Create Collection based on User AD group attribute

myITforum.com Community Forum

Home Forums Blogs Live Support chat Search Articles Wiki FAQ Email Lists Register Login My Profile Inbox Address Book My Subscription My Forums

Photo Gallery Member List Search Calendars FAQ Ticket List Log Out

All Forums RSS Feed Subscription:

Create Collection based on User AD group attribute

View related threads: (in this forum | in all forums)

Logged in as: Guest

Printable Version

All Forums >> [Management Products] >> System Center Products >> System Center Configuration Manager >> Create Collection based on User AD group attribute

Page: [1]

Message

<< Older Topic Newer Topic >>

Create Collection based on User AD group attribute - 10/8/2008 2:12:55 AM

ldegroot

Posts: 56
Score: 0
Joined: 4/28/2007
Status: offline

Hi all

The company I am working for performs Software updates on business group that a user belongs to, and hence I need to base these software update collection queries on the AD attributes retrieved out for the fields shown in the attached pic?

Can anyone advise the easiest way to do this?

Cheers

Thumbnail Image

Attachment (1)

Post #: 1

RE: Create Collection based on User AD group attribute - 10/8/2008 7:23:31 AM

hcortez463

Posts: 780
Score: 62
Joined: 4/8/2005
Status: offline

Are you on SMS or sccm. If on SMS the option I would recommend is Enhaced system discovery from Steve Bobosky http://www.systemcentertools.com/esd2007.html If your on SCCM you can collect this information from sytem disco.

_____________________________

If it Helps, Please rate....

(in reply to ldegroot)

Post #: 2

RE: Create Collection based on User AD group attribute - 10/8/2008 8:14:20 AM

skissinger

Posts: 2114
Score: 134
Joined: 9/13/2001
From: Sherry Kissinger
Status: offline

... that the USER belongs to... I've always hated that request. Computers get software installed, not users. Are you deploying to users or usergroups already? If so, then I'm sure you're already aware of the inherent problems with monitoring and managing deployments, licensing, and remediation because of targetting users instead of computers. If you are not, there are still ways (annoying, complicated, but possible) ways to add those user attributes to the user Discovery agent, then create collection of "computers where the top console user is in department XYZ". So in the end you are deploying to computers again--and retain the reporting, remote tools, and other benefits.

_____________________________

mofmaster@smsexpert.com (version 2007) | http://www.smsexpert.com | http://www.sccmexpert.com
My Blog
Microsoft MVP - ConfigMgr

(in reply to hcortez463)

Post #: 3

RE: Create Collection based on User AD group attribute - 10/8/2008 8:45:32 AM

hcortez463

Posts: 780
Score: 62
Joined: 4/8/2005
Status: offline

oh shut.. my bad, thought the snapshot was for a pc. :)

_____________________________

If it Helps, Please rate....

(in reply to skissinger)

Post #: 4

RE: Create Collection based on User AD group attribute - 10/8/2008 9:26:20 AM

skissinger

Posts: 2114
Score: 134
Joined: 9/13/2001
From: Sherry Kissinger
Status: offline

Lyle, I was planning on giving my first 9 or so hours to the company (I'm wierd that way), then I'll mock something up in the lab & blog it on how to get there. I've done it before under SMS2003 (pre SP3/Top Console user) using SLAT, but I want to get it working w/ConfigMgr/Top Console User in the lab. Scary, but this qualifies as "fun" to me!

_____________________________

mofmaster@smsexpert.com (version 2007) | http://www.smsexpert.com | http://www.sccmexpert.com
My Blog
Microsoft MVP - ConfigMgr

(in reply to hcortez463)

Post #: 5

RE: Create Collection based on User AD group attribute - 10/8/2008 11:14:03 AM

jnelson993

Posts: 899
Score: 127
Joined: 2/18/2005
From: Minneapolis, MN
Status: offline

BTW, I already did a proof of concept on this a while ago. There are some gotchas. 1) AD Security Group Discovery discovers all the groups, but doesn't tie them to users or computers so you'll have to either have some third party AD discovery tool or roll your own script to do so. 2) Creating the VBScript to tie the users to their security groups is no big deal (if you're already familiar with VBScript) but there are some special tricks to handle 100's of thousands of groups and some with hundreds of thousands of members AND do it quickly (binding to each account in a LOOP and finding the groups or binding to each group and looking up members can take 12+ hours when you're talking that many groups/members). 3) If you consider 200K user accounts and some 300K potential groups they could be a member of, and now you're talking 10's of millions of "membership" ddrs that need to be generated in order to get the data into SMS/CM in a supported way, and that's a time consuming process to generate and then have SMS/CM process afterwards. So it's important to work in the ability to process only the DELTAs after the first initial discovery.

_____________________________

Number2 (John Nelson)
MyITForum - Blog
MyITForum - Forum Posts

(in reply to skissinger)

Post #: 6

RE: Create Collection based on User AD group attribute - 10/8/2008 11:21:15 AM

skissinger

Posts: 2114
Score: 134
Joined: 9/13/2001
From: Sherry Kissinger
Status: offline

True. I'll be testing this in a lab which only has 3 users, so it's not very realistic in regards to how long a discovery will take. John, do you know more about Steve's EUD 2008? His web site indicates it's not out yet, but if it's similar to ESD 2008, it should hopefully do delta.

_____________________________

mofmaster@smsexpert.com (version 2007) | http://www.smsexpert.com | http://www.sccmexpert.com
My Blog
Microsoft MVP - ConfigMgr

(in reply to jnelson993)

Post #: 7

RE: Create Collection based on User AD group attribute - 10/8/2008 11:46:16 AM

jnelson993

Posts: 899
Score: 127
Joined: 2/18/2005
From: Minneapolis, MN
Status: offline

Nope, haven't seen it and we can't get money for it (I've asked)

_____________________________

Number2 (John Nelson)
MyITForum - Blog
MyITForum - Forum Posts

(in reply to skissinger)

Post #: 8

RE: Create Collection based on User AD group attribute - 10/8/2008 5:15:41 PM

ldegroot

Posts: 56
Score: 0
Joined: 4/28/2007
Status: offline

Thanks all for the responses thus far, all very appreciated.

I agree, deploying to computers will be much easier, but currently they are deploying to Business groups and want to keep this format as reboot's are scheduled at different times after patch's are applied.

The only other way I can see this working is to class the machine in a business group by way of a registry setting that is written when the user logs on to the machine via a logon script, and once a software inventory is run one will be able to split the machines into their various business groups?

Does that make sense?

Cheers

Lyle

(in reply to jnelson993)

Post #: 9

RE: Create Collection based on User AD group attribute - 10/8/2008 10:09:16 PM

skissinger

Posts: 2114
Score: 134
Joined: 9/13/2001
From: Sherry Kissinger
Status: offline

Sure, you could drop a regkey (make sure you put it into HKLM, not CurrentUser) @login. Then we could extend hardware inventory (Hardware Inv reads the registry, Software inventory doesn't) to pull back that regkey. Then you could use it easily enough for collection queries. As long as you are doing that, might as well drop in the username who ran the login script. If you need assistance with a mof edit for your sms_def.mof & configuration.mof once you have the regkeys where you want them, either check the wiki or just contact me.

_____________________________

mofmaster@smsexpert.com (version 2007) | http://www.smsexpert.com | http://www.sccmexpert.com
My Blog
Microsoft MVP - ConfigMgr

(in reply to ldegroot)

Post #: 10

Page: [1]

All Forums >> [Management Products] >> System Center Products >> System Center Configuration Manager >> Create Collection based on User AD group attribute

Page: [1]

Jump to:

New Messages	No New Messages
Hot Topic w/ New Messages	Hot Topic w/o New Messages
Locked w/ New Messages	Locked w/o New Messages

Post New Thread

Reply to Message

Post New Poll

Submit Vote

Delete My Own Post

Delete My Own Thread

Rate Posts

0.781