (think one user using multiple computers...)

 

you will also have to enable Active Directory Discovery using the following two Discovery Methods in SCCM

 

discovery_methods.jpg

 

Active Directory System Group Discovery

Active Directory Security Group Discovery

 

Once done, in Active Directory you need to set up a structure for this.

 

You will need to create some Active Directory Security Groups, and then create an OU in Active Directory and call it Applications Group

 

security_groups_in_ad.jpg

 

now, you need to create your corresponding Collections in SCCM,

 

So let's create three new collections:

 

Office 2003

Computers in the Office 2003 Security Group

Users in the Office 2003 Security Group

 

office_2003_collections.jpg

 

The two sub collections will have separate queries to determine their contents:

 

The query for Computers in the Office 2003 Security Group shall be

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "SCCM2007\\Office 2003 Users"

 

So from the above, SCCM2007 = your domain and Office 2003 Users is the Active Directory Security Group you added Computer Objects to.

 

Note: To define collection queries please read this post

 

The query for Users in the Office 2003 Security Group shall be

 

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where UserGroupName = "sccm2007\\Office 2003 Users"

 

Now you can target these sub collections with software to install, so in this case you would target the collections above with an advertisement to install Microsoft Office 2003.

 

Once done, you can start adding computer or user objects to the respective Active Directory Group in Active Directory, and based on your Discovery Methods schedule they will appear within the correct Collection

 

computers.jpg

 

and based on the collection they are in they will receive the correct advertisement,

 

advertisement.jpg

 

as this is a common question, I have renamed the topic, and pinned it.

 

 

 

Related steps:

 

How can I deploy an application using SCCM 2007 SP1 ?

 

How can I target an application to specific hardware using SCCM 2007 SP1 ?

 

how can I deploy Windows Vista SP1 using SCCM 2007 SP1 ?

 

how can I deploy Windows XP SP3 using SCCM 2007 SP1 ?

 

how can I deploy Windows Server 2008 using SCCM 2007 SP1 ?

 

 

cheers

anyweb
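
A way to check the last step of the post above, where group members only show up in the collection after the discovery methods have run (an added example, not part of the original post or the thread): this PowerShell script runs the post's computer query against the SMS Provider and compares the result with the group's direct computer members in Active Directory. `SCCMSERVER` and `ABC` are placeholders, and matching on NetBIOS name is an assumption.

```powershell
# Added example; not from the original thread.
$SiteServer = 'SCCMSERVER'         # placeholder: host running the SMS Provider
$SiteCode   = 'ABC'                # placeholder: your three-character site code
$Domain     = 'SCCM2007'           # domain and group name as used in the post
$GroupName  = 'Office 2003 Users'

# Backslashes and double quotes must be escaped inside a WQL string literal,
# which is why the collection query contains "SCCM2007\\Office 2003 Users".
function ConvertTo-WqlLiteral([string]$Value) {
    $Value.Replace('\', '\\').Replace('"', '\"')
}

# 1. What SCCM has discovered: same WHERE clause as the collection query.
#    A malformed query fails here instead of being saved into a collection.
$literal = ConvertTo-WqlLiteral "$Domain\$GroupName"
$wql = "select Name from SMS_R_System where SystemGroupName = `"$literal`""
$discovered = @(Get-WmiObject -ComputerName $SiteServer `
        -Namespace "root\sms\site_$SiteCode" -Query $wql -ErrorAction Stop |
    ForEach-Object { ([string]$_.Name).ToUpper() })

# 2. What Active Directory holds: direct computer members of the group.
#    (Group names containing LDAP filter characters would need escaping, and
#    groups with more than 1500 members need ranged retrieval; both omitted.)
$searcher = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$GroupName))"
[void]$searcher.PropertiesToLoad.Add('member')
$group = $searcher.FindOne()
if (-not $group) { throw "Group '$GroupName' not found in the current domain" }
$inAd = @(foreach ($dn in $group.Properties['member']) {
    $entry = [adsi]"LDAP://$dn"
    if (@($entry.Properties['objectClass']) -contains 'computer') {
        # Assumption: NetBIOS name equals sAMAccountName without the trailing $
        ([string]$entry.Properties['sAMAccountName'].Value).TrimEnd('$').ToUpper()
    }
})

# 3. Compare the two views.
$pending = @($inAd | Where-Object { $discovered -notcontains $_ })
$extra   = @($discovered | Where-Object { $inAd -notcontains $_ })
"In AD group, not yet in SCCM (wait for or trigger discovery): $($pending -join ', ')"
"In SCCM, no longer a direct member in AD: $($extra -join ', ')"
```

Computers listed in the first line of output will not receive the advertisement until the next discovery cycle adds them to the collection.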


  • 0

Anyone care to explain to me the advantage of using security groups with computer names or usernames for software deployment through AD?

All of our sec groups are applied with usernames. My boss wants the same with SCCM.

 

What happens if an admin account takes over a PC from another user? I can imagine that the software for admins is going to be advertised towards the PC, or can I prevent this?


  • 0
That's one problem with advertising software to USERS instead of COMPUTERS.

 

Another problem is if the user uses multiple computers; that way you could have applications being installed all over the place and it would be very hard to manage.

 

the recommended solution is to advertise your software to Computer objects within the Active Directory Security Groups

 

But remember, when you advertise software you can make it mandatory or not. If it's not mandatory the user gets the choice to install it or not (if you let them); if it's mandatory then it will get installed whether the user likes it or not.

 

cheers

anyweb


  • 0
So why did you make this collection "Users in the Office 2003 Security Group"?

It's basically pushing the install towards a user account?


  • 0

not to the account, but to the computer the user is logged onto...

 

i did it so that you can see how to target users with a query

 

both methods work but the preferable method is to target the Computer


  • 0

When you put new computers in that OU will they receive the packages? I don't think so. You have to set install once a day or something on the advertisement in order that new computers in the OU can pick up the ad. No?


  • 0

if the computer has not received the application yet, and it's applicable then it will receive it, it all depends on your advertisement settings, but utilising AD groups is a great way of controlling how computers get software in SCCM


  • 0

Hello

 

Trying this one for an application now.

 

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where UserGroupName = "ourdomain.no\\Visio 2007 Users"

 

When I try to enter this one into "edit query statement" (resource class is "user resource") I get that "This Query has a syntax error. Are you sure you want to save it"

 

Have I missed something?

 

Thanks.


  • 0

Try this instead

 

select *  from  SMS_R_User where SMS_R_User.UserGroupName = "ourdomain.no\\Visio 2007 Users"


  • 0

Hello anyweb,

Thank you for your excellent description of the solution.

 

I implemented this on our SCCM 2007, and the user accounts appear in my "OCS.AllUsers" collection. I have then distributed our software package (OCS 2007 client in this case) to this collection, but no matter how hard I try, the users do not get the package.

 

Software distribution via computer objects works excellently in our environment. What am I possibly doing wrong?
